Bug 715387 - Too-much-recursion crash (js::Invoke, js::DefaultValue, js::array_sort)
Status: VERIFIED FIXED
[js:p1:fx17][sg:dos][fuzzblocker:js-r...
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz js-differential-test 645468
Reported: 2012-01-04 16:51 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-07-31 22:14 PDT (History)
gary: in‑testsuite+
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stack (16.05 KB, text/plain)
2012-01-04 16:51 PST, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2012-01-04 16:51:56 PST
Created attachment 585941 [details]
stack

x = [];
x.push(x);            // x contains itself
x.toString = x.sort;  // ToString(x) now runs Array.prototype.sort on x
x.toString();         // sort stringifies its elements -> x.toString -> sort -> ... unbounded recursion

crashes js debug and opt shell on m-c changeset 44d992ccc97a without any CLI arguments at IsPoisonedId or js::array_sort with too much recursion.

Too much recursion crash, usually not security-sensitive, but IsPoisonedId freaks me out just a little.

Bug 684462 might be related.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67921:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited.  r=luke
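Added example, not part of the bug report or of SpiderMonkey: it rebuilds the toString -> sort -> ToString cycle from the testcase (widened to two elements so that sort has something to compare in engines that skip single-element arrays), shows the outcome a hardened engine should produce, a catchable RangeError rather than a process crash, and pairs it with a cycle-aware serializer that never invokes an object's own toString. Assumes a Node.js (V8) runtime; MAX_DEPTH and all helper names are constructed for this example.

```javascript
const MAX_DEPTH = 64; // constructed limit, stands in for an engine recursion check

// Same trap as the testcase, with two elements so that sort must compare
// (some engines skip sorting arrays of length < 2 and would never recurse).
function buildSelfSortingArray() {
  const x = [];
  x.push(x, x);          // x contains itself
  x.toString = x.sort;   // ToString(x) now runs Array.prototype.sort on x
  return x;              // sort stringifies elements -> x.toString -> sort ...
}

// Runs a thunk and reports whether it returned or what it threw.
// Expected for buildSelfSortingArray().toString(): a RangeError
// ("Maximum call stack size exceeded" in V8), not a crash.
function probeRecursion(thunk) {
  try {
    return { status: "returned", value: thunk() };
  } catch (e) {
    return { status: "threw", name: e.name };
  }
}

// Cycle-aware serializer: tracks objects on the current path and bounds
// depth, so neither a self-containing array nor a hostile toString can
// drive unbounded recursion. It never calls value.toString().
function safeStringify(value, seen = new Set(), depth = 0) {
  if (value === null || typeof value !== "object") return String(value);
  if (seen.has(value)) return "[Circular]";
  if (depth > MAX_DEPTH) throw new RangeError("too much recursion");
  seen.add(value);
  const isArr = Array.isArray(value);
  const parts = isArr
    ? value.map((v) => safeStringify(v, seen, depth + 1))
    : Object.keys(value).map((k) => `${k}: ${safeStringify(value[k], seen, depth + 1)}`);
  seen.delete(value);
  return isArr ? `[${parts.join(", ")}]` : `{${parts.join(", ")}}`;
}

// Constructed input: arrays nested `levels` deep, to exercise the depth bound.
function buildDeepArray(levels) {
  const root = [];
  let cur = root;
  for (let i = 0; i < levels; i++) { const next = []; cur.push(next); cur = next; }
  return root;
}
```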
Comment 1 Daniel Veditz [:dveditz] 2012-01-11 17:08:06 PST
Looks like a recursion DoS? If you agree, Jeff, we can unhide this bug. If not please change [sg:dos] to something more appropriate
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2012-03-21 15:11:15 PDT
Yeah, this is just recursion.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-03-21 15:15:03 PDT
See bug 717497, bug 721935 and bug 728722 for other possibly-related too-much-recursion crashes.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2012-05-04 14:06:27 PDT
> See bug 717497, bug 721935 and bug 728722 for other possibly-related
> too-much-recursion crashes.

May I please convince someone (if Waldo is too busy) to fix these too-much-recursion DoS crashes? (Also see bug 671797, bug 684462 and bug 743301.)

They are producing so many duplicates that we have to ignore js::Invoke on the crash reports, and js::Invoke seems to be such a commonly used function that ignoring it may hide other bugs.
Comment 5 Gary Kwong [:gkw] [:nth10sd] 2012-07-31 22:13:42 PDT
Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED
