Closed Bug 715387 Opened 10 years ago Closed 10 years ago

Too-much-recursion crash (js::Invoke, js::DefaultValue, js::array_sort)

Component: Core :: JavaScript Engine (defect)
Severity: critical
Status: VERIFIED FIXED
Reporter: gkw (Unassigned)
Keywords: crash, regression, testcase
Whiteboard: [js:p1:fx17][sg:dos][fuzzblocker:js-recursion]
Attachments: 1 file

Attached file: stack
x = [];
x.push(x);
x.toString = x.sort;
x.toString();

crashes js debug and opt shell on m-c changeset 44d992ccc97a without any CLI arguments at IsPoisonedId or js::array_sort with too much recursion.

Too much recursion crash, usually not security-sensitive, but IsPoisonedId freaks me out just a little.

Bug 684462 might be related.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67921:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited.  r=luke
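The testcase loops because the default sort converts each element to a string, which calls the array's own toString, which is sort again, and the array contains itself, so the cycle never bottoms out. As an added example (not the bug's testcase and not SpiderMonkey code), here is a stringifier for nested arrays that bounds its recursion in the two ways an engine would: a depth limit, and a refusal to re-enter a container that is already being stringified. A self-containing array then produces a thrown error instead of exhausting the native stack. The function names, the limit and the sample inputs are the example's own.

```javascript
// Added example: bounded stringification of nested arrays.
// Not part of bug 715387 or of SpiderMonkey; names and limits are assumptions.

function safeArrayToString(value, depthLimit = 100) {
  // Containers currently on the recursion stack; any of these seen again is a cycle.
  const active = new Set();

  function walk(v, depth) {
    // Guard 1: bounded depth, even for acyclic but very deep nesting.
    if (depth > depthLimit) {
      throw new RangeError("too much recursion");
    }
    if (!Array.isArray(v)) {
      return String(v);
    }
    // Guard 2: a container already being stringified means we are looping.
    if (active.has(v)) {
      throw new TypeError("cyclic array");
    }
    active.add(v);
    try {
      // Elements are walked directly instead of trusting their own toString.
      return v.map((e) => walk(e, depth + 1)).join(",");
    } finally {
      active.delete(v);
    }
  }

  return walk(value, 0);
}

// Report success or the error class, so a caller can observe which guard fired.
function stringifyOutcome(value, depthLimit = 100) {
  try {
    return { ok: true, text: safeArrayToString(value, depthLimit) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed input: the self-containing array from the testcase shape.
function buildCyclicArray() {
  const x = [];
  x.push(x);
  return x;
}

// Constructed input: [[[...[0]...]]] nested n levels deep, no cycle.
function nestArray(n) {
  let a = [0];
  for (let i = 0; i < n; i++) {
    a = [a];
  }
  return a;
}

// Stand-alone demo.
console.log(stringifyOutcome([1, [2, 3], "a"]));     // { ok: true, text: "1,2,3,a" }
console.log(stringifyOutcome(buildCyclicArray()));   // { ok: false, error: "TypeError" }
console.log(stringifyOutcome(nestArray(200), 100));  // { ok: false, error: "RangeError" }
console.log(stringifyOutcome(nestArray(50), 100));   // { ok: true, text: "0" }
```

The cycle check catches the testcase shape at the second visit of the same array, regardless of how deep the stack is allowed to go; the depth limit is what converts an honest stack overflow into a catchable error, which is the behaviour a shipping engine reports as "too much recursion" rather than a crash.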
Crash Signature: [@ IsPoisonedId] [@ js::array_sort]
Looks like a recursion DoS? If you agree, Jeff, we can unhide this bug. If not, please change [sg:dos] to something more appropriate.
Assignee: general → jwalden+bmo
Whiteboard: js-triage-needed → [sg:dos] js-triage-needed
OS: Mac OS X → All
Hardware: x86 → All
Yeah, this is just recursion.
Group: core-security
Whiteboard: [sg:dos] js-triage-needed → [sg:dos] js-triage-done
See bug 717497, bug 721935 and bug 728722 for other possibly-related too-much-recursion crashes.
> See bug 717497, bug 721935 and bug 728722 for other possibly-related
> too-much-recursion crashes.

May I please convince someone (if Waldo is too busy) to fix these too-much-recursion DoS crashes? (Also see bug 671797, bug 684462 and bug 743301.)

They are producing so many duplicates that we have to ignore js::Invoke on the crash reports, and js::Invoke seems to be such a commonly used function that ignoring it may hide other bugs.
Summary: Crash [@ IsPoisonedId] or [@ js::array_sort] → Crash [@ IsPoisonedId] or [@ js::array_sort] with js::Invoke or js::DefaultValue on the stack
Summary: Crash [@ IsPoisonedId] or [@ js::array_sort] with js::Invoke or js::DefaultValue on the stack → Too-much-recursion crash (js::Invoke, js::DefaultValue, js::array_sort)
Whiteboard: [sg:dos] js-triage-done → [sg:dos][fuzzblocker:js-recursion] js-triage-done
Whiteboard: [sg:dos][fuzzblocker:js-recursion] js-triage-done → [js:p1][sg:dos][fuzzblocker:js-recursion]
Whiteboard: [js:p1][sg:dos][fuzzblocker:js-recursion] → [js:p1:fx17][sg:dos][fuzzblocker:js-recursion]
Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED
Assignee: jwalden+bmo → general
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED