Created attachment 585941
stack

x = []; x.push(x); x.toString = x.sort; x.toString();

crashes js debug and opt shell on m-c changeset 44d992ccc97a without any CLI arguments at IsPoisonedId or js::array_sort with too much recursion. Too much recursion crash, usually not security-sensitive, but IsPoisonedId freaks me out just a little. Bug 684462 might be related.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67921:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke
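The testcase works because the array contains itself and its string conversion is routed through sort, so converting any element converts the whole array again with no bound. The following Node.js snippet is an added illustration, not part of the bug report or of SpiderMonkey: it rebuilds that structure and shows a cycle-aware, depth-bounded conversion that terminates where the naive one recurses. The names buildCyclicArray, safeToString and containsSelf are chosen here.

```javascript
// Added example (not from the bug report): rebuild the self-referential
// array from the testcase and convert it without unbounded recursion.

// The reporter's structure: x contains itself, and x.toString is aliased
// to Array.prototype.sort, so ToString(x) -> x.sort() -> ToString(x) ...
function buildCyclicArray() {
  const x = [];
  x.push(x);
  x.toString = x.sort;
  return x;
}

// Cycle-aware, depth-bounded conversion. `path` holds the arrays on the
// current recursion path; meeting one again is a cycle and is rendered
// as "[Circular]" instead of descending. `maxDepth` caps nesting even
// for acyclic but very deep inputs, so the call stack stays bounded.
function safeToString(value, maxDepth = 64, path = new Set()) {
  if (!Array.isArray(value)) return String(value);
  if (path.has(value)) return "[Circular]";
  if (path.size >= maxDepth) return "[MaxDepth]";
  path.add(value);
  try {
    // Same element layout as Array.prototype.toString: comma-joined.
    return value.map((v) => safeToString(v, maxDepth, path)).join(",");
  } finally {
    path.delete(value);
  }
}

// Iterative check (no recursion at all): does the array reach itself
// through any chain of nested arrays?
function containsSelf(arr) {
  const stack = [...arr];
  const seen = new Set();
  while (stack.length) {
    const v = stack.pop();
    if (v === arr) return true;
    if (Array.isArray(v) && !seen.has(v)) {
      seen.add(v);
      stack.push(...v);
    }
  }
  return false;
}
```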
Looks like a recursion DoS? If you agree, Jeff, we can unhide this bug. If not please change [sg:dos] to something more appropriate
Yeah, this is just recursion.
> See bug 717497, bug 721935 and bug 728722 for other possibly-related
> too-much-recursion crashes.

May I please convince someone (if Waldo is too busy) to fix these too-much-recursion DoS crashes? (Also see bug 671797, bug 684462 and bug 743301.) They are producing so many duplicates that we have to ignore js::Invoke on the crash reports, and js::Invoke seems to be such a commonly used function that ignoring it may hide other bugs.
Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED