My "nearNativeStackLimit" gadget keeps finding bugs where JS_CHECK_RECURSION trips in the middle of some complex operation (like document.write) and it doesn't unwind properly. https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL+su%3AnearNativeStackLimit Maybe we could prevent this problem by enforcing a tighter limit on script recursion (especially "eval") than on the things that happen in the middle of document.write. [And maybe the latter could be elided or made fatal, rather than trying to recover.] cf bug 732665, bug 735082
That's an interesting idea. It would be like having "stack limit ballast".
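The "stack limit ballast" idea in the two comments above, sketched as an added C model (this is illustration, not SpiderMonkey or Gecko code): script recursion is refused at a lower depth than native/internal work, so an operation that begins at the script ceiling still has headroom and never has to unwind half-way. All names here (Runtime, simulate, the limits and frame counts) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical runtime state (constructed for this example). depth counts
 * frames of either kind; the two limits implement the ballast. */
typedef struct {
  size_t depth;
  size_t script_limit;     /* where script recursion gets "too much recursion" */
  size_t native_limit;     /* where native/internal work would have to bail out */
  bool native_overflow;    /* true if native work tripped its check mid-operation */
  int script_frames;       /* how many script frames were actually entered */
} Runtime;

static bool check_script_recursion(const Runtime *rt) { return rt->depth < rt->script_limit; }
static bool check_native_recursion(const Runtime *rt) { return rt->depth < rt->native_limit; }

/* Models internal work (think of the nesting inside document.write) that needs
 * frames_needed more frames and cannot sensibly be interrupted part-way. */
static bool native_operation(Runtime *rt, int frames_needed) {
  if (frames_needed == 0) return true;
  if (!check_native_recursion(rt)) {
    rt->native_overflow = true;   /* the failure mode the thread is about */
    return false;
  }
  rt->depth++;
  bool ok = native_operation(rt, frames_needed - 1);
  rt->depth--;
  return ok;
}

/* Models script recursion: each script frame does some native work, then recurses. */
static int script_recurse(Runtime *rt, int native_frames_per_call) {
  if (!check_script_recursion(rt)) return 0;  /* thrown to script as an exception */
  rt->depth++;
  native_operation(rt, native_frames_per_call);
  int entered = 1 + script_recurse(rt, native_frames_per_call);
  rt->depth--;
  return entered;
}

/* Runs the model with the given limits and reports what happened. */
Runtime simulate(size_t script_limit, size_t native_limit, int native_frames_per_call) {
  Runtime rt = { 0, script_limit, native_limit, false, 0 };
  rt.script_frames = script_recurse(&rt, native_frames_per_call);
  return rt;
}

int main(void) {
  /* Same limit for both: native work at the script ceiling trips the check. */
  Runtime shared = simulate(64, 64, 20);
  /* Tighter script limit with 32 frames of ballast: native work always completes. */
  Runtime ballast = simulate(64, 96, 20);
  printf("shared limit:  native_overflow=%d script_frames=%d\n",
         shared.native_overflow, shared.script_frames);
  printf("with ballast:  native_overflow=%d script_frames=%d\n",
         ballast.native_overflow, ballast.script_frames);
  return 0;
}
```

The point of the model is the second run: script recursion still stops at 64 frames, but because the native check sits 32 frames higher, no internal operation started from script ever has to recover from a failed JS_CHECK_RECURSION-style check in the middle of its work.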
Bug 776497 is an example of a real-world top crash related to this.
Fixing this would remove a large amount of buggy, hard-to-test attack surface.
I've seen some scary assertions about inner and outer windows that seem to trace back to this bug.
I did this in bug 732665.
Hmm, that is true! Then why am I still hitting hard-to-reduce bugs with too-much-recursion? Is it likely that some recursion checks are misclassified? Is fixing bug 735081 / bug 735082 the only way to find out?
(In reply to Jesse Ruderman from comment #6)
> Hmm, that is true! Then why am I still hitting hard-to-reduce bugs with
> too-much-recursion?

Do you have an example of such a bug? If you have one that's reproducible, I could take a look at some point (though right now I'm pretty swamped).
Bug 1006876 is a recent example, although decoder seems to have had more luck with reproducibility than I usually have.