[Webkit-unassigned] [Bug 15123] Self-replicating code makes Safari hang and eventually crash

Mon Jan 17 10:36:47 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=15123

--- Comment #14 from chris reiss <christopher.reiss at nokia.com>  2011-01-17 10:36:46 PST ---
Thanks for the quick feedback, i'll rework this to use const and a counter class.

As for the second variable,  m_tooDeepWriteRecursion,  and the odd logic here - 

> +    if (m_tooDeepWriteRecursion) {
> +       m_writeRecursionDepth--;
> +       return;
> +    } else {
> +       m_writeRecursionDepth++;
> +    }

these were counterintuitive to me too.  My first cut at fixing this just returned one level up when
 m_writeRecursionDepth > MAX_WRITE_RECURSION_DEPTH.   This didn't fix the crash.

I noticed that Gecko's fix included extra logic to 'panic' all the way up the stack the moment the recursion depth is exceeded.  
(see https://bug197052.bugzilla.mozilla.org/attachment.cgi?id=293907.)   

After a bit of research I found the javascript self-replication actually makes a tree of recursive calls like so - 

The first time through Script A appends an extra copy of itself : 

Script-A  -->  Script-A  + Script-A 

          -->  4 * Script-A

and so on.    So just bouncing up one level still allows a million or so copies to replicate.

Since the recursion is depth-first, Gecko takes the approach if the recursion depth has been 
exceeded, keep returning all the way up the stack.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.