new operator


hackvertor

Author:

Gareth Heyes

@hackvertor

Published: Wed, 23 Oct 2013 19:17:24 GMT

Updated: Sat, 22 Mar 2025 15:38:20 GMT

I was playing around with new operators when I noticed something cool and unexpected. If the constructor returns a function, the new operator will not create a new object instance but instead returns that function. This means that stuff like:

new new new new new new function f(){return f}

is perfectly valid code. That made me think it might cause a crash. Yep, of course it does on IE:

eval(Array(0xffff).join('new ')+'function f(){return f}')
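To make the rule above concrete, here is an added example (not code from the original post) that shows what new does with a constructor's return value: an object return, and a function is an object, replaces the fresh instance, while a primitive return is discarded. It also runs the post's chained literal, which parses as new (new (new (... function f ...))), so every new in the chain just hands f back. The function names returnsSelf, returnsPrimitive, returnsOtherObject, newChain, chainedLiteral and demo are mine.

```javascript
// Added example, not code from the original post: how `new` treats the
// value a constructor returns. When the return value is an object (and a
// function is an object), `new` yields that value instead of the freshly
// allocated instance; a primitive return value is ignored.

function returnsSelf() {
  return returnsSelf; // same shape as the post's `function f(){return f}`
}

function returnsPrimitive() {
  this.tag = "instance";
  return 42; // primitive: discarded, the new instance is returned
}

function returnsOtherObject() {
  return { tag: "replaced" }; // object: replaces the new instance
}

// Every `new` in a chain applies to the result of the previous one. Because
// returnsSelf hands back itself, no depth of chaining produces a new object.
function newChain(fn, depth) {
  let result = fn;
  for (let i = 0; i < depth; i++) {
    result = new result();
  }
  return result;
}

// The post's literal: parses as new (new (new (... function f ...))).
function chainedLiteral() {
  return new new new new new new function f() { return f; };
}

function demo() {
  return {
    selfIsFunction: typeof new returnsSelf() === "function",
    selfIsSame: new returnsSelf() === returnsSelf,
    primitiveIgnored: new returnsPrimitive().tag === "instance",
    objectReplaces: new returnsOtherObject().tag === "replaced",
    notAnInstance: !(new returnsOtherObject() instanceof returnsOtherObject),
    chainIsSelf: newChain(returnsSelf, 6) === returnsSelf,
    literalName: chainedLiteral().name,
  };
}
```

Run demo() in Node or a browser console: every boolean comes back true and literalName is "f", i.e. the six-deep chain never allocates anything, it just returns f six times over.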

ModLoad: 0000000070af0000 0000000070ba5000 C:\Windows\SysWOW64\MsSpellCheckingFacility.dll
ModLoad: 0000000069a40000 0000000069a8f000 C:\Windows\SysWOW64\Bcp47Langs.dll
ModLoad: 0000000074cd0000 0000000074cd3000 C:\WINDOWS\SysWOW64\Normaliz.dll
(1778.173c): C++ EH exception - code e06d7363 (first chance)
(1778.173c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
JSCRIPT9!Scanner<NullTerminatedUTF8EncodingPolicy>::Scan+0x8:
70e69742 53 push ebx

Just a stack overflow; I don't think it's exploitable, but let's try to manipulate it further. Using unicode escapes changes the code slightly:

eval(Array(0xffff).join('\\u006e\u0065w ')+'function f(){return f}')

msvcrt!memcmp+0xc: 7506985c 56 push esi

I then thought about using different types of spaces and fuzzed them, but had no success producing any form of exploitable crash. Maybe you can?
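The crash above is the classic shape of a parser stack overflow: a recursive-descent parser handles each new prefix with one more recursive call before it ever reaches the operand, so the nesting depth of the input becomes the depth of the native stack. The usual mitigation is an explicit nesting cap that turns that into a clean parse error. Here is an added example (not code from the post, nor JScript9's parser) of a toy recursive-descent parser for the new prefix chain with such a cap; MAX_NEW_DEPTH, tokenize, parseNewChain, parseSource and parseOutcome are my names, the cap of 1000 is an assumed value, and the two inputs are constructed from the post's snippets.

```javascript
// Added example, not from the post: a toy recursive-descent parser for the
// `new` prefix chain with an explicit nesting cap. Each `new` costs one
// recursive call, exactly the pattern that lets input size become native
// stack depth; the cap converts an unbounded recursion into a RangeError.

const MAX_NEW_DEPTH = 1000; // assumed cap; real engines choose their own limit

function tokenize(src) {
  // Whitespace split is enough for `new ... function f(){return f}`.
  return src.trim().split(/\s+/);
}

// Grammar: NewExpression := 'new' NewExpression | <operand>
// Returns the nesting depth reached and the operand text.
function parseNewChain(tokens, pos = 0, depth = 0) {
  if (depth > MAX_NEW_DEPTH) {
    throw new RangeError("new-chain nesting exceeds " + MAX_NEW_DEPTH);
  }
  if (tokens[pos] === "new") {
    return parseNewChain(tokens, pos + 1, depth + 1); // one frame per `new`
  }
  return { depth, operand: tokens.slice(pos).join(" ") };
}

function parseSource(src) {
  return parseNewChain(tokenize(src));
}

// Constructed inputs: the post's short chain and its 0xffff-deep variant.
const SHORT = "new new new new new new function f(){return f}";
const DEEP = Array(0xffff).join("new ") + "function f(){return f}";

// Wraps the parse so a caller sees either the depth or the failure class.
function parseOutcome(src) {
  try {
    const r = parseSource(src);
    return { ok: true, depth: r.depth };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

parseOutcome(SHORT) reports depth 6; parseOutcome(DEEP) fails with a RangeError after 1001 frames instead of recursing 65534 deep. Without the cap, Node would still stop you with its own "Maximum call stack size exceeded" RangeError, whereas a native parser with no guard against the overflow simply dies, which is what the JSCRIPT9!Scanner frame in the dump above shows.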
