Closed
Bug 320932
Opened 19 years ago
Closed 9 years ago
High memory use and crash on page with infinite <option>s
Categories
(Core :: Layout: Form Controls, defect)
RESOLVED
WORKSFORME
People
(Reporter: jeff, Unassigned)
Details
(Keywords: crash, hang, Whiteboard: [sg:dos])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Basically it just fills the listbox with tons of entries of "Bug!", eventually causing it to take up tons of memory and crash the browser altogether.

Reproducible: Always

Steps to Reproduce:
1. Go to http://wgcenter.com/firefoxbug.php

Actual Results:
Firefox stopped responding and had to be ended through task manager

Expected Results:
Should have limited the number of entries in a dropdown to prevent this crash, perhaps a few thousand items

Code of firefoxbug.php:
<select name="select8">
<?
for($h=0; $h<2; $h++){
    echo "<option>Bug!</option>";
    $h=0;
}
?>
</select>
Comment 1•19 years ago
I don't think this is security sensitive, but will leave that to others to decide. Not sure if this is layout or parser.

A recent trunk build on winxp ate all my memory and reached a VM size of ~2G, but did not crash after a long time although after a while it began to spew:

WARNING: NS_ENSURE_TRUE(newImpl) failed, file .../mozilla/content/base/src/nsAttrAndChildArray.cpp, line 733
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file ...mozilla/content/base/src/nsGenericElement.cpp, line 2797

I then closed the browser window and after a long time of memory churn crashed at:

+ aContent 0x17a77ef8
+ aPrimaryFrame 0x625da29c
+ entry 0x00000000
+ &mPrimaryFrameMap 0x03c8f6e8
PL_DHASH_ADD 0x00000001
+ this 0x03c8f6dc
nsFrameManager::SetPrimaryFrameFor(nsIContent * 0x17a77ef8, nsIFrame * 0x625da29c) line 450 + 6 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState & {...}, const nsStyleDisplay * 0x03fabcf4, nsIContent * 0x17a77ef8, int 0x00000000, nsIAtom * 0x003fee38, nsIFrame * 0x03f35950, nsStyleContext * 0x03fabcc8, nsFrameItems & {...}, int 0x00000000) line 7022
nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & {...}, nsIContent * 0x17a77ef8, nsIFrame * 0x03f35950, nsIAtom * 0x003fee38, int 0x00000000, nsStyleContext * 0x03fabcc8, nsFrameItems & {...}, int 0x00000000) line 8009 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & {...}, nsIContent * 0x17a77ef8, nsIFrame * 0x03f35950, nsFrameItems & {...}) line 7833 + 53 bytes
nsCSSFrameConstructor::ContentAppended(nsIContent * 0x03f3bee8, int 0x00001d78) line 8923
PresShell::ContentAppended(nsIDocument * 0x03e760e8, nsIContent * 0x03f3bee8, int 0x00001d78) line 5134
nsDocument::ContentAppended(nsIContent * 0x03f3bee8, int 0x00001d78) line 2295
nsHTMLDocument::ContentAppended(nsIContent * 0x03f3bee8, int 0x00001d78) line 1138
HTMLContentSink::NotifyAppend(nsIContent * 0x03f3bee8, unsigned int 0x00001d78) line 3663
SinkContext::FlushTags(int 0x00000001) line 1751
HTMLContentSink::DidBuildModel(HTMLContentSink * const 0x03ed44ec) line 2232
CNavDTD::DidBuildModel(CNavDTD * const 0x03ea8cf8, unsigned int 0x804e03f7, int 0x00000001, nsIParser * 0x03cdb358, nsIContentSink * 0x03ed44ec) line 502
nsParser::DidBuildModel(unsigned int 0x804e03f7) line 1198 + 51 bytes
nsParser::Terminate(nsParser * const 0x03cdb358) line 1305
nsDocument::StopDocumentLoad() line 1139
DocumentViewerImpl::Stop(DocumentViewerImpl * const 0x03ecffb0) line 1572
nsDocShell::Stop(nsDocShell * const 0x03c8b370, unsigned int 0x00000003) line 3236
nsDocShell::Stop(nsDocShell * const 0x034d7d78, unsigned int 0x00000003) line 3259
nsDocShell::Destroy(nsDocShell * const 0x034d7d7c) line 3511
nsXULWindow::Destroy(nsXULWindow * const 0x0336b7f0) line 510
nsWebShellWindow::Destroy(nsWebShellWindow * const 0x0336b7f0) line 844 + 9 bytes
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f094) line 402
nsWindow::DispatchEvent(nsWindow * const 0x0336b964, nsGUIEvent * 0x0012f094, nsEventStatus & nsEventStatus_eIgnore) line 1162 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f094) line 1183
nsWindow::DispatchStandardEvent(unsigned int 0x00000065) line 1202 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000, long * 0x0012f514) line 4273
nsWindow::WindowProc(HWND__ * 0x000105be, unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000) line 1351 + 27 bytes

Letting the page run even longer spews

WARNING: NS_ENSURE_TRUE(childCount < ATTRCHILD_ARRAY_MAX_CHILD_COUNT) failed, file .../mozilla/content/base/src/nsAttrAndChildArray.cpp, line 149
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file .../mozilla/content/base/src/nsGenericElement.cpp, line 2797

and a crash at

entry->frame = aPrimaryFrame;

+ aContent 0x16366d08
+ aPrimaryFrame 0x0149eb18
+ entry 0x00000000
+ &mPrimaryFrameMap 0x036cdb40
PL_DHASH_ADD 0x00000001
+ this 0x036cdb34
nsFrameManager::SetPrimaryFrameFor(nsIContent * 0x16366d08, nsIFrame * 0x0149eb18) line 450 + 6 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState & {...}, const nsStyleDisplay * 0x039c0a20, nsIContent * 0x16366d08, int 0x00000000, nsIAtom * 0x00fb44b8, nsIFrame * 0x0396954c, nsStyleContext * 0x039c09f4, nsFrameItems & {...}, int 0x00000000) line 7022
nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & {...}, nsIContent * 0x16366d08, nsIFrame * 0x0396954c, nsIAtom * 0x00fb44b8, int 0x00000000, nsStyleContext * 0x039c09f4, nsFrameItems & {...}, int 0x00000000) line 8009 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & {...}, nsIContent * 0x16366d08, nsIFrame * 0x0396954c, nsFrameItems & {...}) line 7833 + 53 bytes
nsCSSFrameConstructor::ContentAppended(nsIContent * 0x0396cd70, int 0x00004c31) line 8923
PresShell::ContentAppended(nsIDocument * 0x036198c8, nsIContent * 0x0396cd70, int 0x00004c31) line 5134
nsDocument::ContentAppended(nsIContent * 0x0396cd70, int 0x00004c31) line 2295
nsHTMLDocument::ContentAppended(nsIContent * 0x0396cd70, int 0x00004c31) line 1138
HTMLContentSink::NotifyAppend(nsIContent * 0x0396cd70, unsigned int 0x00004c31) line 3663
SinkContext::CloseContainer(nsHTMLTag eHTMLTag_select) line 1330
HTMLContentSink::CloseContainer(HTMLContentSink * const 0x038928fc, nsHTMLTag eHTMLTag_select) line 2920 + 18 bytes
CNavDTD::CloseContainer(nsHTMLTag eHTMLTag_select) line 2743 + 31 bytes
CNavDTD::CloseContainersTo(int 0x00000002, nsHTMLTag eHTMLTag_select, int 0x00000000) line 2790 + 12 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_select, int 0x00000000) line 2934 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x0109a650, unsigned int 0x00000000, int 0x00000001, nsIParser * 0x038926f0, nsIContentSink * 0x038928fc) line 473 + 22 bytes
nsParser::DidBuildModel(unsigned int 0x00000000) line 1198 + 51 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000001, int 0x00000001) line 1933
nsParser::ContinueInterruptedParsing(nsParser * const 0x038926f0) line 1352 + 19 bytes
nsParser::HandleParserContinueEvent() line 1421
nsParserContinueEvent::HandleEvent(PLEvent * 0x0d77d3d0) line 237
PL_HandleEvent(PLEvent * 0x0d77d3d0) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01037378) line 623 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000801d8, unsigned int 0x0000c149, unsigned int 0x00000000, long 0x01037378) line 1408 + 9 bytes
Reporter
Comment 2•19 years ago
I marked it as security sensitive because others could potentially exploit this and direct users to a page which crashes their browser
Comment 3•19 years ago
If you click the stop button while this page is loading you can recover, and the memory usage even drops quite a bit. I'd guess you could do the same thing spewing an infinite loop of any kind of content at us, tables or even just plain text.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:dos]
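The cap on dropdown size that comment 0 asks for ("perhaps a few thousand items"), together with comment 3's observation that an endless stream of any content has the same effect, as an added example that is not part of this bug or of Gecko's code: a Python html.parser subclass that consumes the response in chunks, counts <option>s inside the open <select> and elements overall, and aborts the parse once either budget is exceeded, so the consumer stops early instead of buffering until memory runs out. The budget values, the class and function names, and the chunk generator (which models the reporter's PHP loop as a never-ending body) are assumptions made for the example.

```python
"""Bounded streaming HTML parse: abort when a <select> or the whole
document exceeds a node budget (added example, not Gecko code)."""
from html.parser import HTMLParser


class NodeBudgetExceeded(Exception):
    """Raised when the page exceeds a configured limit."""


class BoundedSelectParser(HTMLParser):
    """Counts <option> children of the open <select> and total elements
    while parsing incrementally; raises as soon as a budget is crossed."""

    def __init__(self, max_options=5000, max_elements=200_000):
        super().__init__()
        self.max_options = max_options        # assumed per-<select> cap
        self.max_elements = max_elements      # assumed whole-document cap
        self.total_elements = 0
        self.option_count = 0                 # options in the open <select>
        self.in_select = False
        self.largest_select = 0

    def handle_starttag(self, tag, attrs):
        self.total_elements += 1
        if self.total_elements > self.max_elements:
            raise NodeBudgetExceeded(
                f"more than {self.max_elements} elements in document")
        if tag == "select":
            self.in_select = True
            self.option_count = 0
        elif tag == "option" and self.in_select:
            self.option_count += 1
            self.largest_select = max(self.largest_select, self.option_count)
            if self.option_count > self.max_options:
                raise NodeBudgetExceeded(
                    f"more than {self.max_options} options in one <select>")

    def handle_endtag(self, tag):
        if tag == "select":
            self.in_select = False


def option_stream(n):
    """Constructed sample input: a <select> with n <option>s, yielded one
    chunk at a time like a network body. n=None never terminates, which
    models the PHP loop in comment 0."""
    yield '<select name="select8">'
    i = 0
    while n is None or i < n:
        yield "<option>Bug!</option>"
        i += 1
    yield "</select>"


def parse_bounded(chunks, max_options=5000, max_elements=200_000):
    """Feed chunks to the bounded parser as they arrive.

    Returns (completed, elements_seen, largest_select). Because counting
    happens per start tag, an unbounded stream is rejected after at most
    max_elements chunks and never accumulates in memory."""
    parser = BoundedSelectParser(max_options, max_elements)
    try:
        for chunk in chunks:
            parser.feed(chunk)
        parser.close()
        return True, parser.total_elements, parser.largest_select
    except NodeBudgetExceeded:
        return False, parser.total_elements, parser.largest_select


if __name__ == "__main__":
    # A normal page with a modest list completes.
    print(parse_bounded(option_stream(10)))
    # The never-ending list is cut off at the per-select budget.
    print(parse_bounded(option_stream(None), max_options=100))
    # Any endless element stream is cut off at the document budget.
    print(parse_bounded(option_stream(None), max_options=10**9, max_elements=50))
```

The per-element check is what makes this safe against an infinite body: the decision is taken on each start tag as it is parsed, so the amount of input held at any moment is one chunk plus the parser's small tag buffer, regardless of how long the server keeps sending.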
Updated•19 years ago
Component: General → Layout: Form Controls
Keywords: crash
Product: Firefox → Core
Version: unspecified → Trunk
Updated•18 years ago
QA Contact: general → layout.form-controls
Updated•15 years ago
Summary: browser crashes and major memory usage upon a recursive loop that fills a dropdown with many entries → High memory use and crash on page with infinite <option>s
Comment 4•15 years ago
I have placed a copy of comment 0's PHP script at: http://www.squarefree.com/bug320932/infinite-options.php Loading it will hang Firefox, at least.
Comment 5•15 years ago
On Mac, I can't get this to do anything but hang. In an opt build, it uses 2.5 GB RAM and stays there, still hanging. In a debug build, it uses up memory too slowly to reach 2.5 GB.
Keywords: hang
Comment 6•13 years ago
Still an issue with Firefox 8.0a2.
Whiteboard: [sg:dos] → [sg:dos], [MemShrink]
Comment 7•13 years ago
This is not a memshrink bug, because this isn't a problem encountered on non-attack pages.
Whiteboard: [sg:dos], [MemShrink] → [sg:dos]
Comment 8•9 years ago
I tried this in FF38 and it safely aborts due to out-of-memory. In Nightly I get the "This tab has crashed" message, so I think this is working as expected.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME