Closed
Bug 957030
Opened 10 years ago
Closed 10 years ago
exponential string growth causes an OOM
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 896165
People: Reporter: teslaenergy, Unassigned
Details: Keywords: crash
Attachments (1 file): 1009 bytes, text/html
Found this from a long time ago; it was created for ff17 and reported. Don't think it ever got fixed properly.
Severity: normal → critical
OS: Linux → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: 27 Branch → Trunk
Updated 10 years ago
Group: core-security
Comment 2 • 10 years ago
It looks like the test case is just doubling the size of a buffer. On OSX, it just ends up hanging the browser. Are you seeing a crash on some other OS, like maybe Win32? What is the crash id (this will show up in about:crashes)?
On Win64 I was only able to reproduce the hang with current Nightly (64bit). It seems that 32bit versions (25.0.1 port, 26, 27, 28) and Waterfox 24 are not affected, but have a high memory usage. I tested on Opera Next and IE11 as well; the result was a site crash, and IE also hangs. Firefox 25.0.1 in my Win8.1 (32bit) VM crashes immediately: https://crash-stats.mozilla.com/report/index/123250cf-c4d4-43ba-95ed-9261c2140108 Firefox 26 and Aurora 27/28 hang / freeze and have high memory and CPU usage. So I think this bug is very critical for 32bit systems, especially on Firefox ESR.
Comment 5 • 10 years ago
The test case is just repeatedly doubling the size of the buffer, and eventually the browser safely hits an OOM crash, which is what the mozalloc_abort is. I don't see any evidence of memory corruption.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: causes crash maybe more → exponential string growth causes an OOM
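As an added example (not the attachment from this bug, nor Mozilla's code), the following models the "keep doubling the buffer" pattern that comments 2 and 5 describe, and shows the length check a page script can apply before each doubling so that unbounded growth becomes a caught RangeError instead of an OOM abort. The cap value and the function names are assumptions chosen for illustration.

```javascript
// Added example, not from the bug report. Models exponential string growth
// (length doubles every round) and the bound that keeps it from reaching OOM.

// Assumed cap for illustration: 2^20 UTF-16 code units (about 2 MiB of string data).
const MAX_CHARS = 1 << 20;

// After k doublings a seed of length n occupies n * 2^k code units; this returns
// how many doublings fit under `cap` without exceeding it.
function doublingsUntilCap(seedLength, cap) {
  let length = seedLength;
  let k = 0;
  while (length * 2 <= cap) {
    length *= 2;
    k += 1;
  }
  return k;
}

// Doubles `seed` `rounds` times, but refuses any step that would exceed `cap`.
// The check runs before the concatenation, so the oversized string is never built.
function growBounded(seed, rounds, cap = MAX_CHARS) {
  let s = seed;
  for (let i = 0; i < rounds; i++) {
    if (s.length * 2 > cap) {
      throw new RangeError(
        `doubling #${i + 1} would reach ${s.length * 2} chars, above the cap of ${cap}`
      );
    }
    s += s; // same growth step as the test case: length doubles each round
  }
  return s;
}

// Wraps the throw so a caller can see whether the bound tripped and why.
function tryGrow(seed, rounds, cap = MAX_CHARS) {
  try {
    return { ok: true, length: growBounded(seed, rounds, cap).length };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Usage: 19 doublings of "ab" fit exactly under the cap, the 20th is refused.
console.log(doublingsUntilCap(1, MAX_CHARS)); // 20
console.log(tryGrow("ab", 19));               // { ok: true, length: 1048576 }
console.log(tryGrow("ab", 20));               // { ok: false, reason: '...' }
```

The point of the example is the arithmetic in `doublingsUntilCap`: a handful of rounds is harmless, but because each round doubles the length, a few dozen rounds reach gigabytes, which is why the engine ends in an OOM abort rather than a memory-corruption bug, as comment 5 concludes.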
Updated 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE