Open Bug 1162962 Opened 10 years ago Updated 3 years ago

Exponential nodes growth crashes firefox through oom

Categories: Core :: DOM: Core & HTML, defect, P5

People: Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned

Details: Keywords: testcase

Attachments: 1 file

Attached file Repro
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150415140819

Steps to reproduce:

Load this page:

    <script>
    var oNode = document.createElement("A");
    setTimeout(crash, 0);
    function crash() {
        setTimeout(crash, 0);
        oNode.appendChild(oNode.cloneNode(true));
    };
    </script>

Actual results:

The JavaScript constructs a tree of nested DOM Nodes, which grows exponentially. This causes 100% CPU usage. Firefox becomes unresponsive but no "unresponsive script" dialog is shown that would allow a user to kill the script. Eventually all memory is consumed and Firefox terminates itself, closing all open tabs.

Expected results:

1) An "unresponsive script" dialog should be shown, so the user may kill the script.
2) It should not be this easy for a webpage to crash Firefox; this type of DoS should result in a "crash" for the page, not the entire browser.
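The growth the reporter describes can be measured without a browser. The block below is an added example, not code from the bug report or from Gecko: it models just enough of the DOM Node API (appendChild and a deep cloneNode) in plain Node.js to run the testcase's single statement repeatedly and count the result. Appending a deep clone of the whole tree to its own root doubles the node count on every step, so the tree has 2**k nodes after k steps, while each setTimeout callback is a separate short task until the last few steps, which is consistent with no slow-script dialog appearing. The names FakeNode, countNodes, growthTrace and growUntilBudget are chosen here and are not DOM or Gecko APIs; growUntilBudget shows the check a page author would add to cap this pattern before the clone is allocated.

```javascript
// Added example (not from the bug report): a minimal stand-in for the DOM
// Node API so the testcase's growth can be measured in Node.js, where there
// is no real document. FakeNode, countNodes, growthTrace and growUntilBudget
// are names chosen here, not DOM or Gecko APIs.
class FakeNode {
  constructor(tagName) {
    this.tagName = tagName;
    this.childNodes = [];
  }
  appendChild(child) {
    this.childNodes.push(child);
    return child;
  }
  // Deep clone, as Node.cloneNode(true) does: copies the entire subtree.
  cloneNode(deep) {
    const copy = new FakeNode(this.tagName);
    if (deep) {
      for (const child of this.childNodes) copy.appendChild(child.cloneNode(true));
    }
    return copy;
  }
}

// Iterative subtree count; recursion would hit the stack limit on the
// deep trees this pattern produces (depth grows by one per step).
function countNodes(root) {
  let total = 0;
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    total += 1;
    for (const child of node.childNodes) stack.push(child);
  }
  return total;
}

// Apply the testcase's statement, oNode.appendChild(oNode.cloneNode(true)),
// `steps` times and return the node count before the first step and after
// each one. Each step doubles the count, so the result is [1, 2, 4, ..., 2**steps].
function growthTrace(steps) {
  const oNode = new FakeNode('A');
  const trace = [countNodes(oNode)];
  for (let i = 0; i < steps; i++) {
    oNode.appendChild(oNode.cloneNode(true));
    trace.push(countNodes(oNode));
  }
  return trace;
}

// Budgeted variant: refuse the step when the doubled tree would exceed
// maxNodes. The check runs before cloneNode, so no memory is allocated for
// a copy that would then be rejected. Returns the number of accepted steps
// and the final node count.
function growUntilBudget(maxNodes, maxSteps = 64) {
  const oNode = new FakeNode('A');
  let steps = 0;
  for (; steps < maxSteps; steps++) {
    const current = countNodes(oNode);
    if (current * 2 > maxNodes) break; // doubling would blow the budget
    oNode.appendChild(oNode.cloneNode(true));
  }
  return { steps, nodes: countNodes(oNode) };
}

// Demo: 20 steps already produce 2**20 nodes; the real testcase never stops.
console.log(growthTrace(20));
console.log(growUntilBudget(1000));
```

Run with `node` to see the trace; the budgeted run stops at 512 nodes because the next step would need 1024. The same arithmetic explains why the browser side is hard to protect with a per-callback watchdog alone: the work per callback is tiny for dozens of steps and then exceeds available memory within a few more.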
Product: Firefox → Core
Component: Untriaged → DOM
Keywords: testcase
I confirm this bug exists from the latest Nightly back to at least Firefox 17. This testcase crashes Firefox without showing the crash reporter. When running Firefox from terminal I get the following output on crash:

> out of memory: 0x00000000000000C8 bytes requested
> ExceptionHandler::GenerateDump waitpid failed:No child processes
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 37 Branch → Trunk
FWIW, Chromium in Ubuntu crashes the tab and not the entire process.
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven't been updated in more than 3 years and have no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: normal → S3