Closed
Bug 1226961
Opened 9 years ago
Closed 2 years ago
Loading specific website in browser freezes the browser until we get to an out of memory crash (or until the unresponsive script is killed by the warning dialog)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: mathieu.tarral, Unassigned)
References
Details
(Whiteboard: [mozfr-community])
Attachments
(8 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36 Steps to reproduce: 1. Login with a LinkedIn account on https://fr.linkedin.com/ 2. Search for some name in the search bar 3. Open the first profile listed in a new tab Actual results: Firefox freeze when trying to load the LinkedIn profile page, and a memory leak is eating the memory until Firefox is killed by the OS. Expected results: The LinkedIn profile page should have been rendered without problems.
Reporter | ||
Updated•9 years ago
|
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Reporter | ||
Comment 1•9 years ago
|
||
Somme additional informations: Platform: Fedora 23 I was able to reproduce the bug in both normal mode and safe mode (add-ons disabled), but I wasn't able to reproduce it with a clean profile, created with "firefox --profile /tmp/foo". Also, the bug is only present on some specific LinkedIn profile pages, not all of them.
Comment 2•9 years ago
|
||
Can you provide a specific linkedIn URL on which you are seeing the issue? Aldo, while the issue is happening, can you open about: memory in a new tab, get a memory report, and then attach it to this bug? Thanks!
Comment 3•9 years ago
|
||
I discussed this over email with Mathieu; he provided me with a video that demonstrated the problem (not posted publicly for privacy reasons; contact him directly if you need it). It seems like there's a runaway script on the page that is allocating gobs of memory and hogging the main thread. This makes the browser nonresponsive and also causes the memory usage to climb while the script is running. Eventually the unresponsive script warning appears and allows him to kill the script, at which point things return to normal. He was able to download debug symbols and attach gdb, and provided the attached backtraces. This confirms the above theory, and shows the main thread (thread 1) is somewhere in the regexp code, having being invoked by the JIT. So most likely this is a poorly coded website, but it might also be hitting a bad edge case in our code, and should probably be investigated further by somebody who knows the JS/regexp code.
Updated•9 years ago
|
Updated•9 years ago
|
Summary: Memory leak in browser freezes the browser until we get to an out of memory crash → Loading specific website in browser freezes the browser until we get to an out of memory crash (or until the unresponsive script is killed by the warning dialog)
Updated•9 years ago
|
Whiteboard: [mozfr-community]
Comment 4•9 years ago
|
||
This seems to be an issue in the RegExp engine.
Flags: needinfo?(bhackett1024)
Comment 5•9 years ago
|
||
The first two frames of thread 1 in that gdb backtrace are in trace logging code, and seem to indicate that trace logging is active. Trace logging logs information about every regexp execution performed by a script, but doesn't log anything internal to regexp execution, so I think this is unlikely to be a regexp problem and more likely to be things working as intended vis a vis trace logger overhead. Why is trace logging active in this backtrace?
Flags: needinfo?(bhackett1024)
Comment 6•9 years ago
|
||
Hannes, why is trace-logging active in this backtrace? Do you have any idea what might be wrong?
Flags: needinfo?(hv1989)
Comment 7•9 years ago
|
||
This is strange! I can confirm from the backtrace that TraceLogger is active. It would also explain the symptoms of "uses hogs of memory and degraded performance". Since this is strange, since one has to invoke it: TLFLAGS = XXX / TLOPTIONS = XXX Question 1) Can you give me the environment flags firefox is running with? Another way to invoke it, is to use: var du = new Debugger(); du.setupTraceLoggerScriptCalls() du.startTraceLogger(); Both seem quite hard to hit by accident, but possible. @Kartikaya: can we find out, if the js code on the affected site potentially has "setupTraceLoggerScriptCalls" in its code
Flags: needinfo?(hv1989) → needinfo?(bugmail.mozilla)
Reporter | ||
Comment 8•9 years ago
|
||
I have the same profile since a while now, and it is possible that I enabled some debugging features and that I forgot about it. => How can i export my about:config and get only the configuration modified by the user ? Also, I added the firefox env in the attached files.
Reporter | ||
Comment 9•9 years ago
|
||
Comment 10•9 years ago
|
||
(In reply to mathieu.tarral from comment #9) > Created attachment 8691903 [details] > Environement Thanks. Seems the cause is not the environment.
Comment 11•9 years ago
|
||
I was just relaying info from Mathieu; if you have further questions he should be able to answer them directly.
Flags: needinfo?(bugmail.mozilla)
Comment 12•9 years ago
|
||
(In reply to mathieu.tarral from comment #8) > I have the same profile since a while now, and it is possible that I > enabled some debugging features and that I forgot about it. > > => How can i export my about:config and get only the configuration modified > by the user ? cat ~/.mozilla/firefox/PROFILE_FOLDER/prefs.js
Comment 13•9 years ago
|
||
- can you reproduce with a nightly? https://nightly.mozilla.org/
Reporter | ||
Comment 14•9 years ago
|
||
I uploaded my pref.js file and removed the following keys for privacy reasons : - capability.policy.maonoscript.sites - services.sync.* I have just tried with the latest nightly build for Linux x64, firefox-45.0a1.en-US.linux-x86_64, in safe mode, and the bug is still triggered, but thanks to Electrolysis the browser is not frozen anymore :D
Reporter | ||
Comment 15•9 years ago
|
||
Comment 16•9 years ago
|
||
I'll make a try build that(In reply to mathieu.tarral from comment #14) > I uploaded my pref.js file and removed the following keys for privacy > reasons : > - capability.policy.maonoscript.sites > - services.sync.* > > I have just tried with the latest nightly build for Linux x64, > firefox-45.0a1.en-US.linux-x86_64, > in safe mode, and the bug is still triggered, but thanks to Electrolysis the > browser is not frozen anymore :D Good that you can repro on nightly. I'm gonna try to create a try-build that with some extra debug statements in order to have a better understanding. In the meantime, can you move the pref.js file to pref.js.bac or something and try to reproduce. (I.e. that will remove all your custom preferences.) That way we can determine if a line in that file is causing this. Though looking at the file, there is nothing worrisome.
Comment 17•9 years ago
|
||
Nexto what I said in comment 16. Can you try this build: http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com-f3ea02aa2a5784c0a8b872276b22c79e1cc198ea/try-linux64/ and try to replicate it. Even if you cannot replicate, please attach the output from the terminal, which I need to dig deeper into this issue. Thanks!
Reporter | ||
Comment 18•9 years ago
|
||
I tried to reset my preferences by moving my prefs.js to prefs.js.bak, started firefox in safe mode and I was still able to trigger the bug. I also tried your customized nighlty build, triggered the bug and uploaded the output.
Reporter | ||
Comment 19•9 years ago
|
||
Comment 20•9 years ago
|
||
Thanks! I can confirm tracelogger isn't the reason. (Relieve on my side ;) ). I've started a new build that focuses on regexp issues. Upon completion I will provide the link and ask you to try to trigger it again. Again I'm interested in the console output. But first the build have to finish.
Comment 21•9 years ago
|
||
Hey Mathieu, can you run the following build: http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com-518ba3a483aa0cdf5156cc1723445028ee137adc/try-linux64/ and give me the console output again?
Reporter | ||
Comment 22•9 years ago
|
||
I was able to trigger the bug once again. The output given by your build was HUGE (260M) ! I had to compress it with XZ to have an uploadable file.
Reporter | ||
Comment 23•9 years ago
|
||
Comment 24•9 years ago
|
||
Thanks! The log is very helpfull. Some strangeness in your log: 1) All regexp go to the interpreter! The jits doesn't work here !? 2) The Regexp look jittable This raises the question: - Do we have a memory leak in our regexp interpreter? - Why don't we JIT? Gonna investigate the code and look where potentially bugs could be.
Comment 25•9 years ago
|
||
I looked a bit around, but couldn't really pinpoint where things would potentially go wrong. As a result I created another build with some extra print debugs: http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com-cba68377c85f3826319b3147933573bdb5070c2d/try-linux64/ Can you run this and provide the data it spews? This time you don't need to trigger the bug. You only need to have at least 30 lines of output ;). thanks!
Reporter | ||
Comment 26•9 years ago
|
||
So, I just opened firefox nightly in safe-mode and captured the output, if that's what you wanted.
Reporter | ||
Comment 27•9 years ago
|
||
Comment 28•9 years ago
|
||
(In reply to mathieu.tarral from comment #26) > So, I just opened firefox nightly in safe-mode and captured the output, if > that's what you wanted. Interestingly that didn't trigger the issue. Hmm. Can you try again but with trying to trigger the bug?
Reporter | ||
Comment 29•9 years ago
|
||
Sure ! Here is the output.
Reporter | ||
Comment 30•9 years ago
|
||
Comment 31•9 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #21) > Hey Mathieu, can you run the following build: > http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com- > 518ba3a483aa0cdf5156cc1723445028ee137adc/try-linux64/ > > and give me the console output again? I just noticed that you ran the build from 2 days ago in safe-mode. That might have skewed the results and deductions I made from them. Can you run it again, but this time in normal mode? http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com-518ba3a483aa0cdf5156cc1723445028ee137adc/try-linux64/
Reporter | ||
Comment 32•9 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #31) > (In reply to Hannes Verschore [:h4writer] from comment #21) > > Hey Mathieu, can you run the following build: > > http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com- > > 518ba3a483aa0cdf5156cc1723445028ee137adc/try-linux64/ > > > > and give me the console output again? > > I just noticed that you ran the build from 2 days ago in safe-mode. > That might have skewed the results and deductions I made from them. Can you > run it again, but this time in normal mode? > http://archive.mozilla.org/pub/firefox/try-builds/hv1989@gmail.com- > 518ba3a483aa0cdf5156cc1723445028ee137adc/try-linux64/ I compressed the new output log and uploaded it.
Reporter | ||
Comment 33•9 years ago
|
||
Comment 34•9 years ago
|
||
Interesting. In both attachments we have a overuse of two regexps: 1013139 JSString* (0x7fe371a1df00) = Latin1Char * (0x7fe3785eb228) = "^-ms-" 1013141 JSString* (0x7fe371a1df80) = Latin1Char * (0x7fe3785eb240) = "-([\da-z])" Looks related. Would be cool to have a search engine that could search on this to find which snippet uses this
Comment 35•9 years ago
|
||
(In reply to Hannes Verschore [:h4writer] from comment #34) > Interesting. In both attachments we have a overuse of two regexps: > > 1013139 JSString* (0x7fe371a1df00) = Latin1Char * (0x7fe3785eb228) = "^-ms-" > 1013141 JSString* (0x7fe371a1df80) = Latin1Char * (0x7fe3785eb240) = > "-([\da-z])" > > Looks related. > Would be cool to have a search engine that could search on this to find > which snippet uses this Seems like jquery uses both.
Comment 36•8 years ago
|
||
I'm also experiencing this bug with Firefox 46.
Comment 37•8 years ago
|
||
I'm getting this with Firefox 48.0a2. I can attach a stack trace of what I got and am willing to build + run patches from what I'm experiencing.
Comment 38•8 years ago
|
||
My trace is here: https://gist.githubusercontent.com/jalcine/6c7bf87633b28f64df63c4754b5a8a3d/raw/b5fa6a8671ce6a58b0f14a7421a9a35dc148682b/gistfile1.txt
Comment hidden (spam) |
Comment hidden (spam) |
Updated•7 years ago
|
Flags: needinfo?(mail.ahramenterprises)
Updated•2 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•