crash in mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read || Hang and OOM crash when logging into dell.com/myaccount when browser.history.allowReplaceState = false

RESOLVED FIXED in Firefox 47

Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago
Product: Core
Component: DOM: Content Processes
Severity: critical
Reporter: George
Assignee: Unassigned
Version: 47 Branch
Target Milestone: mozilla47
Platform: x86, Windows NT
Keywords: crash
Firefox Tracking Flags: firefox47 fixed
Whiteboard: dom-triaged btpp-backlog, crash signature
Attachments: 1 attachment

Description (Reporter, 2 years ago)

This bug was filed from the Socorro interface and is report bp-0fed2970-fb55-479a-8830-df8702160219.
=============================================================

If browser.history.allowReplaceState is false in about:config, visiting https://www.dell.com/myaccount and logging in to a user account will freeze and crash Firefox.

Expected result:
https://www.dell.com/myaccount displays correctly.

Actual Result:
Firefox hangs up and maxes out CPU thread, increasing memory consumption until eventual Out of Memory (OOM) crash. Browser lockup is near immediate. Time to crash is system memory dependent (Lesser of free system memory/process memory limit) (Increases ~100MB / ~7sec until OOM crash). If able to close the tab, memory use often continues to rise for some time and may not always prevent a crash.
In Nightly, occasionally was able to crash the parent e10s process (not just crashing the hung tab). Usually just killed the tab though.

Reproducible: Always

Steps to Reproduce:
1. Set browser.history.allowReplaceState to false in about:config
2. Visit https://dell.com/myaccount
3. Create/Log into a Dell account (If necessary, can make up any account, no email verification required for new accounts)
4. Visit https://dell.com/myaccount (This will redirect to a localized version, e.g. http://www.dell.com/en-us/myaccount)
5. Once the page starts to load, Firefox will start to hang and max out CPU thread, increasing memory consumption until OOM crash.

Tested and reproducible on Windows 7 SP1 x64, Windows 8.1 x64, and Windows 10 x64
Tested on new profiles with no extensions installed. Only change from default is browser.history.allowReplaceState;false
Tested on Firefox Release 44.0.2 Build ID 20160210153822, Firefox Beta 45.0b6 Build ID 20160215141016, and Firefox Nightly 47.0a1 (2016-02-18) Build ID 20160218030349

Sample crash reports generated during testing:
https://crash-stats.mozilla.com/report/index/0fed2970-fb55-479a-8830-df8702160219
https://crash-stats.mozilla.com/report/index/485947fa-c425-4848-85e4-39bf92160219
https://crash-stats.mozilla.com/report/index/4c2a31ea-5b59-49a9-a9ec-ea58f2160219
https://crash-stats.mozilla.com/report/index/b2837444-d8a2-41f9-9c79-44f352160219
https://crash-stats.mozilla.com/report/index/85438d2d-caed-4011-9679-a5ef72160219
https://crash-stats.mozilla.com/report/index/f5ff9c95-3503-4766-bace-a82442160219

Updated (Reporter, 2 years ago)
Crash Signature: [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read] → [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read] [@ mozalloc_abort | NS_DebugBreak | XPCJSRuntime::newXPCJSRuntime] [@ OOM | large | NS_ABORT_OOM | nsString::nsString] [@ OOM | small] …

Updated (Reporter, 2 years ago)
Component: Untriaged → JavaScript Engine
Summary: crash in mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read → crash in mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read || Hang and OOM crash when logging into dell.com/myaccount when browser.history.allowReplaceState = false

Updated (Reporter, 2 years ago)
Component: JavaScript Engine → Untriaged
Reproducible:
Version: 45.0a1 & 44.0.2
Build ID: 20151204030208 & 20160210153822
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Content Processes
Ever confirmed: true
Keywords: crash

Comment 2

2 years ago
I tried with FF36, same issue.

I removed the crash signatures with empty minidump.
Crash Signature: [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read] [@ mozalloc_abort | NS_DebugBreak | XPCJSRuntime::newXPCJSRuntime] [@ OOM | large | NS_ABORT_OOM | nsString::nsString] [@ OOM | small] … → [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read]

Comment 3

2 years ago
Same issue with FF8, I guess it's here since the implementation of browser.history.allowReplaceState.

If people want to test:
URL: https://www.dell.com/myaccount
U: bugzilla@yopmail.net
P: azerty123!

Given comment 3 and the fact that this is a non-default setting of the pref, we can't prioritize this so I'm adding it to our backlog.
Whiteboard: dom-triaged btpp-backlog

Created attachment 8724451
Remove the prefs for History API push/pop/replaceState

These prefs don't even work properly, and they can break Web content in
pretty bad ways for the users who have them set.
Attachment #8724451 - Flags: review?(bzbarsky)

Comment on attachment 8724451
Remove the prefs for History API push/pop/replaceState

Yeah, ok.  I checked why these prefs are there and they were added in bug 500328 with no real explanation...

r=me
Attachment #8724451 - Flags: review?(bzbarsky) → review+

Comment 7

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/65a86f0f0e90

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/65a86f0f0e90
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox47: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47