Closed Bug 1249542 Opened 4 years ago Closed 4 years ago

crash in mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read || Hang and OOM crash when logging into dell.com/myaccount when browser.history.allowReplaceState = false

Categories: Core :: DOM: Content Processes, defect, critical
Version: 47 Branch
Hardware: x86
OS: Windows NT
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla47
Tracking Status: firefox47 --- fixed

People
Reporter: o2092009
Assignee: Unassigned

Details
Keywords: crash
Whiteboard: dom-triaged btpp-backlog

Attachments: 1 file

This bug was filed from the Socorro interface and is report bp-0fed2970-fb55-479a-8830-df8702160219.
=============================================================

If browser.history.allowReplaceState is false in about:config, visiting https://www.dell.com/myaccount and logging in to a user account will freeze and crash Firefox.

Expected result:
https://www.dell.com/myaccount displays correctly.

Actual Result:
Firefox hangs and maxes out a CPU thread, increasing memory consumption until an eventual Out of Memory (OOM) crash. Browser lockup is near immediate. Time to crash is system memory dependent (the lesser of free system memory and the process memory limit); memory increases by ~100MB every ~7sec until the OOM crash. If the tab can be closed, memory use often continues to rise for some time, and closing it may not always prevent a crash.
In Nightly, I was occasionally able to crash the parent e10s process (not just the hung tab). Usually it just killed the tab, though.

Reproducible: Always

Steps to Reproduce:
1. Set browser.history.allowReplaceState to false in about:config
2. Visit https://dell.com/myaccount
3. Create/Log into a Dell account (If necessary, can make up any account, no email verification required for new accounts)
4. Visit https://dell.com/myaccount (This will redirect to a localized version, e.g. http://www.dell.com/en-us/myaccount)
5. Once the page starts to load, Firefox will start to hang and max out a CPU thread, increasing memory consumption until the OOM crash.

Tested and reproducible on Windows 7 SP1 x64, Windows 8.1 x64, and Windows 10 x64
Tested on new profiles with no extensions installed. Only change from default is browser.history.allowReplaceState;false
Tested on Firefox Release 44.0.2 Build ID 20160210153822, Firefox Beta 45.0b6 Build ID 20160215141016, and Firefox Nightly 47.0a1 (2016-02-18) Build ID 20160218030349

Sample crash reports generated during testing:
https://crash-stats.mozilla.com/report/index/0fed2970-fb55-479a-8830-df8702160219
https://crash-stats.mozilla.com/report/index/485947fa-c425-4848-85e4-39bf92160219
https://crash-stats.mozilla.com/report/index/4c2a31ea-5b59-49a9-a9ec-ea58f2160219
https://crash-stats.mozilla.com/report/index/b2837444-d8a2-41f9-9c79-44f352160219
https://crash-stats.mozilla.com/report/index/85438d2d-caed-4011-9679-a5ef72160219
https://crash-stats.mozilla.com/report/index/f5ff9c95-3503-4766-bace-a82442160219
Crash Signature: [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read] → [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read] [@ mozalloc_abort | NS_DebugBreak | XPCJSRuntime::newXPCJSRuntime] [@ OOM | large | NS_ABORT_OOM | nsString::nsString] [@ OOM | small] [@ OOM …
Component: Untriaged → JavaScript Engine
Summary: crash in mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read → crash in mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read || Hang and OOM crash when logging into dell.com/myaccount when browser.history.allowReplaceState = false
Component: JavaScript Engine → Untriaged
Reproducible:
Version: 45.0a1 & 44.0.2
Build ID: 20151204030208 & 20160210153822
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Content Processes
Ever confirmed: true
Keywords: crash
I tried with FF36, same issue.

I removed the crash signatures with empty minidump.
Crash Signature: [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read] [@ mozalloc_abort | NS_DebugBreak | XPCJSRuntime::newXPCJSRuntime] [@ OOM | large | NS_ABORT_OOM | nsString::nsString] [@ OOM | small] [@ OOM … → [@ mozilla::ipc::FatalError | mozilla::dom::PContentParent::FatalError | mozilla::dom::PContentParent::Read]
Same issue with FF8, I guess it's here since the implementation of browser.history.allowReplaceState.

If people want to test:
URL: https://www.dell.com/myaccount
U: bugzilla@yopmail.net
P: azerty123!
Given comment 3 and the fact that this is a non-default setting of the pref, we can't prioritize this so I'm adding it to our backlog.
Whiteboard: dom-triaged btpp-backlog
These prefs don't even work properly, and they can break Web content in pretty bad ways for the users who have them set.
Attachment #8724451 - Flags: review?(bzbarsky)
Comment on attachment 8724451
Remove the prefs for History API push/pop/replaceState

Yeah, ok.  I checked why these prefs are there and they were added in bug 500328 with no real explanation...

r=me
Attachment #8724451 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/65a86f0f0e90
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47

(In reply to :ehsan akhgari from comment #5)

> These prefs don't even work properly, and they can break Web content in
> pretty bad ways for the users who have them set.

It seems to me like the obvious reason for including those prefs is so that users who don't want sites to be able to tell their browser to lie to them about their history can tell their browser not to lie to them about their history, even if a site tells it to. Granted, sites may use at least some of these tools in ways that are not deceptive. But they may also use them in ways that are, and users may wish to prevent that.
