Closed Bug 1322149 Opened 9 years ago Closed 8 years ago

looped string-doubling Out of memory Crash

Categories

(Firefox :: Untriaged, defect)

48 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: romi007r, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dos] DUPEME)

Attachments

(2 files)

Attached file neww.html
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36

Steps to reproduce:

Open the attachment in Firefox; it will hang and crash after some time. It might be only an OOM, but it generates some interesting dumps. The same test case creates interesting dumps like MEMORY_CORRUPTION_LARGE, abort_from_exception and Unknown exception - code c0000025.

Expected results:

It can parse the JS much more efficiently instead of crashing the process.
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
uncaught exception while running with debugger
This is a harmless denial of service crash (memory exhaustion).
Group: firefox-core-security
Summary: Out of memory Crash Might be security issue → looped string-doubling Out of memory Crash
Whiteboard: [sg:dos] DUPEME
Can somewhat reproduce on the following user agents:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0 (VM)
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Getting a hang on opening the HTML attachment, but after leaving it open for an extended period of time (30 minutes or so) there are no crashes.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Talked with Benjamin Smedberg on this issue, and he suggested we close this as Won't Fix per Comment 3.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX