Crash [@ OOM | small ] with mozilla::dom::HTMLImageElement involved

RESOLVED FIXED

Status

Tech Evangelism
Desktop
--
critical
RESOLVED FIXED
a year ago
2 months ago

People

(Reporter: Tomcat, Unassigned)

Tracking

(Blocks: 1 bug, {crash})

unspecified
crash

Firefox Tracking Flags

(firefox51- affected, firefox52- wontfix, firefox53- affected)

Details

(Whiteboard: [contactready], URL)

(Reporter)

Description

a year ago
Found via bughunter and reproduced with tinderbox windows opt beta build.

Opt Builds crash very fast (within 30 seconds) debug builds take way longer 

Steps to reproduce:

-> Load http://www.lcvs.kh.edu.tw/site/adm-night/department.html
---> Crash after a few seconds 

Crash-id https://crash-stats.mozilla.com/report/index/281b431c-4b4b-4d89-bce5-51afd2170104 - beta opt

https://crash-stats.mozilla.com/report/index/6a601749-9bbd-40cc-b8e1-c02c62170104 - nightly opt
(Reporter)

Comment 1

a year ago
[Tracking Requested - why for this release]:

bughunter found affects opt builds, edgar could you take a look , not sure if this is the right component. thanks!
status-firefox51: --- → affected
status-firefox52: --- → affected
status-firefox53: --- → affected
tracking-firefox51: --- → ?
tracking-firefox52: --- → ?
tracking-firefox53: --- → ?
Flags: needinfo?(echen)
Page is doing a "new Image" call.  Having that crash on OOM is not unreasonable.

Tried the page in Chrome: it pegs the CPU in the content process, and memory usage is growing, but slowly...
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #3)
> Page is doing a "new Image" call.  Having that crash on OOM is not
> unreasonable.
> 
> Tried the page in Chrome: it pegs the CPU in the content process, and memory
> usage is growing, but slowly...

Same in Edge.

I look at the page source [1], it runs into an infinite loop and calls "new Image" repeatedly.

======
<head>
...
<script>
...
function FP_preloadImgs() {//v1.0
 var d=document,a=arguments; if(!d.FP_imgs) d.FP_imgs=new Array();
 for(var i=0; i<a.length; i  ) { d.FP_imgs[i]=new Image; d.FP_imgs[i].src=a[i]; }
}
...
</script>
</head>
<body onload="FP_preloadImgs(/*url*/'images/button6.jpg',/*url*/'images/button5.jpg')">
....
</body>

[1] view-source:http://www.lcvs.kh.edu.tw/site/adm-night/department.html
OK, in that case an OOM crash is pretty much expected, seems like.
Seems this is a broken script allocating memory in an infinite loop, doesn't seem worth tracking.
tracking-firefox51: ? → -
tracking-firefox52: ? → -
tracking-firefox53: ? → -

Updated

a year ago
Flags: needinfo?(echen)
Component: DOM: Core & HTML → Desktop
Product: Core → Tech Evangelism
Setting this to needsdiagnosis for now. Sounds like it's happening to some extent in all browsers, so maybe not a high priority for webcompat?
Whiteboard: [needsdiagnosis]
(In reply to Adam Stevenson [:adamopenweb] from comment #7)
> Setting this to needsdiagnosis for now. Sounds like it's happening to some
> extent in all browsers, so maybe not a high priority for webcompat?

I think so.
Whiteboard: [needsdiagnosis] → [needscontact]
To add to Edgar's comment #4:

function FP_preloadImgs() {//v1.0
 var d=document,a=arguments; if(!d.FP_imgs) d.FP_imgs=new Array();
 for(var i=0; i<a.length; i  ) { d.FP_imgs[i]=new Image; d.FP_imgs[i].src=a[i]; }
}

Note that they're never incrementing i in that loop, so it never stops. To fix this they need to do:

...
for(var i=0; i<a.length; i++)
...

(not the plusses there)
* (note the plusses there)
I send a mail to 4 staffs in the computer center who are the website owners.

School's mail server seems not work, two mail delivery fail. But one uses gmail and the other one uses yahoo looks good.

I also remind them about the infinite loops in different functions, not only in FP_preloadImgs(), but it's the first root cause of this bug.

Set whiteboard to contactready.
Whiteboard: [needscontact] → [contactready]
Too late for firefox 52, mass-wontfix.
status-firefox52: affected → wontfix
I can see that they fixed their infinite loop. Cool.
Status: NEW → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.