Crash [@ OOM | small ] with mozilla::dom::HTMLImageElement involved

RESOLVED FIXED

Status

defect
--
critical
RESOLVED FIXED
2 years ago
3 months ago

People

(Reporter: cbook, Unassigned)

Tracking

(Blocks 1 bug, {crash})

unspecified
Dependency tree / graph

Firefox Tracking Flags

(firefox51- affected, firefox52- wontfix, firefox53- affected)

Details

(Whiteboard: [contactready], )

Reporter

Description

2 years ago
Found via bughunter and reproduced with tinderbox windows opt beta build.

Opt Builds crash very fast (within 30 seconds) debug builds take way longer 

Steps to reproduce:

-> Load http://www.lcvs.kh.edu.tw/site/adm-night/department.html
---> Crash after a few seconds 

Crash-id https://crash-stats.mozilla.com/report/index/281b431c-4b4b-4d89-bce5-51afd2170104 - beta opt

https://crash-stats.mozilla.com/report/index/6a601749-9bbd-40cc-b8e1-c02c62170104 - nightly opt
Reporter

Comment 1

2 years ago
[Tracking Requested - why for this release]:

bughunter found affects opt builds, edgar could you take a look , not sure if this is the right component. thanks!
Flags: needinfo?(echen)
Page is doing a "new Image" call.  Having that crash on OOM is not unreasonable.

Tried the page in Chrome: it pegs the CPU in the content process, and memory usage is growing, but slowly...
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #3)
> Page is doing a "new Image" call.  Having that crash on OOM is not
> unreasonable.
> 
> Tried the page in Chrome: it pegs the CPU in the content process, and memory
> usage is growing, but slowly...

Same in Edge.

I look at the page source [1], it runs into an infinite loop and calls "new Image" repeatedly.

======
<head>
...
<script>
...
function FP_preloadImgs() {//v1.0
 var d=document,a=arguments; if(!d.FP_imgs) d.FP_imgs=new Array();
 for(var i=0; i<a.length; i  ) { d.FP_imgs[i]=new Image; d.FP_imgs[i].src=a[i]; }
}
...
</script>
</head>
<body onload="FP_preloadImgs(/*url*/'images/button6.jpg',/*url*/'images/button5.jpg')">
....
</body>

[1] view-source:http://www.lcvs.kh.edu.tw/site/adm-night/department.html
OK, in that case an OOM crash is pretty much expected, seems like.
Seems this is a broken script allocating memory in an infinite loop, doesn't seem worth tracking.

Updated

2 years ago
Flags: needinfo?(echen)
Component: DOM: Core & HTML → Desktop
Product: Core → Tech Evangelism
Setting this to needsdiagnosis for now. Sounds like it's happening to some extent in all browsers, so maybe not a high priority for webcompat?
Whiteboard: [needsdiagnosis]
(In reply to Adam Stevenson [:adamopenweb] from comment #7)
> Setting this to needsdiagnosis for now. Sounds like it's happening to some
> extent in all browsers, so maybe not a high priority for webcompat?

I think so.
Whiteboard: [needsdiagnosis] → [needscontact]
To add to Edgar's comment #4:

function FP_preloadImgs() {//v1.0
 var d=document,a=arguments; if(!d.FP_imgs) d.FP_imgs=new Array();
 for(var i=0; i<a.length; i  ) { d.FP_imgs[i]=new Image; d.FP_imgs[i].src=a[i]; }
}

Note that they're never incrementing i in that loop, so it never stops. To fix this they need to do:

...
for(var i=0; i<a.length; i++)
...

(not the plusses there)
* (note the plusses there)
I send a mail to 4 staffs in the computer center who are the website owners.

School's mail server seems not work, two mail delivery fail. But one uses gmail and the other one uses yahoo looks good.

I also remind them about the infinite loops in different functions, not only in FP_preloadImgs(), but it's the first root cause of this bug.

Set whiteboard to contactready.
Whiteboard: [needscontact] → [contactready]
Too late for firefox 52, mass-wontfix.
I can see that they fixed their infinite loop. Cool.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Component: Desktop → Desktop
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.