1480354 - constructed Blob freezes tab on download

Status: VERIFIED FIXED

(Core :: XPCOM, defect)

Description

[Christian]

Attachment: PoC.htm

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180704003137

Steps to reproduce:

1. Create an empty Blob
2. Add 512 KB blocks to the Blob until it has a size of 25 MB
3. create URL to Blob
4. Try downloading via anker with download attribute
5. "save as" dialog appears, choose "save"


Actual results:

Download never finishes; after some time, tab doesn't respond to input anymore either.
Please note that if the steps to reproduce are slightly changed (i.e. if we're adding 1 KB blocks instead of 512 KB blocks), then the tab crashes instead of freezing.


Expected results:

Download succeeds (i.e. finishes).

Comment 1

[Christian]

Also note that when we're adding bigger blocks (i.e. 1 MB blocks instead of 512 KB blocks), then everything works just fine.

Comment 2

[Alice0775 White]

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=55a9b2fe876c5f9ac8d33b861b1df4679e5a3191&tochange=68c85fdcd9f616dd3648a79db12873e7355fc247


Regressed by: Bug 1371699




Fixed range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=993f78b4700d242461c4e78c252b7a00d14bfd9f&tochange=fae4d7e570524591e715d8962b899d3044e75e64

Fixed by: Bug 1460561 in Firefox 62


:baku,
Your bunch of patch seems to cause the problem, could you look into this?

Comment 3

[Andrea Marchesini [:baku]]

Attachment: blob_nested.patch

Let's avoid a super complex tree of nested blobs.

Comment 4

[Olli Pettay [:smaug][bugs@pettay.fi]]

I'm a bit lost here, comment 2 says Bug 1460561 fixed this.

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

Comment on attachment 8997094 [details] [diff] [review]
blob_nested.patch

I was thinking if there was some way to access subblobs, like using FormData or so, but couldn't find any way.


Please add a crashtest like test here too, something which crashes without the patch. Assuming that is done, r+

Comment 6

[Pulsebot]

Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3f58dc7309e3
Better approach for nested blobs construction, r=smaug

Comment 7

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/3f58dc7309e3

Comment 8

[Ryan VanderMeulen [:RyanVM]]

You need to add dom/file/tests/crashtests/crashtests.list to the main crashtest manifest in testing/crashtest/crashtests.list or the new test won't be run (and I've confirmed that it currently isn't as expected).

Also, is this something we should consider backporting?

Comment 9

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e17409c5199c
Add the new crashtest manifest to the master one. r=me

Comment 10

[Eliza Balazs [:ebalazs_]]

https://hg.mozilla.org/mozilla-central/rev/e17409c5199c

Comment 11

[Andrea Marchesini [:baku]]

Comment on attachment 8997094 [details] [diff] [review]
blob_nested.patch

Approval Request Comment
[Feature/Bug causing the regression]: Blob in general
[User impact if declined]: a malicious website can make the browser to freeze
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: follow the bug description 
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: stable on central for weeks, it doesn't break any existing test.
[String changes made/needed]: none

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8997094 [details] [diff] [review]
blob_nested.patch

It's a bit late in the cycle for this, but it's very well-baked on Nightly and I think the severity of the issue warrants a late landing. Approved for 62 RC1.

Comment 13

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8997094 [details] [diff] [review]
blob_nested.patch

And ESR 60.2.

Comment 14

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/cf53f302800b (FIREFOX_62b_RELBRANCH)
https://hg.mozilla.org/releases/mozilla-release/rev/b9e8f688c3d4

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr60/rev/8b34737e4fdf

Comment 16

[Catalin Sasca, Desktop QA [:csasca]]

I tried reproducing the following issue with no success on a affected Nightly build (2018-07-04) under Windows 10 (x64). Christian , could you please see if the issue is reproducing on the affected build and provide some detailed steps if it does?

Comment 17

[Christian]

2018-07-04 is version 61.0.1, isn't it? I checked it in three versions again:

61.0.1: Could reproduce the issue:
  - open the PoC attached in the original post
  - click the link
  - choose "Save File"
  => "Download" never finishes, web content freezes.
  => After I clicked "cancel" the download could be cancelled correctly, but the web content stayed frozen.

61.0.2: Could reproduce with the same steps

63.0a1 (current nightly): Could *not* reproduce, issue is fixed there :-)

Comment 18

[Catalin Sasca, Desktop QA [:csasca]]

I successfully reproduced the issue on Firefox 61.0.1 under Windows 10 (x64) using the STR from Comment 17.
The issue is verified fixed on Latest Nightly 63.0a1, Firefox 62.0 and ESR 60.2.0 (65bfaed52818, build from threeherder) under Windows 10 (x64), macOS 10.12 and Ubuntu 16.04 (x64). Thanks for the reply Christian. I took a Nightly build from that date and that's why it wasn't reproducing for me.