Closed Bug 1499166 Opened 5 years ago Closed 5 years ago

Uncaught crash in IndexedDB

Categories

(Core :: Storage: IndexedDB, defect)

Product:
Core
Component:
Storage: IndexedDB
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox64 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [fuzzblocker])

Attachments

(2 files)

testcase.html
431 bytes, text/html
Details
fuzzer.js
390.49 KB, application/x-javascript
Details
Attached file testcase.html 
The attached testcase appears to crash the tab under m-c rev 4a230b07f0cb however, no crash information is generated.  I've tested this with both asan and debug builds and nothing is returned.

Please note that the testcase must be served via a local webserver in order to reproduce.
Attached file fuzzer.js 

    
  
Whiteboard: [fuzzblocker]

    
    

    
  
Looks like it's oom-killer:

Oct 15 15:59:29 glenda kernel: JS Helper invoked oom-killer: gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), nodemask=(null), order=0, oom_score_adj=0
Oct 15 15:59:29 glenda kernel: JS Helper cpuset=/ mems_allowed=0
...
Oct 15 15:59:29 glenda kernel: Out of memory: Kill process 28580 (file:// Content) score 466 or sacrifice child
Oct 15 15:59:29 glenda kernel: Killed process 28580 (file:// Content) total-vm:21710904208kB, anon-rss:8490628kB, file-rss:0kB, shmem-rss:260kB
Oct 15 15:59:29 glenda kernel: oom_reaper: reaped process 28580 (file:// Content), now anon-rss:0kB, file-rss:0kB, shmem-rss:4kB
Group: core-security → dom-core-security

    
    

    
  
(In reply to Jesse Schwartzentruber (:truber) from comment #2)
> Looks like it's oom-killer:
> 
> Oct 15 15:59:29 glenda kernel: JS Helper invoked oom-killer:
> gfp_mask=0x6280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), nodemask=(null),
> order=0, oom_score_adj=0
> Oct 15 15:59:29 glenda kernel: JS Helper cpuset=/ mems_allowed=0
> ...
> Oct 15 15:59:29 glenda kernel: Out of memory: Kill process 28580 (file://
> Content) score 466 or sacrifice child
> Oct 15 15:59:29 glenda kernel: Killed process 28580 (file:// Content)
> total-vm:21710904208kB, anon-rss:8490628kB, file-rss:0kB, shmem-rss:260kB
> Oct 15 15:59:29 glenda kernel: oom_reaper: reaped process 28580 (file://
> Content), now anon-rss:0kB, file-rss:0kB, shmem-rss:4kB

Good catch.  Appears to be due to the massive images created via ImageData constructor.  I'll have to tune these down.  Closing.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Group: dom-core-security

          You need to log in
          before you can comment on or make changes to this bug.