Closed Bug 1531333 Opened 6 years ago Closed 6 years ago

Rapid OOM on inclusive.tki.org.nz

Categories

(Core :: SVG, defect, P2)

Product:
Core
Component:
SVG
Version:
66 Branch
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- wontfix
firefox67 --- verified
firefox68 + verified

People

(Reporter: blackwhitekez, Assigned: emilio)

References

(Regression)

Details

(Keywords: memory-leak, regression, Whiteboard: [MemShrink])

Attachments

(2 files)

crashes.tar.gz
1.45 MB, application/gzip
Details
Bug 1531333 - Fix <svg:use> cycle detection. r=heycam,longsonr,smaug
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Happens randomly with random websites, has never happened up until two weeks ago and occurred three times since then. After the first time the system was reinstalled from scratch, with /tmp moved to its own partition after the first crash exhausted all free tmp space causing other apps to crash as well. Occurred twice since reinstalling but able to recover with /tmp unaffected.

Actual results:

You'll try to open some web site (not the same one each time). The web site will fail to load and the system will max out on memory use and start swapping to disk (swap partition). A process called Web Content will be visible in the process monitor and will be clearly rapidly increasing in resource usage and continue to do so until all system resources are exhausted at which point Firefox crashes. In this case it consumed up to 100 GB of virtual memory (system has 32 GB physical and 100 GB swap). After crashing the system went down to 3 GB of physical memory and 24 GB of swap in use for the other apps. The 3rd time it happened, FF was killed by the user before crashing. The first step to close the tab that was trying to load the website supposedly causing the problem has no impact as Web Content continues to gobble more resources. Only possiible to stop this runaway by closing the Firefox window. Then the Web Content process disappears and the system goes back to normal.

Expected results:

When Firefox is restarted after crashing and attempting to access the same web sites as were running before crash there is only a small resource usage overall and no runaway occurring. Since the web site that caused the crash now loads normally it is not possible to prove there is an issue with that particular website or trace what is going on in the system.

Summary: Firefox Develop runs away and crashes after exhausting system resources → Firefox Developer runs away and crashes after exhausting system resources

OK
I have pinned down a website that consistently crashes Firefox Developer Edition.

Address: http://www.inclusive.tki.org.nz which is a website published by the Government of New Zealand.

This website can be guaranteed in testing so far to cause Firefox Developer's Web Content process to run away and crash after exhausting all the system's virtual memory every single time.

Does not crash Firefox ESR, only Developer.

Tested over multiple different computers and configurations with same results every time.

Sorry I have to rush this before my browser crashes again.

BWK: Do you get a crash report in about:crashes? If so, can you please paste it here? Thanks.

Flags: needinfo?(blackwhitekez)

Crash report 1472b011-c379-150a-2c62-8a0c12d2e110 was submitted.

Sometimes the browser will crash, sometimes it won't. In this instance, the Web Content process crashed at virtual memory usage of 100 GiB, but the browser stayed open, so possibly it only crashed the tab.

Flags: needinfo?(blackwhitekez)

(In reply to BWK from comment #3)

Crash report 1472b011-c379-150a-2c62-8a0c12d2e110 was submitted.

Sometimes the browser will crash, sometimes it won't. In this instance, the Web Content process crashed at virtual memory usage of 100 GiB, but the browser stayed open, so possibly it only crashed the tab.

I cannot find that report (bp-1472b011-c379-150a-2c62-8a0c12d2e110) - can you paste the entire sequence with the first two characters? Thanks.

Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Stack trace in crash report shows recursive calls to nsNodeUtils::CloneAndAdopt, therefore moving to DOM: Core.

Component: JavaScript Engine → DOM: Core & HTML

That sounds like bug in the web page, but I can't now reproduce.

If anyone can reproduce, regression range would be really good.

Keywords: regression, regressionwindow-wanted
Priority: -- → P3

(In reply to André Bargull [:anba] from comment #6)

Stack trace in crash report shows recursive calls to nsNodeUtils::CloneAndAdopt, therefore moving to DOM: Core.

This is an OOM crash on an allocation of 250 bytes, so the stack is not relevant.

What we really need here is a memory report. There might also be one to dig out of the crash report.

Keywords: memory-leak
Whiteboard: [MemShrink]

Thanks for the regression window!

Emilio, can you take a look?

Status: UNCONFIRMED → NEW
Component: DOM: Core & HTML → SVG
Ever confirmed: true
Flags: needinfo?(emilio)
Summary: Firefox Developer runs away and crashes after exhausting system resources → Rapid OOM on inclusive.tki.org.nz
Priority: P3 → --
Assignee: nobody → emilio
Keywords: regressionwindow-wanted

[Tracking Requested - why for this release]: This is a really bad OOM. The regression window points to a bug that landed in 63, so maybe this website changed recently. It isn't clear how widespread this is, given that this is apparently the first report we've gotten, but it still seems like we should fix it if we can given how bad it is.

tracking-firefox68: --- → ?
Keywords: regression
Attached file crashes.tar.gz

In the tarball (since bugzilla insists in auto-previewing the attachment while I'm attaching it), there are two svgs.

The problematic one from the URL Alice has mentioned (thanks Alice!), and one with three more lines of code which also crashes Firefox 63 and before:

<style>
  symbol { display: block }
</style>

This is a bug in our cycle detection for SVG which causes it to blow up quite a bit. It just wasn't doing it before because it was using NAC, and NAC doesn't get generated for undisplayed elements like the <use> inside the <symbols> elements.

This is a bogus svg fwiw, it looks like some tool has generated it quite poorly. Still we should fix this.

With the current code we'll eventually detect the cycle, but will take much
more, creating many shadow trees unnecessarily. Take for example the following:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="133" height="232774">
<style>
symbol { display: block }
</style>
<symbol id="svg-sprite" viewBox="0 0 133 230866">
<title>svg-sprite</title>
<symbol id="svg-sprite" viewBox="0 0 133 230866">
<title>svg-sprite</title>
<use xlink:href="#svg-sprite" width="500" height="500" />
</symbol>
<use xlink:href="#svg-sprite" y="1601" width="133" height="228958" />
</symbol>
<use xlink:href="#svg-sprite" y="1601" width="133" height="230866" />
</svg>

Before this patch, we'd create an svg use element subtree for #svg-sprite. That
subtree will contain two other <use> elements, one under the <symbol>, one not
under it.

Both point to #svg-sprite, but we fail to detect we're an ancestor since the
element #svg-sprite we're looking at is the clone of the #svg-sprite element.

Thus we need to take a look at mOriginal instead (which is the <use> element
under #svg-sprite) rather than at the clone.

Yeah, I had to draw the trees, it's messy :)

Blink and WebKit do something slightly different (they check the element id
directly1). That's not 100% correct, since you can have multiple elements with
the same ID.

Flags: needinfo?(emilio)
Priority: -- → P2
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/88b6e96d8215 Fix <svg:use> cycle detection. r=longsonr

So far as I know this is a relatively new website.

I can't crash regular firefox when loading this site. Only happens with Developer.

https://hg.mozilla.org/mozilla-central/rev/88b6e96d8215

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9052983 [details]
Bug 1531333 - Fix <svg:use> cycle detection. r=heycam,longsonr,smaug

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: 1450250 for this specific test-case, but it was a pre-existing issue, see bug 743636
  • User impact if declined: OOM
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: visit one of the pages listed in the bug and see them load to completion :)
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low-risk fix to our cyclic <svg:use> detection.
  • String changes made/needed: none
Attachment #9052983 - Flags: approval-mozilla-beta?
Flags: qe-verify?
Has Regression Range: --- → yes
Has STR: --- → yes
Flags: qe-verify? → qe-verify+
Keywords: regression

Comment on attachment 9052983 [details]
Bug 1531333 - Fix <svg:use> cycle detection. r=heycam,longsonr,smaug

Fix for a bad memory leak in our SVG support causing an OOM crash. Small patch with tests already on Nightly. Uplift approved for 67 beta 5, thanks.

Attachment #9052983 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Hi, I have retested this issue in Firefox Beta 67.0b5 as well as the latest nightly 68.0a1 (2019-03-26) using Windows 10 as well as Ubuntu 18.04 and the issue no longer occurs. I will mark this issue accordingly

QA Whiteboard: [qa-triaged]
status-firefox67: fixedverified
status-firefox68: fixedverified
Flags: qe-verify+
Status: RESOLVED → VERIFIED
status-firefox66: --- → wontfix
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+
Regressed by: 1450250
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: