Lots of string concatenation in JavaScript leads to full system freeze / FF 66.0.3, Ubuntu 19.04 fresh install
Categories: Core :: JavaScript Engine, defect, P3
People: Reporter: danielsedoff, Unassigned
References: Blocks 1 open bug
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce:
I wrote some pure JavaScript code (no libraries attached) inside <script> tags in an HTML file. It contained some errors which eventually led to an infinite loop with concatenation, i.e. var s = ""; for(;;) s += "a"; Later I did the same in the FF console, with the same results.
I thought there was something wrong installed on my PC. Anyway, I had to wait a minute for a full reboot when I had this issue, to log in again, and so on. So I made a fresh Ubuntu install with a Firefox without any plugins, etc. Same results.
Actual results:
A full system freeze with no way of recovery. The only thing that works is Alt+SysRq+R+E+I+S+U+B. It happens either way, both when loading the buggy JS/HTML file and when using the console.
Expected results:
I expected an 'Error: out of memory' message in the console or 'This page has crashed' instead of an unrecoverable full system freeze. I actually get this error message in FF 66.0.5 (Windows 7 x64).
Additionally:
I asked a question about this on SO, and got an answer that, well, Linux is not very good at handling OOM issues. However, I don't think we can be satisfied with that. To me, this looks like a FF vulnerability, not just the fault of the Linux kernel. I checked it on two Linux machines of my own, and everything was neatly reproduced. These PCs differ in CPUs, motherboards, and manufacturers.
Comment 1 • 6 years ago
Could you please share the JavaScript code and the exactly steps you followed to reproduce the issue?
Thanks.
Comment 2 (Reporter) • 6 years ago
Yes. I open Firefox, press F12 to launch the console. Then I type this primitive code:
var s = ""; for(;;) s += "a";
and press Enter. Which causes a freeze. I have no plugins on Firefox.
$ uname -srvpo
Linux 5.0.0-13-generic #14-Ubuntu SMP Mon Apr 15 14:59:14 UTC 2019 x86_64 GNU/Linux
$ cat /proc/meminfo
MemTotal: 3944808 kB
MemFree: 850640 kB
MemAvailable: 2039768 kB
Buffers: 90660 kB
Cached: 1442800 kB
SwapCached: 0 kB
Active: 1763668 kB
Inactive: 897912 kB
Active(anon): 1249656 kB
Inactive(anon): 74416 kB
Active(file): 514012 kB
Inactive(file): 823496 kB
Unevictable: 120332 kB
Mlocked: 16 kB
SwapTotal: 2097148 kB
SwapFree: 2097148 kB
Dirty: 11524 kB
Writeback: 0 kB
AnonPages: 1248460 kB
Mapped: 375276 kB
Shmem: 195956 kB
KReclaimable: 108384 kB
Slab: 212824 kB
SReclaimable: 108384 kB
SUnreclaim: 104440 kB
KernelStack: 12032 kB
PageTables: 19004 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 4069552 kB
Committed_AS: 4826288 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 0 kB
VmallocChunk: 0 kB
Percpu: 9856 kB
HardwareCorrupted: 0 kB
AnonHugePages: 0 kB
ShmemHugePages: 0 kB
ShmemPmdMapped: 0 kB
CmaTotal: 0 kB
CmaFree: 0 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
Hugetlb: 0 kB
DirectMap4k: 197392 kB
DirectMap2M: 3907584 kB
Comment 3 (Reporter) • 6 years ago
Thank you. And sorry for messing up the end of the listing.
Comment 4 • 6 years ago
I managed to reproduce it on Firefox Nightly 69.0a1, Firefox 68.0b13 and on Firefox 67.0.4 on Windows 10 x64, Mac OS X 10.14 and on Ubuntu 18.04 x64.
Comment 5 (Reporter) • 6 years ago
Thank you for confirming this bug. I didn't find it because I was having fun with the console; rather, I was debugging some 100 lines of JavaScript code with an error which caused endless concatenation, which in turn made me almost hard-reset the PC. Now I have an alias for kill -9 $(pgrep firefox) in case something goes wrong. This helps if you are quick enough.
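The kill alias in the comment above only helps if the shell still gets scheduled, which is exactly what stops happening once the machine is thrashing. A limit set before the process starts avoids that race: the allocation fails inside the runaway process and the rest of the system is untouched. The wrapper below is an added example written for this page, not code from the bug report or from Mozilla; the function names (run_with_mem_cap, effective_cap, contained_oom_demo) and the 200 MiB / 300 MiB figures are this example's own choices. It caps the virtual address space of a single command with ulimit -v (RLIMIT_AS) and shows a large allocation being refused under that cap.

```sh
#!/bin/sh
# Added example, not code from the bug report: a small wrapper that runs a
# command under a per-process address-space cap (RLIMIT_AS, via ulimit -v) so
# that a runaway allocation fails inside that process instead of driving the
# whole machine into swap. The function names are this example's own.

# run_with_mem_cap <limit-in-KiB> <command> [args...]
# Runs the command in a subshell that has lowered its own RLIMIT_AS first, so
# the caller's shell keeps its limits. Returns the command's exit status,
# or 2 if the limit argument is not a whole number.
run_with_mem_cap() {
    cap_kb=$1
    shift
    case $cap_kb in
        ''|*[!0-9]*)
            echo "run_with_mem_cap: limit must be an integer number of KiB" >&2
            return 2 ;;
    esac
    (
        ulimit -v "$cap_kb" || exit 2
        exec "$@"
    )
}

# effective_cap <limit-in-KiB>: prints the soft RLIMIT_AS a child actually
# sees under the wrapper, for checking that the cap took effect.
effective_cap() {
    run_with_mem_cap "$1" sh -c 'ulimit -v'
}

# contained_oom_demo: asks dd for a single 300 MiB read buffer under a
# 200 MiB cap (constructed sizes). The allocation is refused, dd reports
# "memory exhausted" and exits non-zero, and nothing outside that one
# process is affected.
contained_oom_demo() {
    run_with_mem_cap 204800 dd if=/dev/zero of=/dev/null bs=300M count=1
}

# Usage: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    echo "cap seen by child: $(effective_cap 204800) KiB"
    contained_oom_demo || echo "allocation refused inside the capped process (exit $?)"
fi
```

Two caveats on applying this to Firefox itself. RLIMIT_AS counts reserved address space, not resident memory, and a browser reserves large virtual ranges for its JIT and sandboxing, so a cap tight enough to stop the loop above can also stop the browser from starting. On a systemd-based desktop a cgroup limit caps actual memory use instead, for example systemd-run --user --scope -p MemoryMax=2G firefox, and the kernel's OOM killer then acts on that scope before the whole system starts swapping.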