Open Bug 1797412 Opened 1 year ago Updated 1 year ago

OOM due to unconstrained memory usage

Categories: Core :: Graphics: CanvasWebGL, defect, P2
Tracking Status: firefox108 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 2 open bugs
Details: Keywords: csectype-oom, testcase
Attachments: 1 file

Attached file testcase.html

Found while fuzzing m-c 20221020-ca2873779214 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ ASAN_OPTIONS=hard_rss_limit_mb=6144 python -m grizzly.replay ./firefox/firefox testcase.html

NOTE: Set a reasonable memory limit via ASAN_OPTIONS=hard_rss_limit_mb=# to avoid system OOMs.

This might not necessarily be a bug, instead it may highlight an area that could benefit from optimization. The test case may be magnifying an issue that would otherwise go unnoticed. Addressing this would help make the browser more fuzzing friendly.

This test case does not trigger an OOM on Chrome.

The heap profile was collected when the memory limit was reached.

HEAP PROFILE at RSS 6268Mb
Live Heap Allocations: 46496512 bytes in 29433 chunks; quarantined: 15095753 bytes in 39730 chunks; 24202 other chunks; total chunks: 93365; showing top 90% (at most 20 unique contexts)
39866596 byte(s) (85%) in 1 allocation(s)
    #0 0x556dbbdb2078 in __interceptor_calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x7f8597edeb5e in AllocateArrayBufferContents(JSContext*, unsigned long) /builds/worker/checkouts/gecko/js/src/vm/ArrayBufferObject.cpp:447:11
    #2 0x7f8597ea5ccd in std::tuple<js::ArrayBufferObject*, unsigned char*> js::ArrayBufferObject::createBufferAndData<(js::ArrayBufferObject::FillContents)0>(JSContext*, unsigned long, js::AutoSetNewObjectMetadata&, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/vm/ArrayBufferObject.cpp:1343:18
    #3 0x7f8597e9d662 in js::ArrayBufferObject::createZeroed(JSContext*, unsigned long, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/vm/ArrayBufferObject.cpp:1406:7
    #4 0x7f859830c9d9 in maybeCreateArrayBuffer /builds/worker/checkouts/gecko/js/src/vm/TypedArrayObject.cpp:886:30
    #5 0x7f859830c9d9 in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::fromLength(JSContext*, unsigned long, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/vm/TypedArrayObject.cpp:901:10
    #6 0x7f858f2f6878 in create /builds/worker/workspace/obj-build/dist/include/js/experimental/TypedData.h:635:1
    #7 0x7f858f2f6878 in CreateCommon /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:206:18
    #8 0x7f858f2f6878 in Create /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:181:12
    #9 0x7f858f2f6878 in mozilla::dom::ImageData::Constructor(mozilla::dom::GlobalObject const&, unsigned int, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/ImageData.cpp:62:20
    #10 0x7f858d854a01 in mozilla::dom::ImageData_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/ImageDataBinding.cpp:367:59
    #11 0x7f85998fd8f7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #12 0x7f85998fd8f7 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8
    #13 0x7f85998fd8f7 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10
    #14 0x7f85998e992e in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16
    #15 0x7f85998cef8e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #16 0x7f85998fb125 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #17 0x7f85998fcbce in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #18 0x7f85998fcbce in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #19 0x7f8597eebb05 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #20 0x7f858ec535b9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #21 0x7f858fae60f4 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #22 0x7f858fae5bb0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1310:43
    #23 0x7f858fae716b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
    #24 0x7f858fad52ee in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
    #25 0x7f858fad3b51 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
    #26 0x7f858fad7d35 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
    #27 0x7f858fadd6b1 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #28 0x7f858d386604 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1373:17
    #29 0x7f858cc7aa9f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4499:28
    #30 0x7f858cc7a766 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4469:10
    #31 0x7f858cfd1293 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7843:3
    #32 0x7f858d0cc79d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #33 0x7f858d0cc79d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #34 0x7f858d0cc79d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #35 0x7f8589cf09af in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #36 0x7f8589d045b2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
    #37 0x7f8589cfb517 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
    #38 0x7f8589cf87a8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jgilbert)

We're not throttling when sending e.g. GB of data across IPC. We should add some form of max in-flight data size.

Severity: -- → S3
Flags: needinfo?(jgilbert)
Priority: -- → P2
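As an added illustration of the "max in-flight data size" throttle proposed in the comment above (example code, not Gecko's; the budget type, the message sizes and the one-acknowledgement-per-tick receiver are constructed assumptions), a bounded in-flight byte budget on the sender keeps the peak resident payload at or below the cap however much the page pushes, while an unthrottled channel grows with the total sent:

```cpp
// Added example (not Gecko code): model of a sender-side in-flight byte budget.
// The sender may only have kMaxInFlight bytes of unacknowledged IPC payload
// queued; further sends wait until the receiver acknowledges earlier ones.
#include <algorithm>
#include <cstddef>
#include <deque>

struct InFlightBudget {
  size_t cap;            // maximum bytes allowed in flight at once
  size_t inFlight = 0;   // bytes queued but not yet acknowledged

  // Reserve `bytes` for a send; refuse (backpressure) if it would exceed cap.
  // A payload larger than the whole budget is refused outright rather than
  // being allowed to bypass the limit.
  bool TryReserve(size_t bytes) {
    if (bytes > cap || inFlight + bytes > cap) return false;
    inFlight += bytes;
    return true;
  }
  // Called when the receiver acknowledges a message of `bytes` bytes.
  void Release(size_t bytes) { inFlight -= std::min(bytes, inFlight); }
};

// Simulate sending `count` messages of `msgBytes` each through a channel whose
// receiver acknowledges one message per tick. Returns the peak number of bytes
// resident in the channel; with `throttle` set the peak never exceeds `cap`.
size_t SimulatePeakBytes(size_t count, size_t msgBytes, size_t cap, bool throttle) {
  InFlightBudget budget{cap};
  std::deque<size_t> channel;   // queued, not yet acknowledged payloads
  size_t peak = 0, sent = 0;
  while (sent < count || !channel.empty()) {
    // Producer: queue as many messages as the budget admits this tick
    // (without throttling, everything is queued at once).
    while (sent < count && (!throttle || budget.TryReserve(msgBytes))) {
      channel.push_back(msgBytes);
      ++sent;
    }
    size_t resident = 0;
    for (size_t b : channel) resident += b;
    peak = std::max(peak, resident);
    // Nothing queued means the payload is oversized and can never be
    // admitted: stop instead of spinning forever.
    if (channel.empty()) break;
    // Consumer: acknowledge the oldest message, freeing its budget.
    budget.Release(channel.front());
    channel.pop_front();
  }
  return peak;
}
```

With the 39866596-byte allocation from the heap profile as the message size, 50 unthrottled sends keep roughly 2 GB resident, whereas a 256 MiB budget caps the peak at six messages in flight.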