Open Bug 1832911 Opened 1 year ago Updated 1 year ago

unconstrained memory and cpu usage when scaling and animating

Categories

(Core :: CSS Transitions and Animations, defect)

defect

Tracking

Tracking Status
firefox115 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230312-a8939ff5236d (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

NOTE: Set a reasonable memory limit via ASAN_OPTIONS=hard_rss_limit_mb=# to avoid system OOMs.

The DOM fuzzers are hitting this issue multiple times a day. Issues such as this can destabilize fuzzing infrastructure. If this is not a bug, providing the ability for fuzzers to work around this would be ideal (see bug 1815272). Chrome is not affected.

HEAP PROFILE at RSS 6132Mb
Live Heap Allocations: 6875527 bytes in 31813 chunks; quarantined: 16179200 bytes in 48933 chunks; 28148 other chunks; total chunks: 108894; showing top 90% (at most 20 unique contexts)
238316 byte(s) (3%) in 77 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7eae018868 in ft_mem_qalloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:75:15
    #2 0x7f7eae018868 in ft_mem_alloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:54:25

196608 byte(s) (2%) in 1 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7e9d6ee99c in mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::createTable(js::SystemAllocPolicy&, unsigned int, mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::FailureBehavior) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h
    #2 0x7f7e9d6fb716 in changeTableSize /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1862:22
    #3 0x7f7e9d6fb716 in rehashIfOverloaded /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1909:12
    #4 0x7f7e9d6fb716 in bool mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::add<JSAtom*&>(mozilla::detail::HashTable<js::WeakHeapPtr<JSAtom*> const, mozilla::HashSet<js::WeakHeapPtr<JSAtom*>, js::AtomHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::AddPtr&, JSAtom*&) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:2163:30
    #5 0x7f7e9d6a4e61 in add<JSAtom *&> /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:623:18
    #6 0x7f7e9d6a4e61 in atomizeAndCopyCharsNonStaticValidLength<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:547:7
    #7 0x7f7e9d6a4e61 in AtomizeAndCopyCharsNonStaticValidLengthFromLookup<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:480:30
    #8 0x7f7e9d6a4e61 in AtomizeAndCopyChars<unsigned char> /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:575:10
    #9 0x7f7e9d6a4e61 in JSAtom* js::AtomizeChars<unsigned char>(JSContext*, unsigned char const*, unsigned long) /builds/worker/checkouts/gecko/js/src/vm/JSAtom.cpp:832:10
    #10 0x7f7e9f3a0397 in js::StringBuffer::finishAtom() /builds/worker/checkouts/gecko/js/src/util/StringBuffer.cpp:150:20
    #11 0x7f7e9d6d7dba in NameToFunctionName(JSContext*, JS::Handle<JS::Value>, js::FunctionPrefixKind) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1819:13
    #12 0x7f7e9d6d74cf in js::IdToFunctionName(JSContext*, JS::Handle<JS::PropertyKey>, js::FunctionPrefixKind) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1851:10
    #13 0x7f7e9d805b59 in DefineAccessorPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:115:30
    #14 0x7f7e9d812ca2 in JS_DefineProperties(JSContext*, JS::Handle<JSObject*>, JSPropertySpec const*) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:866:14
    #15 0x7f7e926d76ee in Define /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:722:10
    #16 0x7f7e926d76ee in DefinePrefable<const JSPropertySpec> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:737:12
    #17 0x7f7e926d76ee in mozilla::dom::DefineProperties(JSContext*, JS::Handle<JSObject*>, mozilla::dom::NativePropertiesN<7> const*, mozilla::dom::NativePropertiesN<7> const*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:1018:10
    #18 0x7f7e926d8336 in CreateInterfacePrototypeObject /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:974:9
    #19 0x7f7e926d8336 in mozilla::dom::CreateInterfaceObjects(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JSClass const*, JS::Heap<JSObject*>*, JS::Handle<JSObject*>, JSClass const*, unsigned int, bool, mozilla::dom::LegacyFactoryFunction const*, JS::Heap<JSObject*>*, mozilla::dom::NativePropertiesN<7> const*, mozilla::dom::NativePropertiesN<7> const*, char const*, bool, char const* const*, bool, char const* const*, bool) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:1093:13
    #20 0x7f7e900e8ddc in mozilla::dom::CSS2Properties_Binding::CreateInterfaceObjects(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ProtoAndIfaceCache&, bool) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:59657:3
    #21 0x7f7e926ef9e6 in mozilla::dom::GetPerInterfaceObjectHandle(JSContext*, unsigned long, void (*)(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ProtoAndIfaceCache&, bool), bool) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:4301:5
    #22 0x7f7e900e8196 in GetProtoObjectHandle /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSS2PropertiesBinding.h:47:12
    #23 0x7f7e900e8196 in mozilla::dom::CSS2Properties_Binding::Wrap(JSContext*, nsDOMCSSDeclaration*, nsWrapperCache*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) /builds/worker/workspace/obj-build/dom/bindings/CSS2PropertiesBinding.cpp:59597:42
    #24 0x7f7e97863714 in Wrap<nsDOMCSSDeclaration> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CSS2PropertiesBinding.h:37:12
    #25 0x7f7e97863714 in WrapObject /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp:31:10
    #26 0x7f7e97863714 in non-virtual thunk to nsDOMCSSDeclaration::WrapObject(JSContext*, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/layout/style/nsDOMCSSDeclaration.cpp
    #27 0x7f7e92461cdf in DoGetOrCreateDOMReflector<nsICSSDeclaration, (mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior)0> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1094:18
    #28 0x7f7e92461cdf in GetOrCreateDOMReflector<nsICSSDeclaration> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1163:10
    #29 0x7f7e92461cdf in mozilla::dom::HTMLElement_Binding::get_style(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLElementBinding.cpp:1983:8
    #30 0x7f7e926c3a61 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3217:13
    #31 0x7f7e9d3f3503 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
    #32 0x7f7e9d3f3503 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
    #33 0x7f7e9d3f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #34 0x7f7e9d3f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #35 0x7f7e9d3f7486 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:801:10
    #36 0x7f7e9d7d11a7 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2070:12
    #37 0x7f7e9d7d11a7 in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2098:12
    #38 0x7f7e9d7d11a7 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2246:14
    #39 0x7f7e9d7d11a7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2277:10
    #40 0x7f7e9d439768 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #41 0x7f7e9d439768 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #42 0x7f7e9d439768 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4787:10
    #43 0x7f7e9d40cef0 in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:245:10
    #44 0x7f7e9d40cef0 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3050:12
    #45 0x7f7e9d3f22a8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
    #46 0x7f7e9d3f22a8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
    #47 0x7f7e9d3f36bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #48 0x7f7e9d3f5636 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #49 0x7f7e9d3f5636 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #50 0x7f7e9d561f5b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #51 0x7f7e9206b4c0 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
    #52 0x7f7e9352a576 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #53 0x7f7e93528469 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:199:12
Flags: in-testsuite?
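An added triage helper for the ASan HEAP PROFILE format quoted above (this is example code, not part of the bug or of Mozilla's fuzzing tooling): it parses the RSS and live/quarantined heap totals, records for each allocation context the first frame that is not a bare allocator, and reports how much of the RSS the tracked heap actually explains. The sample is the header and the first two contexts from the report, with the long HashTable frame abbreviated by hand.

```python
import re

# Constructed sample: header and first two contexts of the report's heap profile, HashTable frame shortened.
SAMPLE = """HEAP PROFILE at RSS 6132Mb
Live Heap Allocations: 6875527 bytes in 31813 chunks; quarantined: 16179200 bytes in 48933 chunks; 28148 other chunks; total chunks: 108894; showing top 90% (at most 20 unique contexts)
238316 byte(s) (3%) in 77 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7eae018868 in ft_mem_qalloc /build/freetype-sW3nZt/freetype-2.11.1+dfsg/./src/base/ftutil.c:75:15

196608 byte(s) (2%) in 1 allocation(s)
    #0 0x55f7ac9d46ae in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f7e9d6ee99c in mozilla::detail::HashTable<...>::createTable(...) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h
"""

RSS_RE = re.compile(r"HEAP PROFILE at RSS (\d+)Mb")
LIVE_RE = re.compile(r"Live Heap Allocations: (\d+) bytes in \d+ chunks; quarantined: (\d+) bytes")
ENTRY_RE = re.compile(r"^(\d+) byte\(s\) \((\d+)%\) in (\d+) allocation\(s\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+)$")
ALLOCATORS = {"malloc", "calloc", "realloc", "moz_xmalloc", "operator new"}  # never say *why* memory was requested


def parse_heap_profile(text):
    """Parse an ASan HEAP PROFILE dump into a dict with the RSS/heap totals and
    one entry per allocation context; 'culprit' is the first non-allocator frame."""
    profile = {"rss_mb": 0, "live_bytes": 0, "quarantined_bytes": 0, "entries": []}
    current = None
    for line in text.splitlines():
        if m := RSS_RE.search(line):
            profile["rss_mb"] = int(m.group(1))
        elif m := LIVE_RE.search(line):
            profile["live_bytes"] = int(m.group(1))
            profile["quarantined_bytes"] = int(m.group(2))
        elif m := ENTRY_RE.match(line):
            current = {"bytes": int(m.group(1)), "pct": int(m.group(2)),
                       "count": int(m.group(3)), "frames": [], "culprit": None}
            profile["entries"].append(current)
        elif current is not None and (m := FRAME_RE.match(line)):
            func, _, loc = m.group(1).rpartition(" ")  # the source path carries no spaces
            current["frames"].append((func, loc))
            if current["culprit"] is None and func not in ALLOCATORS:
                current["culprit"] = func
    return profile


def heap_share_of_rss(profile):
    """Heuristic: fraction of RSS that ASan's tracked heap (live + quarantine) covers;
    a value near zero means the growth is not in live malloc'd objects at all."""
    tracked = profile["live_bytes"] + profile["quarantined_bytes"]
    return tracked / (profile["rss_mb"] * 1024 * 1024)
```

On the report's own numbers the tracked heap covers well under 1% of the 6 GB RSS, which is the first thing to check before hunting for a leaking allocation site.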

Unable to reproduce bug 1832911 using build mozilla-central 20230312211644-a8939ff5236d. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I see bugmon failed to reproduce. I'd be happy to get a Pernosco session if needed; just ni? me.

Can you get it? It'd be great. Is this somehow specific to <select>?

Flags: needinfo?(twsmith)
Component: CSS Parsing and Computation → CSS Transitions and Animations

I tried <select> -> <div> and I saw high cpu activity but not the memory usage.

A Pernosco session is available here: https://pernos.co/debug/gs5gOww9HbNyCz36Fx9hLg/index.html (original test case)

Flags: needinfo?(twsmith)

Boris, can you take a quick look to determine severity? Thanks

Flags: needinfo?(boris.chiou)

The memory usage looks normal on my local machine, but CPU usage (about 60% on the Mac) is a little bit high.
Once I update <select> to <div>, the CPU usage becomes 30-40%. So this may be an issue which is specific to <select>. (Or is it just because the <div> is an empty block?)

We run infinite animations that update the border color (note: they are main-thread animations) on all elements. This may not be a common case, so mark this as S3 for now.

Severity: -- → S3
Flags: needinfo?(boris.chiou)

So does this still block the fuzzing work? I may not have an idea of how to fix this quickly, so do we have any way to prevent this from blocking the fuzzing infrastructure?

Flags: needinfo?(twsmith)

(In reply to Boris Chiou [:boris] from comment #7)

So does this still block the fuzzing work?

Yes, this is still being triggered by the fuzzers and has been since mid-March (20230312-a8939ff5236d).

I may not have an idea of how to fix this quickly, so do we have any way to prevent this from blocking the fuzzing infrastructure?

The reason this is an issue is that it impacts the stability of the machines running the fuzzers. Ideally this would be mitigated by addressing the root cause. If that is not possible: in other scenarios, workarounds have been added by developers to allow fuzzers to run the code while minimizing the impact of the issue (see bug 1815272 for an example).

Flags: needinfo?(twsmith)

(In reply to Boris Chiou [:boris] from comment #6)

The memory usage looks normal on my local machine, but CPU usage (about 60% on the mac) is a little bit high.

FYI: I was seeing the issues with ASan builds (which are the primary builds used by the fuzzers).

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:boris, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(boris.chiou)