Open Bug 1922850 Opened 1 year ago Updated 1 year ago

Memory used by object URLs is not limited

Categories: Core :: DOM: File, defect
Version: Firefox 131
Status: UNCONFIRMED
People: Reporter: mattis.bergmann, Unassigned
Attachments: 1 file (577.87 KB, application/octet-stream)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0

Steps to reproduce:

I opened an HTML file via a file:// URI as well as from a local HTTP server.
The script allocates a lot of object URLs constantly (10ms interval).
Here is the HTML file:
You may have to modify buffer size, allocation count and interval based on system performance. In some configurations Firefox killed the tab before it could crash the browser.

<!DOCTYPE html>
<html>
<head>
    <title>FF Object URLs</title>
    <script>
        // One 4 MiB buffer wrapped in a single Blob; every object URL below refers to it.
        let buf = new ArrayBuffer(4096 * 1024);
        let b = new Blob([buf]);
        window.onload = function () {
            // Every 10 ms, mint another batch of object URLs.
            window.setInterval(updateTab, 10);
        };
        function updateTab() {
            if (b !== undefined) {
                // The URLs are deliberately never revoked with URL.revokeObjectURL,
                // so each one stays registered (and keeps the blob alive) until the
                // document is unloaded.
                for (let i = 0; i < 32; i++)
                    URL.createObjectURL(b);
            }
        }
    </script>
</head>
<body>
    <h1>Memory leak test</h1>
</body>
</html>

Actual results:

Memory usage went up constantly until Firefox froze due to running out of memory.
Looking at about:memory, the majority of RAM usage in fact stems from allocated object URLs.
I tested the script on a Windows machine a couple of weeks ago (I don't have a working Windows machine currently) which completely locked up and required a restart.
Closing the tab stops the growing memory usage and after a couple of seconds allocated memory gets freed.

Expected results:

Allocations should have been stopped when some reasonable limit of memory usage is reached. From my understanding JavaScript should not be able to crash the browser.

The bug is reproducible in nightly build 20241004095321.
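The report above shows what happens when object URLs are created and never revoked: each URL keeps its blob registered until the document goes away. For a page author the mitigation is to treat object URLs as a resource with a bounded lifetime. The following is an added example, not code from the bug report or from Firefox: a small pool that caps how many object URLs are live at once, revoking the oldest with URL.revokeObjectURL when the cap is exceeded, plus a simulateBurst helper that runs the reporter's create-in-a-loop pattern through the pool. The class, its method names and the 4 KiB sample blob are assumptions chosen for the example; it relies on Blob, URL.createObjectURL and URL.revokeObjectURL being available as globals (browser, or Node 18 and later).

```javascript
// Added example (not from the bug report): bound the number of live object URLs
// a page holds at once. Oldest URLs are revoked first when the cap is reached.

class ObjectUrlPool {
  constructor(maxLive) {
    if (!Number.isInteger(maxLive) || maxLive < 1) {
      throw new RangeError('maxLive must be a positive integer');
    }
    this.maxLive = maxLive;
    this.live = [];      // insertion order: index 0 is the oldest live URL
    this.created = 0;    // total URLs minted through this pool
    this.revoked = 0;    // total URLs revoked through this pool
  }

  // Mint an object URL for `blob`, first evicting the oldest URL(s) so the
  // number of live URLs never exceeds maxLive.
  create(blob) {
    while (this.live.length >= this.maxLive) {
      this.revokeOldest();
    }
    const url = URL.createObjectURL(blob);
    this.live.push(url);
    this.created += 1;
    return url;
  }

  revokeOldest() {
    const url = this.live.shift();
    if (url !== undefined) {
      URL.revokeObjectURL(url);
      this.revoked += 1;
    }
  }

  // Revoke one specific URL once its consumer (img, download link, worker)
  // no longer needs it. Returns false if the URL is not live in this pool.
  release(url) {
    const idx = this.live.indexOf(url);
    if (idx === -1) return false;
    this.live.splice(idx, 1);
    URL.revokeObjectURL(url);
    this.revoked += 1;
    return true;
  }

  // Revoke everything, e.g. from a pagehide handler.
  clear() {
    while (this.live.length > 0) this.revokeOldest();
  }

  get liveCount() {
    return this.live.length;
  }
}

// Constructed workload mirroring the reporter's loop (perTick URLs per tick),
// but with a small 4 KiB blob and a bounded pool instead of unbounded retention.
function simulateBurst(iterations, perTick, maxLive) {
  const blob = new Blob([new ArrayBuffer(4096)]);
  const pool = new ObjectUrlPool(maxLive);
  for (let tick = 0; tick < iterations; tick++) {
    for (let i = 0; i < perTick; i++) pool.create(blob);
  }
  const result = { created: pool.created, revoked: pool.revoked, live: pool.liveCount };
  pool.clear();
  return result;
}

// Usage: 100 ticks of 32 URLs each, never more than 64 live at any moment.
console.log(simulateBurst(100, 32, 64));
```

The cap is a safety net, not a substitute for releasing a URL as soon as its consumer is done with it; release() covers that case, and the pool still guarantees that a forgotten release cannot grow memory without bound.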

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Gtk
Product: Firefox → Core
Component: Widget: Gtk → DOM: File

Thanks for filing this. Could you share some of the crash reports you generated this way? We assume from your description that the parent process is crashing.

Severity: -- → S3
Flags: needinfo?(mattis.bergmann)
Attached file memory-report.json.gz

Firefox did not generate a crash report, possibly because it was killed by the OOM killer before having a chance. However, I was able to get a memory report right before the crash.

Flags: needinfo?(mattis.bergmann)