Closed Bug 1939488 Opened 7 months ago Closed 4 months ago

"InternalError: too much recursion" when loading a large manifest.json file

Categories

(WebExtensions :: General, defect, P2)

Tracking

(firefox139 fixed)

RESOLVED FIXED
139 Branch

People

(Reporter: robwu, Assigned: robwu)

References

Details

(Whiteboard: [addons-jira])

Attachments

(1 file)

STR:

  1. Create a manifest.json and add a key with many characters. E.g. 10M of "foo": "X (repeated 10M times)"
  2. Load it via about:debugging

Expected:

  • The extension should load.

Actual:

  • The extension fails to load, with about:debugging's UI displaying:

There was an error during the temporary add-on installation.
Error details

too much recursion

  • And the error console:

[ACTION FAILED] TEMPORARY_EXTENSION_INSTALL_FAILURE: too much recursion
readJSON/</<@resource://gre/modules/Extension.sys.mjs:1174:25
onStopRequest@resource://gre/modules/NetUtil.sys.mjs:124:18

This issue is caused by the COMMENT_REGEXP at https://searchfox.org/mozilla-central/rev/222add4dd36e034fa4d0a8b3e4e1ded979599892/toolkit/components/extensions/Extension.sys.mjs#398-411

This regular expression contains a repeating non-capturing group, but with large inputs, the internal implementation seems to recurse to a depth proportional to the string to test.

I tried fixing the COMMENT_REGEXP regexp to reduce backtracking (beyond what was attempted in bug 1299256), but found that even the simplest of regular expressions can exhaust the stack when a large input is fed. E.g. the following regexp can be used to try and match a string literal: /^"(?:[^"\\\n]|\\.)*"/, but triggers RangeError when passed '"' + 'x'.repeat(1e7) + '"'

Here is a self-contained test case demonstrating that a repeating non-capturing group can lead to deep recursion depths, and thus trigger an error (in Chromium and Firefox):

/^a(?:[^x]|nevermatch)*/.exec('a' + "b".repeat(1e7) +'c')

See Also: → 1299256

The severity field is not set for this bug.
:zombie, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(tomica)
Severity: -- → S4
Flags: needinfo?(tomica)
Priority: -- → P3
Priority: P3 → P2

There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:robwu, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.

Flags: needinfo?(tomica)
Flags: needinfo?(rob)
Flags: needinfo?(tomica)
Flags: needinfo?(rob)
Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/38de86874c87
Replace inefficient regex of JSON comment stripper with linear algorithm r=zombie
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
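
The fix that landed swaps the regular expression for a linear algorithm. As an added illustration (this is not the code from the landed patch), the sketch below strips comments in a single pass with an explicit in-string flag, so nesting depth never grows with input size. It assumes only `//` line comments outside string literals are removed and that a string literal ends at an unescaped quote or a newline, mirroring the string-literal regexp quoted in the report; `stripLineComments` and `bigManifest` are hypothetical names.

```javascript
// Added example, not the landed patch: strip "//" comments in one pass.
// stripLineComments is a hypothetical name. Assumption: only "//" comments
// outside string literals are removed; everything else is copied verbatim.
function stripLineComments(text) {
  const kept = [];
  let copyFrom = 0; // start of the span still to be copied to the output
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === "\\" && text[i + 1] !== "\n") {
        i++; // skip the escaped character so \" does not close the string
      } else if (ch === '"' || ch === "\n") {
        inString = false; // closing quote, or unterminated string at end of line
      }
    } else if (ch === '"') {
      inString = true;
    } else if (ch === "/" && text[i + 1] === "/") {
      kept.push(text.slice(copyFrom, i));
      const eol = text.indexOf("\n", i);
      if (eol === -1) {
        copyFrom = text.length; // comment runs to end of input
        break;
      }
      copyFrom = i = eol; // resume at the newline, which is kept
    }
  }
  kept.push(text.slice(copyFrom));
  return kept.join("");
}

// Constructed input following the report's STR: a 10M-character string value.
const bigManifest =
  '{\n  // leading comment\n  "foo": "' + "X".repeat(1e7) + '" // trailing\n}';
const parsed = JSON.parse(stripLineComments(bigManifest));
console.log(parsed.foo.length);
```

The scanner keeps state in two local variables and copies untouched spans by slice, so time and memory are proportional to the input length and stack depth stays constant.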