High memory use and crash on page with infinite <option>s

RESOLVED WORKSFORME

Status


Core
Layout: Form Controls
--
critical
RESOLVED WORKSFORME
13 years ago
3 years ago

People

(Reporter: Jeffrey Brown, Unassigned)

Tracking

({crash, hang})

Trunk
x86
Windows XP
crash, hang
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], URL)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5


Basically it just fills the listbox with tons of entries of "Bug!", eventually causing it to take up tons of memory and crash the browser altogether.

Reproducible: Always

Steps to Reproduce:
1. Go to http://wgcenter.com/firefoxbug.php

Actual Results:  
Firefox stopped responding and had to be ended through task manager

Expected Results:  
Should have limited the number of entries in a dropdown to prevent this crash, perhaps a few thousand items

Code of firefoxbug.php:

<select name="select8">
<?php
// Intentionally infinite: $h is reset to 0 on every iteration, so the
// condition $h<2 never fails and the server streams <option>s forever.
for($h=0; $h<2; $h++){
echo "<option>Bug!</option>";
$h=0;
}
?>
</select>

Comment 1

13 years ago
I don't think this is security sensitive, but will leave that to others to decide. Not sure if this is layout or parser.

A recent trunk build on winxp ate all my memory and reached a VM size of ~2G, but did not crash after a long time although after a while it began to spew:

WARNING: NS_ENSURE_TRUE(newImpl) failed, file .../mozilla/content/base/src/nsAttrAndChildArray.cpp, line 733
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file ...mozilla/content/base/src/nsGenericElement.cpp, line 2797

I then closed the browser window and after a long time of memory churn crashed at: 

+	aContent	0x17a77ef8
+	aPrimaryFrame	0x625da29c
+	entry	0x00000000
+	&mPrimaryFrameMap	0x03c8f6e8
	PL_DHASH_ADD	0x00000001
+	this	0x03c8f6dc

nsFrameManager::SetPrimaryFrameFor(nsIContent * 0x17a77ef8, nsIFrame * 0x625da29c) line 450 + 6 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState & {...}, const nsStyleDisplay * 0x03fabcf4, nsIContent * 0x17a77ef8, int 0x00000000, nsIAtom * 0x003fee38, nsIFrame * 0x03f35950, nsStyleContext * 0x03fabcc8, nsFrameItems & {...}, int 0x00000000) line 7022
nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & {...}, nsIContent * 0x17a77ef8, nsIFrame * 0x03f35950, nsIAtom * 0x003fee38, int 0x00000000, nsStyleContext * 0x03fabcc8, nsFrameItems & {...}, int 0x00000000) line 8009 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & {...}, nsIContent * 0x17a77ef8, nsIFrame * 0x03f35950, nsFrameItems & {...}) line 7833 + 53 bytes
nsCSSFrameConstructor::ContentAppended(nsIContent * 0x03f3bee8, int 0x00001d78) line 8923
PresShell::ContentAppended(nsIDocument * 0x03e760e8, nsIContent * 0x03f3bee8, int 0x00001d78) line 5134
nsDocument::ContentAppended(nsIContent * 0x03f3bee8, int 0x00001d78) line 2295
nsHTMLDocument::ContentAppended(nsIContent * 0x03f3bee8, int 0x00001d78) line 1138
HTMLContentSink::NotifyAppend(nsIContent * 0x03f3bee8, unsigned int 0x00001d78) line 3663
SinkContext::FlushTags(int 0x00000001) line 1751
HTMLContentSink::DidBuildModel(HTMLContentSink * const 0x03ed44ec) line 2232
CNavDTD::DidBuildModel(CNavDTD * const 0x03ea8cf8, unsigned int 0x804e03f7, int 0x00000001, nsIParser * 0x03cdb358, nsIContentSink * 0x03ed44ec) line 502
nsParser::DidBuildModel(unsigned int 0x804e03f7) line 1198 + 51 bytes
nsParser::Terminate(nsParser * const 0x03cdb358) line 1305
nsDocument::StopDocumentLoad() line 1139
DocumentViewerImpl::Stop(DocumentViewerImpl * const 0x03ecffb0) line 1572
nsDocShell::Stop(nsDocShell * const 0x03c8b370, unsigned int 0x00000003) line 3236
nsDocShell::Stop(nsDocShell * const 0x034d7d78, unsigned int 0x00000003) line 3259
nsDocShell::Destroy(nsDocShell * const 0x034d7d7c) line 3511
nsXULWindow::Destroy(nsXULWindow * const 0x0336b7f0) line 510
nsWebShellWindow::Destroy(nsWebShellWindow * const 0x0336b7f0) line 844 + 9 bytes
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f094) line 402
nsWindow::DispatchEvent(nsWindow * const 0x0336b964, nsGUIEvent * 0x0012f094, nsEventStatus & nsEventStatus_eIgnore) line 1162 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f094) line 1183
nsWindow::DispatchStandardEvent(unsigned int 0x00000065) line 1202 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000, long * 0x0012f514) line 4273
nsWindow::WindowProc(HWND__ * 0x000105be, unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000) line 1351 + 27 bytes

Letting the page run even longer spews

WARNING: NS_ENSURE_TRUE(childCount < ATTRCHILD_ARRAY_MAX_CHILD_COUNT) failed, file .../mozilla/content/base/src/nsAttrAndChildArray.cpp, line 149
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file .../mozilla/content/base/src/nsGenericElement.cpp, line 2797

and a crash at

    entry->frame = aPrimaryFrame;

+	aContent	0x16366d08
+	aPrimaryFrame	0x0149eb18
+	entry	0x00000000
+	&mPrimaryFrameMap	0x036cdb40
	PL_DHASH_ADD	0x00000001
+	this	0x036cdb34


nsFrameManager::SetPrimaryFrameFor(nsIContent * 0x16366d08, nsIFrame * 0x0149eb18) line 450 + 6 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState & {...}, const nsStyleDisplay * 0x039c0a20, nsIContent * 0x16366d08, int 0x00000000, nsIAtom * 0x00fb44b8, nsIFrame * 0x0396954c, nsStyleContext * 0x039c09f4, nsFrameItems & {...}, int 0x00000000) line 7022
nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & {...}, nsIContent * 0x16366d08, nsIFrame * 0x0396954c, nsIAtom * 0x00fb44b8, int 0x00000000, nsStyleContext * 0x039c09f4, nsFrameItems & {...}, int 0x00000000) line 8009 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & {...}, nsIContent * 0x16366d08, nsIFrame * 0x0396954c, nsFrameItems & {...}) line 7833 + 53 bytes
nsCSSFrameConstructor::ContentAppended(nsIContent * 0x0396cd70, int 0x00004c31) line 8923
PresShell::ContentAppended(nsIDocument * 0x036198c8, nsIContent * 0x0396cd70, int 0x00004c31) line 5134
nsDocument::ContentAppended(nsIContent * 0x0396cd70, int 0x00004c31) line 2295
nsHTMLDocument::ContentAppended(nsIContent * 0x0396cd70, int 0x00004c31) line 1138
HTMLContentSink::NotifyAppend(nsIContent * 0x0396cd70, unsigned int 0x00004c31) line 3663
SinkContext::CloseContainer(nsHTMLTag eHTMLTag_select) line 1330
HTMLContentSink::CloseContainer(HTMLContentSink * const 0x038928fc, nsHTMLTag eHTMLTag_select) line 2920 + 18 bytes
CNavDTD::CloseContainer(nsHTMLTag eHTMLTag_select) line 2743 + 31 bytes
CNavDTD::CloseContainersTo(int 0x00000002, nsHTMLTag eHTMLTag_select, int 0x00000000) line 2790 + 12 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_select, int 0x00000000) line 2934 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x0109a650, unsigned int 0x00000000, int 0x00000001, nsIParser * 0x038926f0, nsIContentSink * 0x038928fc) line 473 + 22 bytes
nsParser::DidBuildModel(unsigned int 0x00000000) line 1198 + 51 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000001, int 0x00000001) line 1933
nsParser::ContinueInterruptedParsing(nsParser * const 0x038926f0) line 1352 + 19 bytes
nsParser::HandleParserContinueEvent() line 1421
nsParserContinueEvent::HandleEvent(PLEvent * 0x0d77d3d0) line 237
PL_HandleEvent(PLEvent * 0x0d77d3d0) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01037378) line 623 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000801d8, unsigned int 0x0000c149, unsigned int 0x00000000, long 0x01037378) line 1408 + 9 bytes
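The two failure points in the traces above are a child array that refuses to grow past a cap (the `childCount < ATTRCHILD_ARRAY_MAX_CHILD_COUNT` warning) and a frame-map insert that returns no entry under memory pressure, after which `entry->frame = aPrimaryFrame;` writes through a null pointer. The following is an added example, not Gecko code, that models both in a few dozen lines of C++ and shows the fail-closed handling the reporter's expected result asks for: the cap, the budget, and every class and function name here are hypothetical stand-ins, and the real `ATTRCHILD_ARRAY_MAX_CHILD_COUNT` value is not on this page.

```cpp
// Added example (not Gecko code): models the two failure points visible in
// comment 1. (1) A per-element child array that refuses to grow past a cap,
// as the ATTRCHILD_ARRAY_MAX_CHILD_COUNT warning does. (2) A primary-frame
// map whose insert can return null under memory pressure; the crash site
// `entry->frame = aPrimaryFrame;` dereferenced that null, so the safe caller
// checks it and returns an error instead. Names, caps and budgets here are
// hypothetical stand-ins, not Gecko's.
#include <cstddef>
#include <cstdio>
#include <unordered_map>
#include <vector>

typedef int Content;   // stand-in for nsIContent*
typedef int Frame;     // stand-in for nsIFrame*

enum Result { OK = 0, ERR_TOO_MANY_CHILDREN = 1, ERR_OUT_OF_MEMORY = 2 };

// Placeholder cap; the real ATTRCHILD_ARRAY_MAX_CHILD_COUNT value is not on this page.
const size_t kDefaultMaxChildCount = 4096;

// Child list that fails closed at the cap instead of growing without bound.
class ChildArray {
 public:
  explicit ChildArray(size_t cap = kDefaultMaxChildCount) : mCap(cap) {}
  bool AppendChild(Content c) {
    if (mChildren.size() >= mCap) return false;  // NS_ENSURE_TRUE(childCount < max) analogue
    mChildren.push_back(c);
    return true;
  }
  size_t Count() const { return mChildren.size(); }
 private:
  size_t mCap;
  std::vector<Content> mChildren;
};

struct Entry { Frame frame; };

// Content -> frame map with a simulated allocation budget: Add() returns
// nullptr once the budget is spent, like PL_DHASH_ADD yielding no entry.
class FrameMap {
 public:
  explicit FrameMap(size_t budget) : mBudget(budget) {}
  Entry* Add(Content c) {
    auto it = mEntries.find(c);
    if (it != mEntries.end()) return &it->second;
    if (mEntries.size() >= mBudget) return nullptr;  // simulated out-of-memory
    return &mEntries[c];  // node-based container: pointer stays valid across rehash
  }
  size_t Size() const { return mEntries.size(); }
 private:
  size_t mBudget;
  std::unordered_map<Content, Entry> mEntries;
};

// Safe version of the crash site: check the entry before writing through it.
Result SetPrimaryFrameFor(FrameMap& map, Content c, Frame f) {
  Entry* entry = map.Add(c);
  if (!entry) return ERR_OUT_OF_MEMORY;  // early return instead of a null dereference
  entry->frame = f;
  return OK;
}

struct AppendStats { size_t appended; Result last; };

// Simulates the content sink appending `count` <option> children to one
// <select>, stopping at the first refused append or failed frame insert.
AppendStats AppendOptions(ChildArray& children, FrameMap& frames, size_t count) {
  AppendStats s = {0, OK};
  for (size_t i = 0; i < count; ++i) {
    Content c = static_cast<Content>(i);
    if (!children.AppendChild(c)) { s.last = ERR_TOO_MANY_CHILDREN; break; }
    s.last = SetPrimaryFrameFor(frames, c, static_cast<Frame>(1000 + i));
    if (s.last != OK) break;  // child was appended, but no frame was built for it
    ++s.appended;
  }
  return s;
}

int main() {
  ChildArray children(8);   // small cap so the example stops quickly
  FrameMap frames(5);       // budget below the cap: the out-of-memory path is hit first
  AppendStats s = AppendOptions(children, frames, 1000000);  // stands in for "infinite" options
  std::printf("appended=%zu last=%d children=%zu frames=%zu\n",
              s.appended, static_cast<int>(s.last), children.Count(), frames.Size());
  return 0;
}
```

Whichever limit is hit first, the loop returns an error code the caller can act on (abort the load, show a crashed-tab page) rather than dereferencing a null entry; that is the difference between the hang-then-crash in comment 1 and the "safely aborts due to out-of-memory" behaviour reported later in this bug.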

(Reporter)

Comment 2

13 years ago
I marked it as security sensitive because others could potentially exploit this and direct users to a page which crashes their browser.
If you click the stop button while this page is loading you can recover, and the memory usage even drops quite a bit. I'd guess you could do the same thing spewing an infinite loop of any kind of content at us, tables or even just plain text.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:dos]

Updated

13 years ago
Component: General → Layout: Form Controls
Keywords: crash
Product: Firefox → Core
Version: unspecified → Trunk
QA Contact: general → layout.form-controls
Summary: browser crashes and major memory usage upon a recursive loop that fills a dropdown with many entries → High memory use and crash on page with infinite <option>s

Comment 4

9 years ago
I have placed a copy of comment 0's PHP script at:
http://www.squarefree.com/bug320932/infinite-options.php
Loading it will hang Firefox, at least.

Comment 5

9 years ago
On Mac, I can't get this to do anything but hang.  In an opt build, it uses 2.5 GB RAM and stays there, still hanging.  In a debug build, it uses up memory too slowly to reach 2.5 GB.
Keywords: hang
Still an issue with Firefox 8.0a2.
Whiteboard: [sg:dos] → [sg:dos], [MemShrink]
This is not a memshrink bug, because this isn't a problem encountered on non-attack pages.
Whiteboard: [sg:dos], [MemShrink] → [sg:dos]
I tried this in FF38 and it safely aborts due to out-of-memory.
In Nightly I get the "This tab has crashed" message, so I think this is working as expected.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME