Closed Bug 441675 Opened 16 years ago Closed 16 years ago

OOM conditions causes all kinds of random crashes

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 427099

People

(Reporter: u315569, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14)

Hi,


I've found that cause FireFox to run out of memory can lead to very erratic behavior; every time I run my repro, it seems to crash at a different location in the code. I am seeing a lot of NULL pointers, but I cannot rule out that some of these errors may be exploitable, as there seem to be so many,


This is the code I use to reproduce this issue:


<BODY onload="init();" style="font-family: Courier New;"><SCRIPT>
var asHeap = [];
var asChunks = ["A"];
var bException = false;
var iTotal = 0;
function init() {
setInterval(go, 1);
setInterval(test, 333);
}
var o = null;
function test(oWindow) {
window.open("javascript:window.close();");
}
function go() {
if (bException) {
asHeap.push(asChunks.pop());
}
bException = true;
try {
var sChunk = asChunks[asChunks.length - 1];
document.title = "~0x" + iTotal.toString(16) + 
" / " + sChunk.length.toString(16);
var sNewChunk = sChunk + sChunk;
if (sNewChunk.length == sChunk.length * 2) {
asChunks.push(sNewChunk);
iTotal += sNewChunk.length;
bException = false;
}
} catch (e) {}
}
</SCRIPT></BODY>


As you can see, it uses one Interval to consume memory (go) and one to open and close windows (test) the latter I added to force FireFox to do something that may fail badly when there's not enough memory to complete the operation. I noticed that the popup-blocker starts acting "odd" sometimes: even though it allowed the first few popups, it started to prevent them later or vice versa. This happens before FireFox is really low on memory, so that does not seem to be the cause. This behavior also does not seem to be predictable, it happens every now and then and there does not seem to be a good reasen for it to be so random.

Reproducible: Always

Steps to Reproduce:
Load this URL:
* http://skypher.com/SkyLined/Repro/FireFox/OOM.html
Actual Results:  
FireFox crashes


I reported this on May 20, 2008 to security@mozilla.org in an email with the title "OOM conditions causes all kinds of random crashes" but have not received a reply to date.
This is kinda-known. Unless you have a specific POC, I'd like to open this bug up/dup it against our ongoing work for a no-fail allocator: http://wiki.mozilla.org/Mozilla_2/Memory and bug 427099
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Duping this to bug 427099 per comment 1.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.