changing iframe's source (SVG) via JavaScript can force Firefox to use high CPU and to hang (should trigger script warning)

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Importance: -- critical
Reported: 9 years ago
Modified: 5 years ago
Reporter: Tobbi
Assignee: Unassigned
Keywords: hang
Version: 1.9.0 Branch
Platform: All, Windows Vista
Points: ---
Firefox Tracking Flags: Not tracked

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de-DE; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; de-DE; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)

I don't think this is really a bug, but I found out that you can force Firefox to hang / to use a high amount of CPU / RAM by just changing the source of an iframe dynamically, using e.g.:

    do
        this.src='http://openclipart.org/people/ClayDowling/ClayDowling_D20.svg';
    while(1==1);

In my opinion, Firefox should prevent such a thing from happening. Then everyone could force Firefox to become unresponsive.

You can find a testcase at http://tobbi.bplaced.net/testcases/testcase3.html

I know that the description is really bad, but I didn't know a better one.

Reproducible: Always

Steps to Reproduce:
1. Open the testcase.
2. Move the mouse over the iframe (to trigger onmouseover event)
3. Watch Firefox becoming unresponsive

Actual Results:
Firefox hangs, becomes unresponsive, uses much CPU and RAM

Expected Results:
Prevent such a thing from happening (e.g. trigger a script warning)

Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: hang
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.9.0 Branch

This will probably be mitigated by the patch in bug 453157.

Comment 2

9 years ago
(In reply to comment #1)
> This will probably be mitigated by the patch in bug 453157.

The slow script warning dialog should work now with jit-enabled as the bug 465030 is fixed.
(Reporter)

Comment 3

9 years ago
Okay, tried out latest trunk build now: It indeed triggers a script warning. The problem is: There are multiple ones and they do not include the right script. There are different js warnings with different js file names.

I can reproduce on Windows Vista 64 bit... Although, it crashed for me... For some reason the report didn't submit correctly... Sorry, no ID
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86 → All

Updated

8 years ago
Keywords: crash

Comment 5

8 years ago
https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg
Just found it, for some reason it didn't make it into about:crashes, but it was in the profile folder... 00ae7cda-193d-44c4-b103-f87be4dfbf8e
I take that back, I guess it didn't submit correctly...

Updated

8 years ago
Keywords: crash

I tried it with the FF 15.0 on Windows Vista X86 and don't see this issue anymore
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME