Closed Bug 474788 Opened 16 years ago Closed 12 years ago

changing iframe's source (SVG) via JavaScript can force Firefox to use high CPU and to hang (should trigger script warning)

Categories

(Core :: JavaScript Engine, defect)

1.9.0 Branch
All
Windows Vista
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: Tobbi, Unassigned)

Details

(Keywords: hang)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de-DE; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; de-DE; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)

I don't think this is really a bug, but I found out that you can force Firefox to hang / to use a high amount of CPU / RAM by just changing the source of an iframe dynamically, using e.g.:
do
this.src='http://openclipart.org/people/ClayDowling/ClayDowling_D20.svg';
while(1==1);

In my opinion, Firefox should prevent such a thing from happening. Then everyone could force Firefox to become unresponsive.

You can find a testcase at http://tobbi.bplaced.net/testcases/testcase3.html

I know that the description is really bad, but I didn't know a better one.

Reproducible: Always

Steps to Reproduce:
1. Open the testcase.
2. Move the mouse over the iframe (to trigger onmouseover event)
3. Watch Firefox becoming unresponsive

Actual Results:
Firefox hangs, becomes unresponsive, uses much CPU and RAM

Expected Results:  
Prevent such thing from happening (e.g. trigger a script warning)
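
An added illustration (not part of the bug report and not Firefox code) of the mitigation the reporter asks for: a script engine enforcing a time budget on a handler that never returns. It uses the `timeout` option of Node.js's `vm` module as a stand-in for the browser's slow-script check; `makeFrameStub`, `runWithBudget`, `HANDLER_SOURCE` and the URL are constructed for this example.

```javascript
// Added example: a time budget around the loop shape from the report.
// Loads node:vm under CommonJS or, on Node 20.16+, as an ES module.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm');

// Constructed stand-in for the iframe element: it counts assignments to
// `src` instead of starting a load, so the example runs offline.
function makeFrameStub() {
  let assignments = 0;
  return {
    set src(_url) { assignments += 1; },
    get assignments() { return assignments; },
  };
}

// Handler body modelled on the one quoted in the report (placeholder URL).
const HANDLER_SOURCE = `
  do {
    frame.src = 'https://example.invalid/image.svg';
  } while (1 == 1);
`;

// Run `source` with `frame` in scope and abort it after `budgetMs`.
// Returns whether the watchdog fired and how much work was done first.
function runWithBudget(source, budgetMs) {
  const frame = makeFrameStub();
  const started = Date.now();
  let interrupted = false;
  try {
    vm.runInNewContext(source, { frame }, { timeout: budgetMs });
  } catch (err) {
    // Anything other than the timeout is a real error in the handler.
    if (err.code !== 'ERR_SCRIPT_EXECUTION_TIMEOUT') throw err;
    interrupted = true;
  }
  return { interrupted, assignments: frame.assignments, elapsedMs: Date.now() - started };
}

const result = runWithBudget(HANDLER_SOURCE, 100);
console.log(result.interrupted
  ? `handler stopped after ${result.elapsedMs} ms and ${result.assignments} src assignments`
  : 'handler returned on its own');
```

The `timeout` option only bounds run time; Node's documentation states that `vm` is not a security mechanism, so this models the watchdog and not isolation of hostile script.
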
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: hang
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.9.0 Branch

This will probably be mitigated by the patch in bug 453157.

(In reply to comment #1)
> This will probably be mitigated by the patch in bug 453157.

The slow script warning dialog should work now with jit-enabled as the bug 465030 is fixed.

Okay, tried out latest trunk build now: It indeed triggers a script warning. The problem is: There are multiple ones and they do not include the right script. There are different js warnings with different js file names.

I can reproduce on Windows Vista 64 bit... Although, it crashed for me... For some reason the report didn't submit correctly... Sorry, no ID

Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86 → All
Keywords: crash

Just found it, for some reason it didn't make it into about:crashes, but it was in the profile folder... 00ae7cda-193d-44c4-b103-f87be4dfbf8e

I take that back, I guess it didn't submit correctly...

Keywords: crash

I tried it with FF 15.0 on Windows Vista X86 and don't see this issue anymore.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME