Bug 530258 - browser hang and memory exhaustion using iframe.src and javascript: protocol
Status: NEW
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: Trunk
Platform: x86 Windows XP
Importance: -- critical with 6 votes
Assigned To: Nobody; OK to take it and work on it
QA Contact: Andrew Overholt [:overholt]
Blocks: eviltraps
Reported: 2009-11-20 21:06 PST by bcoles
Modified: 2016-02-19 22:11 PST

proof of concept (63 bytes, text/html)
2009-11-20 21:19 PST, bcoles
proof of concept (262 bytes, text/html)
2009-11-23 06:12 PST, bcoles

Description bcoles 2009-11-20 21:06:07 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091102 Firefox/3.5.5

This may be a duplicate of from 2001 which doesn't appear to be resolved?

Remote browser crash if a user browses a webpage with the following HTML code:
<iframe src="javascript: while (true) { window.location=''; }">

Javascript must be enabled.

Tested on:

Windows XP SP2:

Windows Vista SP0:

Reproducible: Always

Steps to Reproduce:
1. create new *.html file
2. upload it to a web host (optional)
3. enable javascript
4. run file

Actual Results:  
browser hangs. killing the process is the only option.

Expected Results:  
"this script will run forever, do you wish to terminate? y/n" warning.

Happens even when "warn me when web sites try to redirect or load the page" under tools->options->advanced->general->accessibility is selected.

I spent a few minutes debugging but couldn't get control of eip. i'm lazy.
Comment 1 bcoles 2009-11-20 21:19:24 PST
Created attachment 413778
proof of concept
Comment 2 Daniel Veditz [:dveditz] 2009-11-22 21:58:06 PST
Not sure why bug 101276 never had its fix checked in, but this isn't behaving like that one. This one is chewing up a lot more memory and CPU. I _do_ get the "A script on this page may be busy, or it may have stopped responding" prompt, but it does NOT let me kill the script! Memory use goes back down to reasonable levels every time that prompt comes up. It seems to be creating recursive iframes, but only one or two per busy prompt. If they were being created due to the while loop I'd have expected a lot more.

I don't see a crash. Maybe with less memory you'd trip over one of our many out-of-memory crashes.
Comment 3 bcoles 2009-11-23 06:06:29 PST
proof of concept #1 : Firefox 3.0.x :

<iframe src="javascript: while (true) { window.location=''; }">

My apologies, this causes Firefox 3.0.x to hang without prompting.

As you say, Firefox 3.5.5 reports an unresponsive script but won't allow you to continue. You also can't change tabs when the "unresponsive script" prompt is shown (also a bug?).

proof of concept #2 : Firefox 3.5.5 & Internet Explorer 8.0.6:

I've adjusted the HTML (poc url above, code below) which now causes Firefox 3.5.5 and Internet Explorer 8.0.6 to hang (IE dev team have been notified). It also causes memory exhaustion.

<iframe src="javascript:while(true) { document.write('<iframe src=\'javascript:\';></iframe>'); }"></iframe>

With WinXP SP2 @ 2.2GHz and 3GB of RAM this provides the "unresponsive script" prompt after ~10 seconds and ~800MB of memory usage. Upon clicking "stop script" the memory usage idles until the browser stop event is evoked (closed tab, or closed browser, or clicked "stop", or pressed ESC, etc).

The browser hangs and the memory usage then increases rapidly until it peaks at ~2GB. Killing the process is required.

proof of concept #3 : Firefox 3.5.5 :

For reliable denial of service repeat the previous line 100 times as it will hang the browser and exhaust memory WITHOUT prompting with "unresponsive script. continue y/n?"
Comment 4 bcoles 2009-11-23 06:12:37 PST
Created attachment 414035
proof of concept
Comment 5 Kyle Repinski 2016-02-19 22:11:14 PST
FYI, this is a major issue with e10s on at the very least all desktop platforms. Every 15 seconds this chews up 1GB of RAM, and closing the tab doesn't stop it. If somebody lands on a page with this and e10s they'll be crashing every time.
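
For sites that accept user-supplied HTML, one way to flag the pattern the proofs of concept above rely on (an iframe whose src is a javascript: URL) before the markup is served. This is an added example, not part of the bug report or of Mozilla's code; the function names and the sample markup are constructed for illustration.

```javascript
// Added example (not from the bug report): find <iframe> tags whose src uses
// the javascript: scheme in untrusted markup. Names and samples are constructed.

const NAMED = { colon: ':', tab: '\t', newline: '\n' };

// Single-pass decode of the character references that can disguise a scheme.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+);?|#(\d+);?|(colon|tab|newline);)/gi,
    (m, hex, dec, name) => {
      if (name) return NAMED[name.toLowerCase()];
      const n = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd';
    });
}

// Mirror URL-parser normalisation: drop leading C0 controls/space, drop
// tab/CR/LF anywhere, then compare the scheme case-insensitively.
function isJavascriptUrl(raw) {
  const url = decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(url);
}

// Quoted attribute values may contain '>' (as in nested-iframe markup), so the
// tag pattern consumes quoted strings whole instead of stopping at the first '>'.
function findJavascriptIframes(html) {
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const hits = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const a of tag[1].matchAll(attrRe)) {
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (a[1].toLowerCase() === 'src' && isJavascriptUrl(value)) {
        hits.push({ offset: tag.index, src: value });
      }
    }
  }
  return hits;
}

// Constructed sample: two benign frames followed by two javascript: frames.
const SAMPLE = [
  '<iframe src="https://example.com/?next=javascript:"></iframe>',
  '<iframe data-src="javascript:void(0)"></iframe>',
  '<iframe title="a > b" SRC=\' Java&Tab;Script:void(0)\'></iframe>',
  '<iframe src="&#106;avascript:void(\'>\')"></iframe>',
].join('\n');
console.log(findJavascriptIframes(SAMPLE).map((h) => h.offset));
```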
