Open
Bug 530258
Opened 15 years ago
Updated 2 years ago
browser hang and memory exhaustion using iframe.src and javascript: protocol
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
NEW
People
(Reporter: bcoles, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [sg:dos])
Attachments
(1 file, 1 obsolete file)
262 bytes,
text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
This may be a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=101276 from 2001 which doesn't appear to be resolved?
Remote browser crash if a user browses a webpage with the following HTML code:
<iframe src="javascript: while (true) { window.location=''; }">
JavaScript must be enabled.
Tested on:
Windows XP SP2:
Firefox/3.5.5
Firefox/3.0.15
Windows Vista SP0:
Firefox/3.0.10
Reproducible: Always
Steps to Reproduce:
1. create new *.html file
2. upload it to a web host (optional)
3. enable javascript
4. run file
Actual Results:
Browser hangs. Killing the process is the only option.
Expected Results:
"this script will run forever, do you wish to terminate? y/n" warning.
Happens even when "warn me when web sites try to redirect or load the page" under tools->options->advanced->general->accessibility is selected.
I spent a few minutes debugging but couldn't get control of EIP. I'm lazy.
Comment 2•15 years ago
Not sure why bug 101276 never had its fix checked in, but this isn't behaving like that one. This one is chewing up a lot more memory and CPU. I _do_ get the "A script on this page may be busy, or it may have stopped responding" prompt, but it does NOT let me kill the script! Memory use goes back down to reasonable levels every time that prompt comes up. It seems to be creating recursive iframes, but only one or two per busy prompt. If they were being created due to the while loop I'd have expected a lot more.
I don't see a crash. Maybe with less memory you'd trip over one of our many out-of-memory crashes.
Blocks: eviltraps
Summary: Remote browser crash if a user browses a webpage (if java script is enabled). → browser hang if iframe src sets window.location to '' in a loop.
Whiteboard: [sg:dos]
Updated•15 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
proof of concept #1 : Firefox 3.0.x : http://pixelsinspace.net/f.html
[code]
<iframe src="javascript: while (true) { window.location=''; }">
[/code]
My apologies, this causes Firefox 3.0.x to hang without prompting.
As you say, Firefox 3.5.5 reports an unresponsive script but won't allow you to continue. You also can't change tabs when the "unresponsive script" prompt is shown (also a bug?).
proof of concept #2 : Firefox 3.5.5 & Internet Explorer 8.0.6: http://pixelsinspace.net/ff.html
I've adjusted the HTML (poc url above, code below) which now causes Firefox 3.5.5 and Internet Explorer 8.0.6 to hang (IE dev team have been notified). It also causes memory exhaustion.
[code]
<iframe src="javascript:while(true) { document.write('<iframe src=\'javascript:\';></iframe>'); }"></iframe>
[/code]
With WinXP SP2 @ 2.2GHz and 3GB of RAM this provides the "unresponsive script" prompt after ~10 seconds and ~800MB of memory usage. Upon clicking "stop script" the memory usage idles until the browser stop event is evoked (closed tab, or closed browser, or clicked "stop", or pressed ESC, etc).
The browser hangs and the memory usage then increases rapidly until it peaks at ~2GB. Killing the process is required.
proof of concept #3 : Firefox 3.5.5 : http://pixelsinspace.net/fff.html
For reliable denial of service repeat the previous line 100 times as it will hang the browser and exhaust memory WITHOUT prompting with "unresponsive script. continue y/n?"
Summary: browser hang if iframe src sets window.location to '' in a loop. → browser hang and memory exhaustion using iframe.src and javascript: protocol
Version: unspecified → 3.5 Branch
Attachment #413778 -
Attachment is obsolete: true
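A site that accepts user-supplied markup can flag the frame sources quoted in the comment above before serving them; this does nothing for the browser-side hang itself. The following is an added example, not code from this bug report or from Mozilla, and `isJavascriptUrl`, `findScriptFrames` and the constructed samples are assumptions made for illustration.

```javascript
// Added example, not code from this bug report; function names are hypothetical.

// Resolve the value as a browser would: the WHATWG URL parser trims surrounding
// whitespace and control characters, drops tabs and newlines, and lowercases
// the scheme, so the comparison is made on the normalized scheme.
function isJavascriptUrl(value) {
  try {
    return new URL(value, 'https://base.invalid/').protocol === 'javascript:';
  } catch {
    return false; // not parsable as a URL, so not a script URL
  }
}

// Frame start tag; quoted attribute values may contain '>' and nested markup,
// as the second snippet in this bug does.
const FRAME_TAG = /<(iframe|frame)\b((?:[^>"']|"[^"]*"|'[^']*')*)>/gi;
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Return the src of every frame tag whose src is a javascript: URL.
// This scans raw markup and does not decode character references; in a
// sanitizer, call isJavascriptUrl on attributes taken from a real HTML parser.
function findScriptFrames(html) {
  const hits = [];
  for (const m of html.matchAll(FRAME_TAG)) {
    const attr = SRC_ATTR.exec(m[2]);
    if (!attr) continue;
    const src = attr[1] ?? attr[2] ?? attr[3];
    if (isJavascriptUrl(src)) hits.push(src);
  }
  return hits;
}

// The two snippets quoted in this bug, then two constructed samples.
const SAMPLES = [
  `<iframe src="javascript: while (true) { window.location=''; }">`,
  `<iframe src="javascript:while(true) { document.write('<iframe src=\\'javascript:\\';></iframe>'); }"></iframe>`,
  `<iframe src="https://example.invalid/embed"></iframe>`, // constructed, benign
  `<IFRAME SRC=' JavaScript:void(0)'></IFRAME>`,           // constructed, mixed case
];

for (const s of SAMPLES) {
  console.log(findScriptFrames(s).length ? 'FLAG ' : 'ok   ', s.slice(0, 60));
}
```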
Updated•13 years ago
Group: core-security
Version: 3.5 Branch → Trunk
Updated•13 years ago
Component: Security → DOM: Core & HTML
Product: Firefox → Core
QA Contact: firefox → general
Comment 5•9 years ago
FYI, this is a major issue with e10s on at the very least all desktop platforms. Every 15 seconds this chews up 1GB of RAM, and closing the tab doesn't stop it. If somebody lands on a page with this and e10s they'll be crashing every time.
Updated•7 years ago
Priority: -- → P3
Comment 6•2 years ago
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: critical → --
Comment 7•2 years ago
I didn't get a crash; however, when I ran the proof of concept I got the "the script is slowing down the browser" pop-up; the "stop running" button doesn't seem to work.
Severity: -- → S3