Closed Bug 537527 Opened 15 years ago Closed 13 years ago

Web Workers can be used to "fork bomb" Firefox

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.9.1 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: wpt2097, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Two example files for the bug. An HTML-document and a JavaScript file.
518 bytes, application/zip
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6

With a simple script I can make Firefox degrade and finally die by using the new feature Web Workers.

Creating a Worker which calls a script, which creates a new Worker with the same script etc etc.
(I'll try to append some example files).

The operating system (Linux) also slows down and becomes sluggish.

An interesting side effect is that the page which initiated the fork bomb is of course restored by Session Restore when starting the browser after crash, so off we go again...




More details on this page on history and implementation on fork bombing;
  http://en.wikipedia.org/wiki/Fork_bomb


Reproducible: Always

Steps to Reproduce:
1. Create javascript file that creates Workers using the same javascript
2. Create a html file which creates a Worker using above javascript
3. Load page, watch and see Firefox degrade in performance and die.
Actual Results:  
Slow system, memory eaten up by Firefox.

Expected Results:  
Would be nice with some kind of limit of workers per document/website which prevented >100 workers without user confirmation.
crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100102 Minefield/3.7a1pre ID:20100102044111

Signature	nsCOMPtr_base::~nsCOMPtr_base() | nsTArray<txExpandedNameMap_base::MapItem>::DestructRange(unsigned int, unsigned int)
UUID	0f41d41d-6494-46b2-836d-413e22100102
Time 	2010-01-02 07:39:28.787807
Uptime	5
Last Crash	483823 seconds before submission
Product	Firefox
Version	3.7a1pre
Build ID	20100102044111
Branch	1.9.3
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x1
User Comments	Bug 537527
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsCOMPtr_base::~nsCOMPtr_base() 	obj-firefox/xpcom/build/nsCOMPtr.cpp:81
1 	xul.dll 	nsTArray<txExpandedNameMap_base::MapItem>::DestructRange(unsigned int,unsigned int) 	obj-firefox/dist/include/nsTArray.h:878
2 	xul.dll 	txHandlerTable::`scalar deleting destructor'(unsigned int) 	
3 	xul.dll 	txHandlerTable::shutdown() 	content/xslt/src/xslt/txStylesheetCompileHandlers.cpp:3078
4 	xul.dll 	txMozillaXSLTProcessor::Shutdown() 	content/xslt/src/xslt/txMozillaXSLTProcessor.cpp:1306
5 	xul.dll 	nsLayoutStatics::Shutdown() 	layout/build/nsLayoutStatics.cpp:304
6 	xul.dll 	nsContentUtils::WrapNative(JSContext*,JSObject*,nsISupports*,nsID const*,int*,nsIXPConnectJSObjectHolder**,int) 	
7 		@0x7fd203f 	
8 	xul.dll 	nsDOMWorkerFunctions::NewWorker(JSContext*,JSObject*,unsigned int,int*,int*) 	dom/src/threads/nsDOMWorker.cpp:367
9 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:1376
10 	mozjs.dll 	RefillFinalizableFreeList 	js/src/jsgc.cpp:1527
11 		@0x4cbff4f
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: DOM → XPCOM
Ever confirmed: true
Keywords: crash, testcase
OS: Linux → All
QA Contact: general → xpcom
Version: unspecified → 1.9.1 Branch
The number of OS threads is already limited, it´s not really a fork bomb. See
<http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020326.html> and
bug 530634. Bug 530886 is the master bug for improving scheduling in general.

You should be able to launch hundreds of web workers or more, by design. That´s
not a bug. I´m not sure if a maximum number would serve a real purpose, unless
its´a real huge number. It´s already possible to consume resources in lots of
different ways (loading thousands of images for instance, or lots of iframes),
this is just one of them.
I don´t want to imply that this shouldn´t be fixed, I just want to point out that launching hundreds of web workers should still be possible, even though it´s a bit silly (and scheduling will need to be improved). If there will be a limit it might be in the thousands.
Component: XPCOM → DOM
QA Contact: xpcom → general
This is fixed now with bug 649537.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: