Error console crashes Firefox when out of memory



Toolkit Graveyard
Error Console
8 years ago
2 years ago


(Reporter: Lostmon Lords, Unassigned)


(Depends on: 2 bugs, {crash, testcase})




(2 attachments)



8 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB6.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; Tablet PC 2.0) chromeframe/5.0.366.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv: Gecko/20100401 Firefox/3.6.3

Firefox hangs with a malformed page, and when trying to view the error console Firefox crashes due to an uncaught exception.

Reproducible: Always

Steps to Reproduce: the sample PoC with firefox
2. Wait until the page loads (very slow), Ctrl+Shift+J
Actual Results:
Firefox hangs & crashes with possible memory corruption traces.

Expected Results:  
View JavaScript errors

Firefox 3.6.2 & 3.6.3 hang & crash with possible memory corruption traces; a remote code execution is also possible. I did several tests and debugging runs, but I have not found the RCE.

Hex dump: 66:8B1447
Moves contents of 16-bit memory at location [EAX*2+EDI] to the 16-bit register DX. Flags are not affected.

Comment 1

8 years ago
Created attachment 437046 [details]
Traces on debug

trace with JiT debugger.
->toolkit::error console

do you have a stack trace in about:crashes to point us to?
Component: Developer Tools → Error Console
Keywords: crash
Product: Firefox → Toolkit
QA Contact: → error.console
Version: unspecified → 1.9.2 Branch

Comment 3

8 years ago
Created attachment 437049 [details]
test case for this issue

Test case: open it and press Ctrl+Shift+J when it loads, or open your error console and then open the test case.
Keywords: qawanted, testcase

Comment 4

8 years ago
confirmed here on OS X 10.6.3

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100401 Firefox/3.6.3 ID:20100401064631

Didn't get a crash stack though. Thanks for filing this.
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86 → All

Comment 6

8 years ago
Flock Browser 2.5 crashes too in a similar situation
Seeing same stack on Win 7:

Hang and eventual crash on 10.6, but no reporter catching the crash there.

Comment 8

8 years ago
The testcase is just code that asks the JS engine to fill up memory, and the crash is just operator new saying we're out of memory.

Avoiding OOM crashes is bug 427099, bug 516518, bug 70821, or bug 482143.  We're generally not bothering to fix the crash locations one at a time.
Group: core-security
Keywords: qawanted
Summary: Error console crash firefox in uncaugh excepcion → Error console crashes Firefox when out of memory
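The failure mode described in comment 8 (a page floods a console with messages until an allocation fails) as an added C++ example; it is not Firefox code and not part of the original report. The `BoundedLog` class, its method names, the 64-byte per-entry charge and the 1 KiB budget are assumptions made for illustration: the store evicts its oldest messages to stay within a byte budget and turns a failed allocation into a dropped message instead of an uncaught exception.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <new>
#include <string>

// Hypothetical capped message store; the class, its names and the
// per-entry charge are assumptions, not Firefox code.
class BoundedLog {
public:
    static constexpr std::size_t kPerEntry = 64;  // assumed bookkeeping cost
    explicit BoundedLog(std::size_t budgetBytes) : budget_(budgetBytes) {}

    // Stores a message, evicting the oldest ones to stay within budget.
    // Returns false (message dropped) instead of letting OOM propagate.
    bool append(const char* text, std::size_t len) {
        // A message that can never fit is rejected before any allocation.
        if (len > budget_ || budget_ - len < kPerEntry) { ++dropped_; return false; }
        const std::size_t cost = len + kPerEntry;
        while (used_ + cost > budget_) {           // make room first
            used_ -= entries_.front().size() + kPerEntry;
            entries_.pop_front();
            ++dropped_;
        }
        try {
            entries_.emplace_back(text, len);      // may throw std::bad_alloc
        } catch (const std::bad_alloc&) {
            ++dropped_;                            // degrade: lose one message
            return false;
        }
        used_ += cost;
        return true;
    }
    std::size_t used() const { return used_; }
    std::size_t count() const { return entries_.size(); }
    std::size_t dropped() const { return dropped_; }

private:
    std::size_t budget_, used_ = 0, dropped_ = 0;
    std::deque<std::string> entries_;
};

int main() {
    BoundedLog log(1024);                          // constructed 1 KiB budget
    const std::string msg(36, 'x');                // constructed sample message
    for (int i = 0; i < 25; ++i) log.append(msg.data(), msg.size());
    std::printf("kept=%zu dropped=%zu used=%zu\n",
                log.count(), log.dropped(), log.used());
    return 0;
}
```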
I figured it was just hammering the console with text, and the stack trace indicated it was failing on new operator.

We can leave this open until that's fixed in the other referenced bugs.

thanks Jesse.


6 years ago
Depends on: 427099, 516518, 482143
The Error Console has been removed in favor of the Browser Console (see Bug 1278368), and the component is going to be removed.  If this bug is also relevant in the Browser Console, please reopen and move this into Firefox -> Developer Tools: Console.
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
I am mass-reopening and re-componenting every single one of the Toolkit:Error Console bugs that appear to have been closed without anyone even *glancing* at whether they were relevant to the Browser Console.

If you want to close a whole bunch of old bugs -- FOR ANY REASON -- it is YOUR RESPONSIBILITY to check EVERY SINGLE ONE OF THEM and make sure they are no longer valid.  Do not push that work onto the bug reporters.

(It's okay to close bugs that haven't been touched in years when they don't have enough information for you to figure out whether the problem is still relevant to the current software - the reporter probably isn't coming back to clarify.  But that is the ONLY situation where it is okay.)

(I'm going to have to do this in two steps because of the way the "change several bugs at once" form works.  Apologies for the extra bugspam.)
Component: Error Console → Developer Tools: Console
Product: Toolkit → Firefox
Resolution: WONTFIX → ---
Version: 1.9.2 Branch → Trunk
The Error Console feature was removed entirely from the tree in Bug 1278368 and the bugzilla component is now being removed. We’ve migrated bugs that seem to also affect the Browser Console into the devtools component, please move this over if it was missed.
Last Resolved: 2 years ago
Component: Developer Tools: Console → Error Console
Product: Firefox → Toolkit
Resolution: --- → WONTFIX


2 years ago
Product: Toolkit → Toolkit Graveyard