Closed
Bug 608554
Opened 10 years ago
Closed 9 years ago
Firefox crashes when executing the given javascript
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gauravgulati81, Unassigned)
References
Details
(Keywords: crash, csectype-oom, testcase, Whiteboard: [sg:dos oom])
Attachments
(1 file, 1 obsolete file)
337 bytes,
text/plain
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Firefox crashes when executing the given javascript. Please find the test file attached. Reproducible: Always Steps to Reproduce: 1. Launch an html page having the following javascript: <script type="text/javascript"> var num=99999999; var str = unescape("%u9999%u9999"); var i = Math.ceil(Math.log(num) / Math.LN2), res = str; do { res += res; } while (0 < --i); document.write(res.slice(0, 999999999999)); </script> Actual Results: Firefox crashes. Expected Results: Firefox should not crash.
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Updated•10 years ago
|
Attachment #487196 -
Attachment description: script used for testing → Please ignore this script
Reporter | ||
Comment 2•10 years ago
|
||
Reporter | ||
Comment 3•10 years ago
|
||
Please use the following javascript for reproducing the bug: <html><body> <script type="text/javascript"> var num=49000000; var str = unescape("%u9999%u9999"); var i = Math.ceil(Math.log(num) / Math.LN2), res = str; do { res += res; } while (0 < --i); document.write(res.slice(0, 999999999999)); </script> </body></html>
Comment 4•10 years ago
|
||
With Firefox 1.9.2 DEBUG on Linux x86-64 *__GI_raise (sig=<value optimized out>) at sysdeps/unix/sysv/linux/raise.c:64 *__GI_abort () at abort.c:92 g_logv () from /lib/libglib-2.0.so.0 g_log () from /lib/libglib-2.0.so.0 g_realloc () from /lib/libglib-2.0.so.0 pango_glyph_string_set_size () from /usr/lib/libpango-1.0.so.0 ?? () from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so pango_shape () from /usr/lib/libpango-1.0.so.0 gfxPangoFontGroup::CreateGlyphRunsItemizing gfxPangoFonts.cpp:3088 gfxPangoFontGroup::MakeTextRun gfx/thebes/src/gfxPangoFonts.cpp:2416 TextRunWordCache::MakeTextRun gfx/thebes/src/gfxTextRunWordCache.cpp:685 MakeTextRun layout/generic/nsTextFrameThebes.cpp:436 BuildTextRunsScanner::BuildTextRunForFrames nsTextFrameThebes.cpp:1783 BuildTextRunsScanner::FlushFrames layout/generic/nsTextFrameThebes.cpp:1214 BuildTextRuns layout/generic/nsTextFrameThebes.cpp:1148 nsTextFrame::EnsureTextRun layout/generic/nsTextFrameThebes.cpp:1972 nsTextFrame::Reflow layout/generic/nsTextFrameThebes.cpp:6126 g_realloc aborts on OOM - this is the expected behavior.
Comment 5•10 years ago
|
||
On Windows, this is likely a dupe of bug 608336.
Comment 6•10 years ago
|
||
With Firefox 1.9.2 DEBUG on OSX 10.5 I got the occasional OOM abort from |operator new|, other than that it just hanged consuming CPU cycles -- no nasty looking crashes (YMMV).
Reporter | ||
Comment 7•10 years ago
|
||
Please execute the 2nd attachment to generate the crash.... the 1st attachment was made by mistake.
Updated•10 years ago
|
Attachment #487196 -
Attachment is obsolete: true
Comment 8•10 years ago
|
||
Yes, my tests above was with attachment 487197 [details].
Comment 9•10 years ago
|
||
Testing 1.9.2 debug build on Windows XP with the patch for bug 608336 - I get only safe OOM abort from |operator new|.
Updated•10 years ago
|
Comment 10•10 years ago
|
||
Fixed by bug 608336. Gaurav, please verify with the latest 3.6.13 candidate build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.13-candidates/ Note that we will still crash, that is expected, but the crash should be a deliberate call to abort() or similar when we run out of memory.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 11•9 years ago
|
||
Re-tested in version 15.0.1. The defect is reproducible. The browser crashes as soon as the script is executed.
Reporter | ||
Comment 12•9 years ago
|
||
Re-test performed on Win XP SP3.
<in mail to sec@> Hi, This bug is reproducible in Firefox version 15.0.1. But, I am unable to re-open the defect in bugzilla. Thanks, Gaurav Gulati.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 14•9 years ago
|
||
Per comment 10: Note that we will still crash, that is expected, but the crash should be a deliberate call to abort() or similar when we run out of memory. There are other bug reports tracking the work needed to implement memory quotas per tab and such features to prevent individual pages from consuming too much memory. Again, a *safe crash* is expected. Please don't reopen unless you see something different - or in that case, better file a new bug.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•