Open Bug 736194 Opened 13 years ago Updated 2 years ago

Long document.title test hangs browser

Categories: Firefox :: Tabbed Browser, defect

People: Reporter: cpeterson, Unassigned

Attachments: 2 files

STR:
1. Load https://bugzilla.mozilla.org/attachment.cgi?id=591441

AR: The browser hangs as test case extends document.title exponentially.

ER: The browser could limit document.title to avoid hangs.

Chrome does not hang, but the test case's tab eventually OOMs to a "sad tab" error. Safari hangs.

---

This bug is a fork from Native Fennec bug 721006.
Severity: normal → S3

This test case hangs Nightly for about a minute, tab switching is prevented. Firefox 111 hangs for about 3 minutes then crashes, so it seems bug 1817184 and friends helped this case a lot. Chromium does not hang.

https://share.firefox.dev/3lIo2Du

Severity: S3 → --
Component: General → Layout: Text and Fonts
OS: macOS → Unspecified
Hardware: x86 → Unspecified

This is a legitimate bug, but not really a bug in text layout. Gecko is legitimately trying to lay out all of the text that the UI is giving us to lay out here, and it just takes a while to do that, when there's an absurd amount of text.

Really, we should have some sort of clamping on the number of characters we'll allow ourselves to put into a tab-title, as a DoS protection here, to keep pages from hanging/crashing the parent process like this. That probably should be done at the level of the tab-strip itself. It seems like Chrome does this, based on a testcase that I'll attach here shortly.

Component: Layout: Text and Fonts → Tabbed Browser
Product: Core → Firefox

Based on the attached testcase, it looks like Chrome caps the tab-title's displayed title at 4096 characters. If you choose e.g. 4095 and hit the button, then the tab title just shows "a" (i.e. it contains 4095 zero-width spaces, and then "abcde", and "bcde" gets truncated away).

Epiphany (WebKit on Linux) does a similar thing, but at a smaller threshold of 512, with an ellipsis. If I type in 510 in epiphany and hit "update title", they show "a..." in the tab title (i.e. they have space for 510 zero-width spaces, and then the "a" character, and then an ellipsis character, for a total of 512 characters).

The document.title API still reports the full title, though, as shown in the body of the page which still shows "abcde".

See attached screencast which compares Chrome to Epiphany to Firefox.

As shown in the screencast: Chrome truncates at 4096 characters, and epiphany truncates-with-an-added-ellipsis at 512 characters, whereas Firefox doesn't seem to ever truncate the title that's shown in the tab-title (which is why this can end up causing a hang or a crash in the parent process).
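The clamping described in the comments above, as an added illustration that is not Firefox, Chrome or Epiphany code: a title-strip function that cuts a page-supplied title at a fixed limit (hard cut at 4096 as observed for Chrome, or 512 including an ellipsis as observed for Epiphany) without splitting a surrogate pair, plus a constructed input mirroring the attached testcase (N zero-width spaces followed by "abcde") and a simulation of a title that doubles each round, showing the displayed length stays bounded while the real title balloons. The limits and helper names are assumptions taken from the observations on this page.

```javascript
// Added example (not browser code): clamp a page-supplied title before it
// reaches the tab strip, so an absurdly long document.title cannot make the
// parent process lay out megabytes of text. Limits are the ones observed on
// this page: Chrome 4096 (hard cut), Epiphany 512 including an ellipsis.
const CHROME_LIMIT = 4096;
const EPIPHANY_LIMIT = 512;
const ELLIPSIS = "\u2026";

// Truncate `title` to at most `maxChars` UTF-16 code units. When
// `withEllipsis` is true the ellipsis counts toward the limit. A trailing
// high surrogate is dropped so a pair is never split in half.
function clampTabTitle(title, maxChars, withEllipsis = false) {
  if (title.length <= maxChars) return title;
  let cut = withEllipsis ? maxChars - ELLIPSIS.length : maxChars;
  if (cut > 0 && /[\uD800-\uDBFF]/.test(title[cut - 1])) cut -= 1;
  return title.slice(0, cut) + (withEllipsis ? ELLIPSIS : "");
}

// Constructed input mirroring the attached testcase: N zero-width spaces
// followed by "abcde" (the user types N, then presses the button).
function testcaseTitle(zwspCount) {
  return "\u200B".repeat(zwspCount) + "abcde";
}

// Simulate the hang scenario: the title doubles every round. The clamp keeps
// the string handed to layout bounded by maxChars regardless of rounds.
function simulateDoubling(rounds, maxChars) {
  let title = "a";
  let displayed = title;
  for (let i = 0; i < rounds; i++) {
    title = title + title; // what the exponential testcase does to document.title
    displayed = clampTabTitle(title, maxChars);
  }
  return { fullLength: title.length, displayedLength: displayed.length };
}

// Reproduces the observations from the screencast: Chrome shows "a" after
// 4095 zero-width spaces; Epiphany shows "a" plus an ellipsis after 510.
console.log(clampTabTitle(testcaseTitle(4095), CHROME_LIMIT).endsWith("a"));
console.log(clampTabTitle(testcaseTitle(510), EPIPHANY_LIMIT, true).endsWith("a" + ELLIPSIS));
```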

Attachment #9334172 - Attachment description: screencast comparing Chrome vs. Epiphany (WebKit) vs. Firefox → screencast comparing Chrome vs. Epiphany (WebKit) vs. Firefox on the attached testcase (pay attention to the title shown on the tab in tabstrip, after the button is pressed)