big HTML files slow down Firefox, gzipping them freezes it

Status: NEW
Product: Core
Component: HTML: Parser
Severity: critical
Keywords: crash
Version: Trunk
Reporter: Tobias "ToBeFree" Frei
Assigned to: hsivonen
Whiteboard: DUPEME, crash signature, URL
Opened 5 years ago, last updated 3 years ago

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)

Steps to reproduce:

I noticed that creating a big HTML text page (I tried ~60MB) and serving it to Firefox considerably slows it down; serving it via gzip even freezes it for some time. Is there any limit or could I actually create a 6GB page which can be served via gzip in some seconds, and would that thing actually be uncompressed?

Here's the page I've created; it is currently not being served via gzip - I disabled gzip because I had some issues with Varnish and files which were gzipped already.
http://freiwuppertal.de/biggzip-creation.html

However, even without gzip, I notice the effect, and I'm not really using a bad computer.

Another interesting idea might be using that page as an iframe multiple times... on a page which is full of iframes and ~60MB big itself, it would be deadly, I assume, and one could iframe that one again... hell.

It is somewhat similar to pdf.js's performance issues when opening this PDF:
http://www.stack.nl/~jilles/irc/charybdis-oper-guide/charybdis-oper-guide.pdf
(have a look at the table of contents)

By the way, serving a 6GB html file gzipped does not require 6GB space on the server because the gzipped page could be stored in .gz format, ready to be served 1:1... which reminds me of http://www.unforgettable.dk/ - it would basically be a zipbomb.


Actual results:

Firefox slowed down/froze, see above / try yourself. I didn't try bigger files, however.


Expected results:

I am unsure if/how this could be prevented. Maybe Firefox should not unzip gzipped content if it is too big (or at least show a warning message), and maybe it should not download HTML pages if they are bigger than a value which can be specified in the preferences, unless those pages are on an exception list.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0
buildID: 20130718163513

I notice a little delay in Firefox loading the HTML page (the PDF works fine for me), even if Firefox doesn't freeze. Testing with Chrome, I don't see any delay; I can switch between tabs and open menus normally.
(Reporter)

Comment 2

5 years ago
Okay, I enabled gzip just for html files on that domain to make the problem more obvious. Try again, please. :-)
(Reporter)

Comment 3

5 years ago
Curiously, I created a 67MB page containing 1.000.000 iframes of biggzip-creation.html; the result is devastating. It kills Firefox, and even if you manage to close the page (Ctrl+W might be a lifesaver here), it might result in an unusable browser. Maybe it even kills your whole operating system if you don't close it quickly enough: it eats all RAM your computer has.

Do NOT open the following page unless you want to kill your browser and possibly your OS to see that this is an actual way to exploit Firefox's gzip function.

To get the link to the file, enter "freiwuppertal.de/" in your URL bar, then append the following:
"gzip-exploit-dangerous-donotopen-kills-your-browser-1928374655577394242.html"

Please be careful when opening that file. Really. NoScript won't protect you this time. Save open files and documents, don't open it just for fun. Use it at your own risk.
Tobias, I can reproduce this in Firefox.

I've put it in Core/General; I'm not really sure of this component!
Component: Untriaged → General
OS: Linux → All
Product: Firefox → Core

Comment 5

5 years ago
I got an OOM crash while testing this URL: https://crash-stats.mozilla.com/report/index/46e2c497-4bbd-457e-a014-ac2482130720

Comment 6

5 years ago
I can also reproduce with the URL in comment 5.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHtml5TreeBuilder::characters(wchar_t const*, int, int) ]
Component: General → HTML: Parser
Ever confirmed: true
Keywords: crash
Hardware: x86_64 → All
Version: 23 Branch → Trunk
(Assignee)

Comment 7

5 years ago
Hmm. The HTML parser itself should already be protected against ill effects from a situation like this. I suspect there are two bugs elsewhere: one in the networking layer below the parser and another in DOM or layout above the parser.

Needs further investigation.
(Assignee)

Comment 8

5 years ago
Ah, except comment 5 shows a case where the HTML parser itself is not protected against gigantic text nodes (or attributes).
FWIW, against today's Debug Nightly in the end the console endlessly prints

WARNING: Overflowed nscoord_MAX in conversion to nscoord height: file e:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\obj-firefox\dist\include\nsRect.h, line 95
WARNING: Overflowed nscoord_MAX in conversion to nscoord height: file e:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\obj-firefox\dist\include\nsRect.h, line 95

and doesn't crash.
(Reporter)

Comment 10

5 years ago
I tried it again, this time with the current nightly build, and it still crashes my whole operating system. First it starts consuming memory until the 8GB are reached, then it hits the swap partition and... game over.

Not fixed yet.


It is currently possible to crash Firefox (and maybe the whole OS on some systems) simply by creating a webpage like that, or even simpler, by embedding the linked website on any other website. In my opinion, it's a quite critical bug which is probably not easy to fix. Maybe it isn't going to be fixed at all, but the current situation is scary in my opinion.

Comment 11

4 years ago
Total crash with a lot of Facebook tabs

https://crash-stats.mozilla.com/report/index/28554c2b-583c-448f-9954-b53982140102







It's important that you fix Firefox behaviour with Facebook (photo album, big photos, fullscreen).
Total crash, no hang.
Thanks.

Updated

4 years ago
Duplicate of this bug: 956018

Comment 13

4 years ago
Why is this big issue assigned to Nobody?
(Assignee)

Comment 14

4 years ago
(In reply to banakon from comment #13)
> Why is this big issue assigned to Nobody?

Mainly because fixing this is non-trivial and I don't expect to get to it soon.
Assignee: nobody → hsivonen

Comment 15

4 years ago
This means that Firefox is and will be unable to handle Facebook photo albums in more tabs.
FF usage is endangered. First the critical crash, then the development of Australis ;)
(Assignee)

Updated

4 years ago
Depends on: 960519
(Assignee)

Comment 16

4 years ago
Oops wrong crash.
No longer depends on: 960519

Updated

3 years ago
Crash Signature: [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHtml5TreeBuilder::characters(wchar_t const*, int, int) ] → [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHtml5TreeBuilder::characters(wchar_t const*, int, int) ] [@ mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuilder::characters ]
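
The mitigation suggested in the description (stop inflating gzipped content once it gets too big) can be sketched as a streaming inflater that checks an absolute output cap and a compression-ratio cap while it decompresses. This is an added example, not Firefox code and not part of the bug thread; the names `bounded_gunzip` and `DecompressionLimitExceeded` and all limit values are assumptions chosen for illustration.

```python
import zlib

class DecompressionLimitExceeded(Exception):
    """args = (reason, bytes_produced, bytes_consumed); reason is "size" or "ratio"."""

def bounded_gunzip(chunks, max_output=64 << 20, max_ratio=200,
                   ratio_floor=1 << 20, step=64 << 10):
    """Inflate an iterable of gzip-compressed byte chunks under hard limits.

    All limit values are illustrative assumptions, not Firefox settings.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16 + 15: expect gzip framing
    consumed = produced = 0
    out = bytearray()

    def account(piece):
        nonlocal produced
        produced += len(piece)
        if produced > max_output:
            raise DecompressionLimitExceeded("size", produced, consumed)
        # Small, repetitive pages legitimately compress very well, so the
        # ratio test only applies once a meaningful amount has been inflated.
        if produced > ratio_floor and produced > max_ratio * consumed:
            raise DecompressionLimitExceeded("ratio", produced, consumed)
        out.extend(piece)

    for chunk in chunks:
        consumed += len(chunk)
        data = chunk
        while data and not inflater.eof:
            # max_length caps how much one call may inflate, so the limits are
            # checked every `step` bytes instead of after the whole body.
            account(inflater.decompress(data, step))
            data = inflater.unconsumed_tail
    account(inflater.flush())
    return bytes(out)
```

The caller decides what to do when the exception is raised, for example discarding the partial body or asking the user before continuing.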