Opened 3 years ago

Last modified 8 months ago

#18090 reopened defect

Torcrazybutton eats all memory and crashes Tor Browser

Reported by: bugzilla
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-crash, tbb-performance-leaking, tbb-oom, tbb-torbutton
Cc: mcs
Actual Points:
Parent ID: #18047
Points:
Reviewer:
Sponsor:

Description

When playing an MP4 video not on whitelisted YouTube, 2 tabs with videos are opened (autoplay, because of NoScript's 'Temporarily allow' for the site only); one tab is closed by the user, switch to another, no response, memory is growing, crash...
The most suspicious component: NoScript (another string-handling bug?)
Continuing investigation...
Log:
Faulting application name: firefox.exe, version: 38.5.0.0, time stamp: 0x00000000
Faulting module name: mozalloc.dll, version: 38.5.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00001582
Faulting process id: 0xf64
Faulting application path: C:\%REMOVED%\Tor Browser\Browser\firefox.exe
Faulting module path: C:\%REMOVED%\Tor Browser\Browser\mozalloc.dll
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.256.1
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=0a9e
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=0a9e
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789

Change History (17)

comment:1 Changed 3 years ago by cypherpunks

Keywords: Windows added

comment:2 Changed 3 years ago by cypherpunks

Faulting module name: mozalloc.dll, version: 38.5.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00001582

mozalloc_abort(msg)
OOM.

comment:3 Changed 3 years ago by gk

Is this reproducible? Does it matter which videos I look at? Do you see it on 5.0.7 as well?

comment:4 Changed 3 years ago by cypherpunks

Keywords: OOM added

comment:5 Changed 3 years ago by bugzilla

Trying to reproduce... Didn't see on 5.0.7.

comment:6 Changed 3 years ago by bugzilla

Hmm, it's very hard to reproduce...

Last edited 2 years ago by bugzilla

comment:7 Changed 3 years ago by gk

Keywords: TorBrowserTeam201601 removed
Priority: Very High → Medium
Severity: Critical → Major

comment:8 Changed 3 years ago by bugzilla

Parent ID: #18047

comment:9 Changed 3 years ago by bugzilla

Oops, it did it again.
The main suspects are:

  1. JS on the page that doesn't like NoScript.
  2. When FF finishes downloading an embedded video, it does a lot of work and consumes a lot of memory. As Tor Browser disabled media.cache, it broke some functionality and, even worse, FF might be poorly tested with such settings...

Last edited 2 years ago by bugzilla

comment:10 Changed 3 years ago by bugzilla

Keywords: tbb-oom added; Windows OOM removed
Summary: Tor Browser 5.5a6 (High) eats all memory and crashes when playing video → Tor Browser eats all memory and crashes when playing video (probably, NoScript)

Yeah, it's most likely NoScript; now (6.0a3) even with this exception sometimes:
uncaught exception: NoScript aborted redirection to htt%ERASED% <unknown>

comment:11 Changed 2 years ago by bugzilla

Keywords: tbb-torbutton added
Summary: Tor Browser eats all memory and crashes when playing video (probably, NoScript) → Torcrazybutton eats all memory and crashes Tor Browser

The reason is:
Torbutton goes crazy and starts an endless loop of growing (more) and shrinking (less) by populating strings, thus creeping toward OOM. Incompatibility with site scripts?

742.03 MB (100.0%) -- explicit
├──618.03 MB (83.29%) -- window-objects
│  ├──546.97 MB (73.71%) -- top(chrome://browser/content/browser.xul, id=86)
│  │  ├──544.10 MB (73.33%) -- js-zone(0x14d2cba0)
│  │  │  ├──543.59 MB (73.26%) -- strings
│  │  │  │  ├──540.04 MB (72.78%) -- string(length=1048628, copies=540, "WCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:13/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:20/nWCF_reportPageError@chrome://torbutton/content/torbutton." (truncated))
│  │  │  │  │  ├──540.03 MB (72.78%) ── malloc-heap/latin1

comment:12 in reply to comment:11 Changed 2 years ago by cypherpunks

Replying to bugzilla:

WCF_reportPageError@chrome://torbutton/content/torbutton.js:3066:13/n

I don't know enough about XPCOM programming (or Javascript, for that matter), but this smells like unbounded recursion.

Looking at the code, it seems this could be happening since torbutton_console_observer.observe does not properly handle re-entrance. If more than one of those web-console-create notifications is delivered, a call to that com.ui.reportPageError thing will recurse forever.

See what I mean?
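The pattern comment 12 suspects, and the repeated WCF_reportPageError frames in the about:memory dump in comment 11, can be reproduced with a small stand-alone model. This is an added example, not torbutton's code and not from anyone in this thread: the console object, the observer, the `"[tb] "` prefix and the function names are all hypothetical stand-ins for the XPCOM observer described above. The buggy observer keeps one shared slot for the "original" method and re-reads it at call time, so a second web-console-create notification makes the first wrapper call itself until the stack is exhausted; the fixed observer installs once, captures the replaced function in its own closure, and carries a re-entrancy guard.

```javascript
// Added example, not torbutton's code: a hypothetical console observer that
// wraps reportPageError. The buggy variant keeps one shared slot for the
// "original" function; a second web-console-create notification makes the
// first wrapper call itself forever, giving the same repeated frame the
// about:memory dump shows.

// Constructed stand-in for the web console (hypothetical, not an XPCOM API).
// When `msg` ends with "!" the console re-enters reportPageError itself,
// which exercises the re-entrancy guard of the fixed observer.
function makeConsole() {
  return {
    errors: [],
    reportPageError(msg) {
      this.errors.push(msg);
      if (msg.endsWith("!")) this.reportPageError(msg.slice(0, -1));
      return this.errors.length;
    },
  };
}

// Buggy pattern: `origReport` is shared by every wrapper and re-read at call
// time. After the 2nd observe(), origReport === wrapper #1, so wrapper #1
// calls itself until the JS stack is exhausted.
function makeBuggyObserver(cons) {
  let origReport;
  let calls = 0;
  return {
    observe() {                                   // once per web-console-create
      origReport = cons.reportPageError;          // 2nd time: this is wrapper #1
      cons.reportPageError = function WCF_reportPageError(msg) {
        calls++;
        return origReport.call(cons, "[tb] " + msg);
      };
    },
    get calls() { return calls; },
  };
}

// Fixed pattern: install once, capture the replaced function in the wrapper's
// own closure, and refuse to re-wrap while a report is already in progress.
function makeFixedObserver(cons) {
  let installed = false;
  return {
    observe() {
      if (installed) return;                      // repeat notifications are no-ops
      installed = true;
      const origReport = cons.reportPageError;    // per-wrapper, never overwritten
      let inReport = false;
      cons.reportPageError = function WCF_reportPageError(msg) {
        if (inReport) return origReport.call(cons, msg);   // re-entrancy guard
        inReport = true;
        try { return origReport.call(cons, "[tb] " + msg); }
        finally { inReport = false; }
      };
    },
  };
}

// Deliver `installs` notifications, then report one page error. A stack
// overflow (RangeError in Node and SpiderMonkey) is the recursion symptom here;
// in the browser the growing stack strings are what creep toward OOM.
function runScenario(makeObserver, installs, msg = "page error") {
  const cons = makeConsole();
  const obs = makeObserver(cons);
  for (let i = 0; i < installs; i++) obs.observe();
  try {
    cons.reportPageError(msg);
    return { blewStack: false, logged: cons.errors, calls: obs.calls };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;      // anything else is a real bug
    return { blewStack: true, logged: cons.errors, calls: obs.calls };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, mk] of [["buggy", makeBuggyObserver], ["fixed", makeFixedObserver]]) {
    console.log(name, "x1", runScenario(mk, 1));
    console.log(name, "x2", runScenario(mk, 2));
    console.log(name, "nested", runScenario(mk, 1, "nested!"));
  }
}
```

With one notification both observers behave identically; with two, the buggy one never reaches the real reportPageError at all (the log stays empty) and overflows the stack, while the fixed one logs exactly once. The "nested!" case shows the second defence: without the guard a console that re-enters reportPageError gets its message prefixed twice.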

comment:13 Changed 2 years ago by mcs

Cc: mcs added

comment:14 Changed 2 years ago by gk

Resolution: duplicate
Status: new → closed

This should be fixed by #19273. Marking this one therefore as a duplicate of it.

comment:15 Changed 2 years ago by bugzilla

It's no longer reproducible after switching to ff45esr. #19273 should be fixed (not closed as fixed).

comment:16 Changed 19 months ago by bugzilla

Resolution: duplicate
Status: closed → reopened

Unfortunately, this bug is not fixed :(. Torbutton was affected by some underlying problem and made it easier to trigger and faster to go to OOM. Now, to trigger the "unbound recursion" (?) you need, for example, to supply a constant stream of tiny icons/images on a webpage and see when the process becomes self-sustaining without it; FF will continue to do something by overloading memory throughput, but growing in size very slowly (hours before OOM).

comment:17 in reply to comment:16 Changed 8 months ago by cypherpunks

Replying to bugzilla:

"unbound recursion" (?), and FF will continue to do something by overloading memory throughput, but very slowly growing in size (hours before OOM).

or CPU and memory now, in the firefox.exe+0x14c0 thread of a child process, with a stack full of xul.dll!ZN7mozilla6scache10PathifyURIEP6nsIURIR19nsACString_internal+0x60xxxxxx calls (more than a hundred of them deep). (Check with JS opts off, of course.)

Last edited 8 months ago by cypherpunks