Issue metadata
history.pushState can be used to make Chrome use up all the system's memory until Windows crashes
Reported by runem...@gmail.com, Jul 13 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.60 Safari/537.36
Steps to reproduce the problem:
1. Run the following line in the Chrome developer tools console: while(true) { history.pushState(0, "X"); }
2. Watch as system memory grows infinitely until Windows crashes.
What is the expected behavior?
What went wrong?
The chrome.exe process uses up memory until the system runs out of memory.
Did this work before? N/A
Chrome version: 52.0.2743.60 Channel: beta
OS Version: 6.3
Flash Version: Shockwave Flash 22.0 r0
This bug is used on http://security-scan3.tk/chrm/index2.html
Jul 13 2016
Jul 13 2016
Something such as "var arr = []; while(true) { arr.push(0); }" will not cause Chrome to crash. Only the tab will fail to load and show the "Aw, snap!" message (once it reaches about 1.5 GB).
Shouldn't the same thing happen when the cause of the high memory usage is history.pushState instead of an array that's growing infinitely large?
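The contrast drawn above is between memory that grows inside the renderer (an array, capped by the per-tab "Aw, snap!" limit) and memory that grows in the browser process (one session-history entry per pushState call, with no cap at the time of this report). The following is an added example, not code from this issue and not Chromium's fix: a page-side guard that rate-limits history.pushState and history.replaceState with a sliding window, so a runaway loop like the one in the report is stopped by a thrown error instead of flooding the browser process. The function name makeHistoryGuard, the limits, and the stand-in history object are this example's own assumptions; a guard like this only protects the page that installs it (for instance a test harness or an extension content script), and the durable fix has to live in the browser process.

```javascript
// Added example, not Chromium code and not the fix for this issue.
// Wraps history.pushState/replaceState with a sliding-window rate limit
// so an unbounded loop is cut off after maxCalls calls per windowMs.
// Names, limits and the fake history object are assumptions of this example.

function makeHistoryGuard(historyObj, options) {
  const opts = Object.assign(
    { maxCalls: 100, windowMs: 10000, now: () => Date.now() },
    options || {}
  );
  const timestamps = []; // call times inside the current window, oldest first
  const stats = { allowed: 0, blocked: 0 };

  // Admit a call if fewer than maxCalls have been made in the last windowMs.
  function admit() {
    const t = opts.now();
    while (timestamps.length && t - timestamps[0] >= opts.windowMs) {
      timestamps.shift(); // aged out of the window
    }
    if (timestamps.length >= opts.maxCalls) {
      stats.blocked++;
      return false;
    }
    timestamps.push(t);
    stats.allowed++;
    return true;
  }

  // Bind the original method before install() overwrites it on historyObj.
  function wrap(method) {
    const original = historyObj[method].bind(historyObj);
    return function guarded(state, title, url) {
      if (!admit()) {
        throw new Error(
          `history.${method} blocked: more than ${opts.maxCalls} calls in ${opts.windowMs} ms`
        );
      }
      return original(state, title, url);
    };
  }

  return {
    pushState: wrap("pushState"),
    replaceState: wrap("replaceState"),
    stats,
    install() {
      historyObj.pushState = this.pushState;
      historyObj.replaceState = this.replaceState;
    },
  };
}

// Runs the loop from the report against a constructed stand-in for `history`
// with a fake clock, so the demo is deterministic and runs under Node.
function demo() {
  let clock = 0;
  const entries = []; // stands in for the browser's session-history list
  const fakeHistory = {
    pushState(state, title, url) { entries.push({ state, title, url }); },
    replaceState(state, title, url) { entries[entries.length - 1] = { state, title, url }; },
  };
  const guard = makeHistoryGuard(fakeHistory, { maxCalls: 50, windowMs: 1000, now: () => clock });
  guard.install();

  let thrown = null;
  try {
    while (true) { fakeHistory.pushState(0, "X"); } // the loop from the report
  } catch (e) { thrown = e; }

  const afterBurst = entries.length; // 50 entries, then the 51st call threw
  clock += 1000;                     // the window expires
  fakeHistory.pushState(1, "Y");     // admitted again
  return { afterBurst, thrown: thrown !== null, afterWait: entries.length, stats: guard.stats };
}
```

Against a real `window.history` the guard is installed the same way, `makeHistoryGuard(window.history).install()`, and the blocked call surfaces as an exception in the console rather than as another entry in the browser process.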
Aug 3 2016
Aug 10 2016
Aug 10 2016
Aug 10 2016
This has already been discussed in issue 394296. I don't think we have any systems for preventing IPC DoS or memory exhaustion in the browser process, though kinuko@ was looking into something related there (comment 21).
Comment 1 by ta...@google.com, Jul 13 2016