[Crash] Allocating memory in JS beyond sandbox memory limit on Win64 causes sad tab
Reported by wscha...@gmail.com, Aug 10 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Steps to reproduce the problem:
1. Open a tab on Chrome Win64
2. Open Developer Tools
3. Execute in the console:
mem = []; for (var i = 0; i < 1024 * 4; i++) {mem.push(new ArrayBuffer(1024*1024))}
This will attempt to allocate 4 gigs worth of ArrayBuffer objects.
What is the expected behavior?
When a script attempts to allocate memory beyond the memory limit (somewhere just shy of 4 gigs, per https://cs.chromium.org/chromium/src/content/common/sandbox_win.cc?q=SetJobMemoryLimit&sq=package:chromium&dr=C&l=578), the allocation should fail, and an exception should be thrown.
What went wrong?
When a script running in a sandboxed process allocates memory beyond the limit, the tab crashes.
Even with logging enabled and --v3, nothing is printed to the debug log when this occurs. Running with --no-sandbox makes it so the issue cannot be observed, as tabs run with no sandbox and thus no memory limit.
Did this work before? No
Chrome version: 52.0.2743.116 Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 22.0 r0
From the Windows API docs: "If a process associated with a job attempts to increase its working set size or process priority from the limit established by the job, the function calls succeed but are silently ignored."
They're not clear about the outcome, but I believe this says that allocations that would increase the process working set beyond the limit will silently fail.
It's as though they know this is horrifying, so they provide a mechanism to set a memory threshold for the job - when the threshold is reached, a notification will be provided to the offending process.
Job limit docs: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684161(v=vs.85).aspx#job_limits_and_notifications
Job notification config object: https://msdn.microsoft.com/en-us/library/windows/desktop/hh448386%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Scope of work:
The sandbox code needs to be modified to set a notification limit on the job object - the notification limit should be some reasonable amount less than the hard limit, maybe 64 megs or so less. When the notification arrives, any operation originating from script code that would allocate additional memory should fail throwing an exception.
Ultimately, it would be nice to be able to set a higher limit via a flag or something. Limiting a process to 4 gigs is a decent default, but it's an arbitrary baked in limit. It seems like bad design, especially since it seems the same limit doesn't exist on other platforms.
Aug 10 2016
The gist is: I'd like the opportunity to fail gracefully and maybe do some logging when these kinds of OOMs are triggered on a client. Right now, there's no way whatsoever to handle this gracefully.
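As an added example (not code from the bug report or from Chromium), the allocation loop from the reproduction steps written the way comment 1 would like it to behave: each ArrayBuffer allocation is wrapped in try/catch, a RangeError ends the loop and is reported back to the caller instead of being assumed away, and the chunk size and count are parameters so the same function can be run with the report's 1 MiB x 4096 values or with small constructed values that run anywhere. The "oversize" case uses a deliberately invalid length (2**53, above the maximum any ArrayBuffer may have) to trigger V8's RangeError without actually allocating memory; that input is constructed for the example, not taken from the report.

```javascript
// Added example, not part of the bug report: the repro loop with graceful
// failure handling. On platforms where the engine raises RangeError when an
// ArrayBuffer cannot be allocated, this is the behaviour the reporter expects;
// the bug is that on Win64 the sandbox job memory limit kills the renderer
// before any exception can be observed or logged.
function allocateBuffers(chunkBytes, count) {
  const mem = [];
  let error = null;
  for (let i = 0; i < count; i++) {
    try {
      mem.push(new ArrayBuffer(chunkBytes));
    } catch (e) {
      // V8 reports a failed or oversized ArrayBuffer allocation as RangeError;
      // anything else is a programming error and is rethrown.
      if (!(e instanceof RangeError)) throw e;
      error = e;
      break;
    }
  }
  // Returning a result object (rather than printing) lets a caller log the
  // outcome and free `mem` instead of taking the whole tab down.
  return { allocated: mem.length, failed: error !== null, error };
}

// Parameters from the report: 1 MiB chunks, 4096 of them (= 4 GiB).
const REPORTED_CHUNK_BYTES = 1024 * 1024;
const REPORTED_COUNT = 1024 * 4;

// Runs the report's exact allocation pattern. Not invoked below, because on
// a machine without a 4 GiB limit it will simply consume 4 GiB of memory.
function reproFromReport() {
  return allocateBuffers(REPORTED_CHUNK_BYTES, REPORTED_COUNT);
}

function demo() {
  // Constructed small case: 4 x 1 KiB, expected to succeed everywhere.
  const small = allocateBuffers(1024, 4);
  // Constructed failing case: 2**53 bytes exceeds the maximum ArrayBuffer
  // length, so V8 throws RangeError before touching the allocator.
  const oversize = allocateBuffers(2 ** 53, 1);
  return { small, oversize };
}

const result = demo();
console.log(`small: allocated=${result.small.allocated} failed=${result.small.failed}`);
console.log(`oversize: allocated=${result.oversize.allocated} failed=${result.oversize.failed}` +
  (result.oversize.error ? ` (${result.oversize.error.message})` : ''));
```

Swapping the small constructed values for `reproFromReport()` gives the report's loop; on a platform where the limit surfaces as an exception, `failed` becomes true and `error.message` is available for logging, which is exactly what is impossible when the job object terminates the process instead.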
Aug 11 2016
Tested the issue on windows 7 using chrome version 52.0.2743.116 and canary 54.0.2826.1 with the below steps
1. Open devtools console
2. Execute
mem = []; for (var i = 0; i < 1024 * 4; i++) {mem.push(new ArrayBuffer(1024*1024))}
3. Tab crashed.
Able to reproduce the issue on Windows until M37 builds. Build 37.0.2035.0 and prior builds give the output "4096".
Please find the attached screenshot and confirm whether we should consider this good behaviour, to triage the issue further.
Thanks,
Aug 11 2016
Yes, the output should be "4096".
Aug 12 2016
Able to reproduce the issue on Windows 7 using 52.0.2743.116, latest canary 54.0.2827.0. This is a regression issue broken in M-37. Please find below bisect info:
Last good build: 37.0.2035.0
First bad build: 37.0.2036.0
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/dc6bf0f8f5918888df028af854e85338bbf38bb5..030ae792008743ff1fce17847e0b4277f883b140
From the above CL, suspecting below:
https://chromium.googlesource.com/chromium/src/+/8df046284280f3bde7da8e52e4b89216c1dc4e4d
jschuh@ Could you please look into this issue if it is related to your change, else feel free to assign it to an appropriate dev person.
Note: Unable to reproduce the issue on Mac 10.11.6, Ubuntu 14.04.
Aug 12 2016
Dec 7 2016
Crash is still seen with --enable-sandbox enabled when the below is run in the console on Windows 10.
mem = []; for (var i = 0; i < 1024 * 4; i++) {mem.push(new ArrayBuffer(1024*1024))}
Note: It's working fine on Mac 10.11.6 and Ubuntu 14.04.
Comment 1 by wscha...@gmail.com, Aug 10 2016