
Issue 740873


Issue metadata

Status: Fixed
Closed: Jul 2017
OS: Windows
Pri: 2
Type: Bug




Specific value in input field causes OOM after submitting form

Reported by lysio...@gmail.com, Jul 11 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Open form-crash.html
2. Click Send button

What is the expected behavior?
No crash

What went wrong?
Crash

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 26.0 r0

1. If you delete the " (at the beginning) from the value of the hidden input, then no crash can be observed.
2. If you shorten the string in the value of the hidden input, there is no crash either, but take a look in Task Manager: something is allocating a lot of memory (~1.5 GB).
 
Attachments:
form-crash.html (2.9 MB)
form-crash-1.png (38.1 KB)
form-crash-2.png (42.2 KB)
Cc: pbomm...@chromium.org
Labels: M-60 Needs-Bisect M-59
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue with the latest and previous stable Chrome (57.0.2987.133, 58.0.3029.110, 59.0.3071.115) and Beta (60.0.3112.50) on Windows 7 and 10. Unable to get the crash IDs for these crashes.

Note: The crash isn't observed on Mac and Linux with Stable and Beta.
Cc: rbasuvula@chromium.org
Components: UI>Browser
Labels: -Needs-Bisect -M-59 -M-60 hasbisect-per-revision M-61
Owner: tasak@chromium.org
Status: Assigned (was: Untriaged)
Tested in Chrome stable 59.0.3071.115 and canary 61.0.3155.0 on Win 10 and 7; able to reproduce the issue.
Below are the Bisect Details:

Bisect Info:
=============
Good Build: 49.0.2599.0(Revision - 366505)
Bad Build: 49.0.2601.0 (Revision - 366761)

Bisect URL:
=========== 
You are probably looking for a change made after 366565 (known good), but no later than 366573 (first known bad).
CHANGELOG URL:
https://chromium.googlesource.com/chromium/src/+log/887f04e9a63dbb81c2abe9eeb4ce780dad92c3ac..ba587a918ca859045437211ebca414e08f61320b

From the CL above, assigning the issue to the concerned owner.

@tasak: Could you please look into the issue? Pardon me if it has nothing to do with your changes; if possible, please assign it to the concerned owner.

Review-Url: https://codereview.chromium.org/1521923002
Note: Issue not observed on Mac and Linux.

Comment 3 by tasak@google.com, Jul 13 2017

Owner: tasak@google.com

Comment 4 by tasak@google.com, Jul 13 2017

Cc: tasak@google.com
Owner: tsepez@chromium.org
I finished investigating this issue.
I think the OOM is caused by XSSAuditor's SuffixTree.

Looking at form-crash.html, 
- the given text size is 2,943,239 (decoded_http_body_.length()=2943239).
- 2,910,047 SuffixTree<ASCIICodebook>::Node (O(text length) nodes) are created.
- ~3GB memory allocation occurs, because sizeof(Node) * 2,910,047 is 3,049,729,256 (~3GB).
- OOM... if machines don't have enough memory.

tsepez@, would you take a look at this issue?

Comment 5 by tsepez@chromium.org, Jul 13 2017

Owner: ----
SuffixTree.h defines
   typedef Vector<Node*, Codebook::kCodeSize> ChildrenVector;

and each node holds a pre-allocated vector of this size, regardless of whether it needs it. We should investigate whether we really want this.

Comment 6 by tsepez@chromium.org, Jul 13 2017

Owner: tsepez@chromium.org

Comment 7 by tsepez@chromium.org, Jul 13 2017

Owner: dcheng@chromium.org
dcheng, you did some resize work with WTF vectors some time ago, so you might enjoy taking a stab at this? If not, bounce it back and I'll see what I can do.

Comment 8 by tsepez@chromium.org, Jul 13 2017

Cc: dcheng@chromium.org
Owner: tsepez@chromium.org
NM, it's not a quirk of WTF::Vector; rather, a better kind of map is needed.
Cc: sandeepkumars@chromium.org
Issue 742308 has been merged into this issue.

Comment 10 by bugdroid1@chromium.org, Jul 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6ca590e1c7edaa7c56cac9e3e3c39cf398ca8d4d

commit 6ca590e1c7edaa7c56cac9e3e3c39cf398ca8d4d
Author: Tom Sepez <tsepez@chromium.org>
Date: Fri Jul 14 20:03:51 2017

Reduce memory usage in SuffixTree.h

Convert fixed array of pointers to a flat map. Previously, we
were requiring a direct-mapped array of 128 pointers per byte of
input string.

Add a small unit test for SuffixTree.

Bug: 740873
Change-Id: I03836f5f9f893861bec3076fafaffd7c4e3e04eb
Reviewed-on: https://chromium-review.googlesource.com/571193
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486859}
[modify] https://crrev.com/6ca590e1c7edaa7c56cac9e3e3c39cf398ca8d4d/third_party/WebKit/Source/platform/BUILD.gn
[modify] https://crrev.com/6ca590e1c7edaa7c56cac9e3e3c39cf398ca8d4d/third_party/WebKit/Source/platform/text/SuffixTree.h
[add] https://crrev.com/6ca590e1c7edaa7c56cac9e3e3c39cf398ca8d4d/third_party/WebKit/Source/platform/text/SuffixTreeTest.cpp

Status: Fixed (was: Assigned)
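The per-node cost tasak@ measured in comment 4 and the flat-map fix in the commit above, as an added example that is not Chromium or Blink code: a depth-limited suffix trie in the spirit of SuffixTree.h, built once with the old direct-mapped child table (kCodeSize pointers in every node) and once with a sorted flat map, over constructed input. The depth of 5, the 7-bit code function, the node and pool layout, the byte accounting and all names are assumptions made for this example; only the 128-entry ASCII codebook and the "pointer table per node" shape come from the thread.

```cpp
// Added example, not Chromium/Blink code: a depth-limited suffix trie in the
// spirit of platform/text/SuffixTree.h, built with two child-table layouts so
// the per-node cost discussed in this bug can be measured directly.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace suffix_demo {

constexpr std::size_t kCodeSize = 128;  // ASCII codebook: one slot per 7-bit code
constexpr unsigned kDepth = 5;          // assumed depth; the page does not state the auditor's value

// "Before": a direct-mapped table of kCodeSize pointers in every node,
// whether or not the node has any children (~1 KiB per node on 64-bit).
struct FixedNode {
  std::array<FixedNode*, kCodeSize> slots{};
  FixedNode* child(unsigned char c) const { return slots[c]; }
  void link(unsigned char c, FixedNode* n) { slots[c] = n; }
  std::size_t bytes() const { return sizeof(*this); }
};

// "After": a flat map, i.e. a small vector of (code, child) pairs kept sorted
// so lookup is a binary search; it only pays for children that exist.
struct FlatNode {
  using Entry = std::pair<unsigned char, FlatNode*>;
  std::vector<Entry> kids;
  std::vector<Entry>::const_iterator pos(unsigned char c) const {
    return std::lower_bound(kids.begin(), kids.end(), c,
                            [](const Entry& e, unsigned char k) { return e.first < k; });
  }
  FlatNode* child(unsigned char c) const {
    auto it = pos(c);
    return (it != kids.end() && it->first == c) ? it->second : nullptr;
  }
  void link(unsigned char c, FlatNode* n) { kids.insert(pos(c), Entry{c, n}); }
  std::size_t bytes() const { return sizeof(*this) + kids.capacity() * sizeof(Entry); }
};

template <typename Node>
class SuffixTrie {
 public:
  explicit SuffixTrie(const std::string& text, unsigned depth = kDepth)
      : depth_(depth), root_(make()) {
    // Insert every suffix text[i..), truncated to `depth` code words.
    for (std::size_t i = 0; i < text.size(); ++i) {
      Node* cur = root_;
      for (std::size_t j = i; j < text.size() && j - i < depth_; ++j) {
        Node* next = cur->child(code(text[j]));
        if (!next) { next = make(); cur->link(code(text[j]), next); }
        cur = next;
      }
    }
  }
  // Conservative membership test: false means the query is definitely not a
  // substring; true means only that its first `depth` code words occur somewhere.
  bool mightContain(const std::string& q) const {
    Node* cur = root_;
    std::size_t limit = std::min<std::size_t>(depth_, q.size());
    for (std::size_t i = 0; i < limit; ++i) {
      cur = cur->child(code(q[i]));
      if (!cur) return false;
    }
    return true;
  }
  std::size_t nodeCount() const { return pool_.size(); }
  // Node payload only; the owning pool is identical for both layouts.
  std::size_t approxBytes() const {
    std::size_t total = 0;
    for (const auto& n : pool_) total += n->bytes();
    return total;
  }
 private:
  // Assumption: non-ASCII bytes are folded into the 7-bit codebook.
  static unsigned char code(char ch) { return static_cast<unsigned char>(ch) & 0x7f; }
  Node* make() { pool_.push_back(std::make_unique<Node>()); return pool_.back().get(); }
  std::vector<std::unique_ptr<Node>> pool_;  // owns every node
  unsigned depth_;
  Node* root_;
};

struct Report { std::size_t nodes, fixedBytes, flatBytes; };

// Builds both layouts over the same text; the trie shape (and so the node
// count) is identical, only the child-table representation differs.
Report compare(const std::string& text) {
  SuffixTrie<FixedNode> fixed(text);
  SuffixTrie<FlatNode> flat(text);
  return Report{fixed.nodeCount(), fixed.approxBytes(), flat.approxBytes()};
}

// Constructed input: deterministic pseudo-random printable ASCII, so nearly
// every 5-gram is distinct and node count grows with length, as with the
// reporter's 2.9 MB form value (which is not reproduced here).
std::string demoText(std::size_t n) {
  std::string s(n, ' ');
  std::uint32_t x = 0x2545F491u;
  for (std::size_t i = 0; i < n; ++i) {
    x = x * 1664525u + 1013904223u;                   // LCG step
    s[i] = static_cast<char>(' ' + (x >> 24) % 95);   // printable 0x20..0x7e
  }
  return s;
}

}  // namespace suffix_demo

int main() {
  suffix_demo::Report r = suffix_demo::compare(suffix_demo::demoText(10000));
  std::cout << "nodes=" << r.nodes << " fixed~" << r.fixedBytes / 1024
            << " KiB flat~" << r.flatBytes / 1024 << " KiB\n";
  return 0;
}
```

With a 128-slot table the per-node cost is fixed at 128 pointers no matter how many children a node has, so total memory tracks the node count (roughly the input length times the depth) at about 1 KiB each, which is the 3 GB figure in comment 4 for a 2.9 MB body. The flat map pays only for children that exist; deep nodes in a trie of varied input typically have one child or none.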
