Loading large file via XMLHTTPRequest crashes entire browser
Reported by
pmawhor...@gmail.com,
Dec 8 2017
|
|||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Steps to reproduce the problem: 1. Create an XMLHTTPRequest pointed at a local file of at least moderate size (in my case ~200MB). 2. Call the request's send() method. 3. Browser crashes (not just the tab) What is the expected behavior? XMLHTTPRequest onerror should trigger if there's a memory issue, per https://bugs.chromium.org/p/chromium/issues/detail?id=599028 What went wrong? Entire browser crashes (signal 6). Trace via --debug looks like this, and seems like it points to where to fix this (node_channel.cc line 915): [0] /home/pmawhorter > chromium --debug --allow-file-access-from-files 2>&1 | tee ~/tmp/gdb-chromium.txt ATTENTION: default value of option force_s3tc_enable overridden by environment. [14242:14272:1208/151304.563755:FATAL:node_channel.cc(915)] Check failed: message->data_num_bytes() < GetConfiguration().max_message_num_bytes. #0 0x561b871eede7 <unknown> Received signal 6 #0 0x561b871eede7 <unknown> r8: 0000000000000000 r9: 00007f34bf320630 r10: 0000000000000008 r11: 0000000000000246 r12: 00007f34d8d806c0 r13: 00007f34bf320d48 r14: 0000000000000090 r15: 00007f34bf320d40 di: 0000000000000002 si: 00007f34bf320630 bp: 000035faf39f9000 bx: 0000000000000006 dx: 0000000000000000 ax: 0000000000000000 cx: 00007f34d84608a0 sp: 00007f34bf320630 ip: 00007f34d84608a0 efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000 [end of stack trace] Calling _exit(1). Core file will not be generated. Did this work before? N/A Chrome version: 62.0.3202.94 Channel: n/a OS Version: 4.14.3-1-ARCH Flash Version:
,
Dec 9 2017
I agree it should definitely NOT be possible to crash the BROWSER process like this. A Thanks for the report! It sounds like we're hitting a max-size check in mojo at https://cs.chromium.org/chromium/src/mojo/edk/system/node_channel.cc?type=cs&q=%22message-%3Edata_num_bytes()+%3C+GetConfiguration().max_message_num_bytes%22&sq=package:chromium&l=895, so this is likely a new problem (the previous crashes don't sound like browser crashes). At a minimum we should be doing the same check in the renderer and gracefully failing the XHR. Better, of course, is to remove the restriction (eg. by chunking the data or using shared memory or whatever). tyoshino WDYT?
,
Dec 9 2017
Yeah, my guess might be the difference from previous bugs is my os/arch, and the behavior that crashes their tabs crashes my browser instead. Since I'm on Arch Linux, it's possible that this doesn't even affect say, Ubuntu, in which case it might not be high-priority, but should still be in the system :)
,
Dec 12 2017
,
Dec 14 2017
I failed to reproduce the issue (I used a 500MB file). pmawhorter@, can you share your script? You don't have to upload the big file unless the issue depends on the file content.
,
Dec 14 2017
,
Dec 14 2017
Here's a version (you'll have to modify big_file_url) that (tries to) load the file 10000 times. For me this reproducibly crashes an individual window "Oh Snap" when loaded in a freshly-opened browser without any other pages active. If I've got gmail open in another tab, it crashes the whole browser instead. Must be a process-wide limit being hit somewhere? Just loading a single file in an otherwise idle browser didn't do it for me, as you confirmed, so it's likely not dependent on the individual file size.
,
Dec 14 2017
Thank you for providing more feedback. Adding requester "yhirano@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 14 2017
Note: The syncrhonous setting on the XHR in that last example shouldn't be necessary; I added that because my original code had it and I thought that that alone might make the difference but it didn't (yes, I know my code shouldn't be using synchronous XHR in the first place :P).
,
Jan 12 2018
I suspect it's the string conversion causing the OOM. Assigning to myself to confirm later.
,
Jan 12 2018
#7 This tries to allocate 200M * 10000 = 2TB of memory, which isn't going to work unless your computer is a lot better than mine. Usually the render process crashes with an out-of-memory error, but sometimes the OS will run out of memory and kill another process instead. If I remove the "mem" array then it doesn't run out of memory, and nothing crashes. If I leave devtools open then it does run out of memory as devtools causes the responses to be retained in memory.
,
Jan 12 2018
That makes sense, and I understand there may not be a reliable way of catching these memory errors and reporting them as exceptions within JS. The note about devtools may have been the root of my initial problems then, because I certainly wasn't loading enough in a single run of the page to use up my computer's memory, but I *was* debugging at the time, so I may have had the devtools open through multiple iterations of the page loading? I don't have time right now but I'll try to reproduce without using up OS memory, since I think I recall triggering the browser crash by having something like gmail + youtube open and then trying to load just a single ~200MB file.
,
Jan 15 2018
,
Mar 27 2018
Marking as WontFix due to inactivity. |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by pmawhor...@gmail.com
, Dec 8 2017