Crash when trying to evaluate let/const variable property in dev tools before the variable is initialized
Reported by
max.kore...@gmail.com,
Apr 21 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36

Steps to reproduce the problem:
1. Consider the following code: https://jsfiddle.net/tyqv1e0f/
2. Open dev tools, click "Run" and hit the "debugger;"
3. type bar.baz (bar.anything) in console and hit enter OR try to evaluate it in any other ways (tooltip on "bar.baz", adding a watch etc.)

What is the expected behavior?
ReferenceError: ... is not defined

What went wrong?
The tab crashes

Crashed report ID: 0cabc59200000000
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 50.0.2661.75 Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 21.0 r0

Chrome 49, Opera 36.0.2130.65 are crashing also, seems like a chromium-based issue
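The expected behaviour named in the report, as an added example (not the jsfiddle code, which this page does not show, and not V8's regression test): direct `eval` stands in for a console or watch expression evaluated while paused, and every name except the `bar.baz` expression is made up for the illustration. It goes beyond the report's let/const case to cover `class`, `var` and a shadowing inner block.

```javascript
// Added illustration: not the jsfiddle code and not V8's regression test.
// Direct eval stands in for a console/watch expression evaluated at a pause.
function evaluateAt(thunk) {
  try {
    return { threw: null, value: thunk() };
  } catch (e) {
    return { threw: e.name, value: undefined };
  }
}

function tdzCases() {
  const results = {};

  (function () {
    // `bar` exists in this scope but is uninitialized until the `let` runs.
    results.letBefore = evaluateAt(() => eval("bar.baz"));
    let bar = { baz: 1 };
    results.letAfter = evaluateAt(() => eval("bar.baz"));
  })();

  (function () {
    results.constBefore = evaluateAt(() => eval("bar.baz"));
    const bar = { baz: 1 };
  })();

  (function () {
    results.classBefore = evaluateAt(() => eval("Bar.name"));
    class Bar {}
  })();

  (function () {
    // `var` is hoisted and initialized to undefined, so there is no TDZ.
    results.varBefore = evaluateAt(() => eval("bar.baz"));
    var bar = { baz: 1 };
  })();

  (function () {
    let bar = { baz: "outer" };
    {
      // The inner declaration shadows the outer one for the whole block.
      results.shadowed = evaluateAt(() => eval("bar.baz"));
      let bar = { baz: "inner" };
    }
  })();

  return results;
}

console.log(tdzCases());
```

An evaluator that reads the binding's slot without checking for the uninitialized state has no object to read `baz` from, which is why the property access is the case that matters.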
,
Apr 21 2016
Yes. Try evaluating not the variable itself, but its property. Reproduced with 50.0.2661.75 and 50.0.2661.87 (extensions off). Also Opera 36.0.2130.65 (clean install).
,
Apr 22 2016
Issue looks similar to earlier reported crash based on stack trace comparison "523912". Hence merging the issue. Thank you!
,
Apr 25 2016
max.korenko, thanks for the report. I'm able to repro with 50.0.2661.86. Cannot repro with 51.0.2704.22/Beta.

ashejole, please don't dupe reports with repro instructions into tracker bugs that are marked WontFix. Doing so just loses valuable information, because this report is actionable, whereas 523912 is not actionable and hence will not get looked at.

It would be very helpful if someone could bisect this to find out when it got fixed (presumably somewhere between the M50 branch point and the M51 branch point), so we know what we have to backmerge.
,
Apr 26 2016
@jkummerow: Thanks for the suggestion, I will follow the same while triaging actionable crash issue.

The above issue is reproducible on All-OS (Windows (10 & 7), Mac 10.11.4 & Ubuntu 14.04) with chrome versions : 50.0.2661.87/86(Stable) with the steps provided in original bug. This issue is fixed in 51.0.2704.22(Beta) & 52.0.2717.0(Canary).

Below is the reverse bisect info
==================
Last known Bad build: 51.0.2695.0
First known Good build: 51.0.2696.0

Narrow bisect
=============
You are probably looking for a change made after 384306 (known bad), but no later than 384321 (first known good).
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/4b8cfeaa7bb2abd743076eb419944c845f2b98f5..611d653b4395bc225864e070985f1d442dc347d6

From the narrow bisect, I am suggesting CL from v8: https://chromium.googlesource.com/v8/v8/+/297daf6c37d6e4145e8aaec12ccc9762ac180850, might have fixed the issue ?

@yangguo: Hey, can you please check the above issue and see if your CL has fixed the above issue in Beta & Dev ? If so, request you to merge the above issue to M50 if required. Marking the above issue as RB-Stable, feel free to remove if not required. Feel free to route the above issue to concern dev, if your CL has not fixed the above issue. I really appreciate your help. Thank you!
,
Apr 26 2016
This is indeed very likely to be fixed by https://chromium.googlesource.com/v8/v8/+/297daf6c37d6e4145e8aaec12ccc9762ac180850

This is a major rework of debug-evaluate. I don't think it should be merged back. I realize that this crash could irritate users of Devtools. I probably could write a fix for M50 specifically. However, given that we already have a fix, I'm not sure that's worthwhile.
,
Apr 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/215351f8bf4352b98aeb738810468c5665226097

commit 215351f8bf4352b98aeb738810468c5665226097
Author: yangguo <yangguo@chromium.org>
Date: Tue Apr 26 14:04:17 2016

[debugger] fix crash in debug-evaluate when retrieving values in TDZ.

R=jkummerow@chromium.org
BUG= chromium:605581
LOG=N
NOTRY=true
NOPRESUBMIT=true

Review URL: https://codereview.chromium.org/1916413002
Cr-Commit-Position: refs/branch-heads/5.0@{#43}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}

[modify] https://crrev.com/215351f8bf4352b98aeb738810468c5665226097/include/v8-version.h
[modify] https://crrev.com/215351f8bf4352b98aeb738810468c5665226097/src/debug/debug-evaluate.cc
[add] https://crrev.com/215351f8bf4352b98aeb738810468c5665226097/test/mjsunit/regress/regress-crbug-605581.js
,
Apr 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/eee6ddb2ac0dab0d3e3ab5d1a9d43709a76f9442

commit eee6ddb2ac0dab0d3e3ab5d1a9d43709a76f9442
Author: yangguo <yangguo@chromium.org>
Date: Tue Apr 26 14:09:00 2016

[debugger] add test case for debug-evaluate for values in TDZ.

R=jkummerow@chromium.org
BUG= chromium:605581
LOG=N

Review URL: https://codereview.chromium.org/1920953003
Cr-Commit-Position: refs/heads/master@{#35794}

[add] https://crrev.com/eee6ddb2ac0dab0d3e3ab5d1a9d43709a76f9442/test/mjsunit/regress/regress-crbug-605581.js
,
Apr 26 2016
Fixed on V8's 5.0 branch per #7. The next Chrome M50 refresh should pick up the fix.
,
Apr 26 2016
Thanks a lot for the quick turn around, much appreciated.
,
Apr 28 2016
Comment 1 by elawrence@chromium.org
, Apr 21 2016