Issue 607436 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




Chrome snaps when converting large Uint8Array to String

Reported by ro...@mailudc.com, Apr 28 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36

Steps to reproduce the problem:
1. Create a large Uint8Array in JavaScript
2. Iterate over the array, call String.fromCharCode on each element and keep appending the results to a string variable
3. Aw snap!

What is the expected behavior?
Uint8Array gets converted to a String.

What went wrong?
It seems that building a string from a Uint8Array using String.fromCharCode uses up a lot more memory than before. At around ~50 megabytes of data in the Uint8Array, Chrome starts crashing during conversion (see attached sample). It had no issues before, and other browsers (FF, IE, Edge) have no issues. Also note that with a smaller sample size (30 MB), other browsers are a lot faster than Chrome.

Crash report ID: a83123d200000000 (cf113c85-7420-49d3-8bb8-3452ba4a3500)

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? Yes Chrome 49

Chrome version: 50.0.2661.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 21.0 r0

I know this is a fairly unusual thing to do. I have a 100 MB JSON string that comes compressed with gzip into 6 MB. I need to inflate that compressed data, and the last part of the process is converting the Uint8Array into a string (that later gets parsed into JSON). This has been working just fine for the last 3 years and suddenly "Aw snap" in Chrome V50+.
 
uint8_to_string_snap.html
2.1 KB View Download
Cc: ashej...@chromium.org
Mergedinto: 607152
Status: Duplicate (was: Unconfirmed)
Issue is a dupe of the earlier reported crash issue 607152 based on stack trace comparison; that issue is in Fixed status. Hence merging.

Thank you!
Status: Untriaged (was: Duplicate)
The bug merged into is for a single specific issue that happened 1 day ago and is now fixed.

This happens on stable, so if it is really an OOM then it should be merged somewhere else.
Labels: M-52 OS-Linux OS-Mac
This is a non-regression issue existing since the M42 (42.0.2311.68) builds and is seen on Windows, Mac and Linux.
Providing the stack trace for crash ID c3fcda0a00000000:

Stack Trace ::
===============
Thread 0 CRASHED [EXCEPTION_BREAKPOINT @ 0x000007fedc0f0107 ] MAGIC SIGNATURE THREAD
0x000007fedc0f0107	(chrome_child.dll -v8initializer.cpp:95 )	blink::reportFatalErrorInMainThread
0x000007fedb813bd4	(chrome_child.dll -api.cc:321 )	v8::Utils::ReportApiFailure(char const *,char const *)
0x000007fedb813b62	(chrome_child.dll -api.cc:305 )	v8::internal::V8::FatalProcessOutOfMemory(char const *,bool)
0x000007fedc591a30	(chrome_child.dll -factory.cc:79 )	v8::internal::Factory::NewFillerObject(int,bool,v8::internal::AllocationSpace)
0x000007fedc6523ed	(chrome_child.dll -runtime-internal.cc:271 )	v8::internal::Runtime_AllocateInTargetSpace(int,v8::internal::Object * *,v8::internal::Isolate *)
0x0000038910806506		
0x000007fedc69962f	(chrome_child.dll + 0x011f962f )

This is an OOM crash. Could someone please look into the issue and update?
Thank You.
Project Member

Comment 4 by sheriffbot@chromium.org, Jun 1 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Blink>JavaScript
Owner: mlippautz@chromium.org
Status: Assigned (was: Untriaged)
Can you please clarify your comment in #2?
Cc: hpayer@chromium.org yangguo@chromium.org
Labels: -OS-Linux -OS-Windows -OS-Mac OS-All
#6: Good question :) It's definitely an OOM but since there's a repro let's check what exactly is going on there.

I will have another look as soon as I have some spare cycles.
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 12 2016

Labels: -M-53 MovedFrom-53
This issue has been moved once and is lower than Pri-1. Removing the milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: mlippautz@chromium.org
Owner: ----
Status: Available (was: Assigned)
Going through my backlog. Not sure why this is actually assigned to me.

Yang, any idea? Is the bloat in this case WAI?

This still OOMs on latest Canary (with devtools open we actually get paused in the debugger).
Latest crash id: 4126019c80000000
Status: WontFix (was: Available)
The issue is in this part of the example:

        for (var i = 0; i < sample8.length; i++) {
            str += String.fromCharCode(sample8[i]);
        }

You are creating a cons string for every character that you add. Instead, you should add the results to an array and use Array.prototype.join at the end. You could also apply larger chunks of the sample8 array to String.fromCharCode.
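An added example (not code from the bug report or from the Chromium project) showing the three approaches side by side: the reporter's per-character concatenation, and the two alternatives the closing comment proposes, collecting into an array with a single join and passing whole chunks of the typed array to String.fromCharCode via apply. The chunk size of 8192 and the sample generator are assumptions for illustration. One caveat the thread does not spell out: mapping each byte to one code unit is only a faithful decode for ASCII/Latin-1 data; UTF-8 JSON with multibyte characters needs a real UTF-8 decoder, not String.fromCharCode.

```javascript
"use strict";

// The reporter's approach: one concatenation per byte. In V8 each `+=` on a
// long string builds a new cons-string node, so a 50 MB input means tens of
// millions of heap nodes kept alive until the string is flattened. Kept only
// for comparison on small inputs.
function bytesToStringNaive(bytes) {
  let str = "";
  for (let i = 0; i < bytes.length; i++) {
    str += String.fromCharCode(bytes[i]);
  }
  return str;
}

// Suggestion 1 from the closing comment: collect one-character strings and
// join once. The join allocates the flat result in a single pass.
function bytesToStringJoin(bytes) {
  const parts = new Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    parts[i] = String.fromCharCode(bytes[i]);
  }
  return parts.join("");
}

// Suggestion 2: hand whole slices of the array to String.fromCharCode.
// Typed arrays are array-like, so apply() works on a subarray without copying.
// The chunk size is bounded because spreading millions of arguments into one
// call exceeds the engine's argument limit (RangeError); 8192 is an assumed
// safe size, not a value from the bug report.
function bytesToStringChunked(bytes, chunkSize = 8192) {
  const parts = [];
  for (let offset = 0; offset < bytes.length; offset += chunkSize) {
    const chunk = bytes.subarray(offset, offset + chunkSize);
    parts.push(String.fromCharCode.apply(null, chunk));
  }
  return parts.join("");
}

// Constructed sample input: n bytes cycling through all 256 values, so every
// byte value is exercised and the result can be checked positionally.
function makeSample(n) {
  const bytes = new Uint8Array(n);
  for (let i = 0; i < n; i++) {
    bytes[i] = i % 256;
  }
  return bytes;
}

// Returns true when all three conversions yield the same string and each
// code unit equals the source byte; false otherwise.
function allApproachesAgree(n) {
  const bytes = makeSample(n);
  const naive = bytesToStringNaive(bytes);
  const joined = bytesToStringJoin(bytes);
  const chunked = bytesToStringChunked(bytes);
  if (naive !== joined || joined !== chunked || chunked.length !== n) {
    return false;
  }
  for (let i = 0; i < n; i++) {
    if (chunked.charCodeAt(i) !== bytes[i]) {
      return false;
    }
  }
  return true;
}

// Constructed ASCII JSON payload, standing in for the reporter's inflated data.
const SAMPLE_JSON_BYTES = new Uint8Array(
  [123, 34, 111, 107, 34, 58, 116, 114, 117, 101, 125] // {"ok":true}
);

function parseJsonBytes(bytes) {
  return JSON.parse(bytesToStringChunked(bytes));
}
```

For the reporter's 100 MB case, only the join and chunked variants avoid the per-character cons-string build-up; the chunked form also keeps the number of intermediate strings near input_length / chunkSize rather than input_length.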
