Renderer crash when JS maximum call stack size reached if devtools is open
Issue description

Repro:
1. Load http://calormen.com/jslogo
2. Enter the code: to f :x end f 1
3. Click "Run"

Expected: nothing, as in Chrome 50 and Firefox
Actual, w/o devtools open:
* Maximum call stack size exceeded
Actual, w/ devtools open:
* Renderer crash

(The site is a hobby project of mine; I haven't attempted to reduce the repro yet.) The renderer crash seems to happen when constructing the call stack (OOM?), and obviously makes it hard to debug whatever is going on.

May 27 2016
Ah, yes - it's that the name of the variable that captures an anonymous function is being applied as the function's name. Here's a repro that behaves differently between Firefox and Chrome 51:
....
function to_arity(func, arity) {
  var parms = [];
  for (var i = 0; i < arity; i += 1)
    parms.push('a' + i);
  return eval('(function ' + func.name + '(' + parms.join(',') + ')' +
              '{ return func.apply(this, arguments); })');
}

// Note use of 'func' as here and above.
var func = function() { console.log('hi there'); };
try {
  to_arity(func, 3)();
} catch (ex) {
  console.warn(ex);
}
....
Is that an ES2015/16 thing? Anyway... the OOM with dev tools is perhaps a bigger problem.
May 27 2016
The behavioral change is indeed working as intended: ES2015 gives names to functions that previously were anonymous (see issue v8:3699).
May 31 2016
I've fixed the issue with the site in the initial repro. I'm not sure if the renderer crash occurs with the minimized repro. If not, I can probably put together a stand-alone repro. (Or just grab an older copy of the repro site off GitHub.)
Jun 2 2016
Issue 615756 has been merged into this issue.
Jun 6 2017
Renderer is not crashing in ToT but debugging still doesn't work as expected.
Comment 1 by jsb...@chromium.org, May 27 2016

The trigger seems to be calling the function minted by to_arity(); the minted function ends up calling itself. Here's a repro that fails in both Chrome and Firefox:

............
function to_arity(func, arity) {
  var parms = [];
  for (var i = 0; i < arity; i += 1) {
    parms.push('a' + i);
  }
  var f = eval('(function ' + func.name + '(' + parms.join(',') + ')' +
               '{ return func.apply(this, arguments); })');
  return f;
}

// Note use of 'func' as function name here and above.
var f = to_arity(function func() { console.log('hi there'); }, 3);
try {
  f(); // Boom!
} catch (ex) {
  console.warn(ex); // Maximum call stack size exceeded
}
............

And that's obvious - since the name `func` is used in both places this particular case recurses. (Which is a bug that should be fixed.) The question is: why does the full repro not occur in Firefox or old Chrome? The full code has lots of anonymous functions and Promise callbacks. Did we change the behavior of Function.prototype.name in 51?