new Proxy(window) crashes Chrome in endless loop
Reported by
cmarten...@gmail.com,
Jun 26 2016
|
|||||
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Steps to reproduce the problem:
1. Create a test file to figure out how Proxies work that looks like this:
<script>
myglob = new Proxy(window, {
get: function(target, key, receiver) {
console.log(target, key, receiver);
return 'test'; // no affect anyways
}
});
(function(global) {
global.createElement();
})(myglob);
</script>
2. Is this how Proxies are intended to work? If not, this might be a hard bug and Proxies on window should not be allowed.
3. If you want to feature-detect what modules require what kind of API on window (global), how could you use Proxies to make a list of properties, types, and (functions)?
What is the expected behavior?
Chrome should not crash and not run with 120% CPU load.
What went wrong?
Both the Tab process and Devtools process crash and run in an endless loop. Several methods are constantly accessed in a loop (see SpeechSynthesis logs) on window, so this might be also a bug.
Did this work before? N/A
Chrome version: 51.0.2704.84 Channel: stable
OS Version: Ubuntu 16.04
Flash Version: Shockwave Flash 22.0 r0
How to properly feature-detect required properties on window?
,
Jun 26 2016
More in detail, it seems to be the running typeof property call running behind the scenes that triggers this endless loop:
<script>
var wrapper = {};
var proxy = new Proxy(wrapper, {
get: function(target, key, val) {
console.log('GET', target === wrapper, key, val);
return 'test';
},
set: function(target, key, val) {
console.log('SET', target === wrapper, key, val);
return 'test';
}
});
proxy.property = 4;
typeof proxy.method; // triggers also endless loop, remove this line and it works
</script>
,
Jun 27 2016
I can't reproduce this when DevTools is closed. But it does reproduce when I open DevTools. Steps to reproduce: 1. Visit https://jsbin.com/toteqo 2. Open DevTools (press F12, or Inspect an element) After step #1 the tab is alive (you can select text etc), has negligible CPU usage, and says "Getter was run 0 times.". After step #2, the tab freezes (can no longer select text), CPU usage of both the tab and DevTools goes to ~100%, and hundreds of Javascript errors start occurring every second (but note that the count starts at 0). It also still says "Getter was run 0 times.", but that's just because the tab has frozen and stopped painting. So it seems to somehow be an interaction with DevTools? n.b. that jsbin example is based on comment 2 but I removed the `set` method which seems unnecessary. 51.0.2704.103 beta / gTrusty
,
Jun 30 2016
,
Jun 30 2016
Seems already fixed in issue 581495 .
,
Jul 29 2016
,
Jul 29 2016
I checked in ToT and in current beta (53.0.2785.34). It works good. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by cmarten...@gmail.com
, Jun 26 2016Just figured out that this seems to be not related to the window object. A further reduced test case like this still causes the same issues: <script> var proxy = new Proxy({}, { get: function(target, key, val) { console.log(target, key, val); return 'test'; } }); proxy.methodDoesntExist(); </script> Warning: This will still crash the Tab process and the Devtools process.