Issue metadata
WebAssembly grow_memory crashes the entire tab
Reported by
alexande...@gmx.net,
Dec 6 2016
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14
Steps to reproduce the problem:
<html>
<head>
<script>
// Decode the base64-encoded .wasm binary into an ArrayBuffer.
function base64ToArrayBuffer(base64) {
  const binaryString = window.atob(base64),
        length = binaryString.length,
        array = new Uint8Array(length);
  for (let i = 0; i < length; ++i)
    array[i] = binaryString.charCodeAt(i);
  return array.buffer;
}
// WAST code (the binary below is in the pre-MVP 0xd format of late 2016;
// grow_memory is spelled memory.grow in the final spec):
// (module
//   (memory $memory 1)
//   (export "memory" (memory $memory))
//   (export "main" (func $main))
//   (func $main (param $0 i32) (result i32)
//     (grow_memory (i32.const 1))
//   )
// )
const code = base64ToArrayBuffer('AGFzbQ0AAAABhoCAgAABYAF/AX8DgoCAgAABAAWDgICAAAEAAQeRgICAAAIGbWVtb3J5AgAEbWFpbgAACoyAgIAAAYaAgIAAAEEBQAAL');
// Without (export "memory" (memory $memory)): AGFzbQ0AAAABhoCAgAABYAF/AX8DgoCAgAABAAWDgICAAAEAAQeIgICAAAEEbWFpbgAACoyAgIAAAYaAgIAAAEEBQAAL
WebAssembly.compile(code).then(function(module) {
  const instance = new WebAssembly.Instance(module);
  instance.exports.main(); // grows the memory by one page; on the affected build this crashes the tab
});
</script>
</head>
</html>
What is the expected behavior?
Seeing a blank page (and the wasm module having 2 pages of memory)
What went wrong?
The tab crashes and I get the typical error message:
"DevTools was disconnected from the page.
Once page is reloaded, DevTools will automatically reconnect."
Did this work before? Yes, around 57.0.2938.2
Chrome version: 57.0.2943.0 Channel: canary
OS Version: OS X 10.10.5
Flash Version: Shockwave Flash 23.0 r0
I first noticed this in 57.0.2939.0 canary
And when the memory is not exported, it doesn't crash.
A crash report file is attached.
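The module in the report is in the 0xd binary format, which current engines reject, so the repro cannot be loaded as-is today. The following is an added example, not the reporter's code: it hand-assembles the same module in the version 1 binary format (with and without the memory export, and optionally with a maximum page count, which the report does not use) and records what memory.grow does to an exported memory: the return value, the new byteLength, and the fact that a successful grow detaches the ArrayBuffer that was handed out before. It assumes a JS engine with WebAssembly (Node 8 or later, or any current browser); the helper names uleb, section, name, buildModule and growOnce are this example's own.

```javascript
// Added example, not from the bug report: hand-assembles the reporter's module
// in the current (version 1) binary format and checks what memory.grow does to
// an exported memory. Assumes a JS engine with WebAssembly (Node >= 8 or a browser).

// Unsigned LEB128 encoding, as the binary format requires for sizes and indices.
function uleb(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// A section is: one-byte id, LEB128 payload size, payload.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// A name is: LEB128 byte length, UTF-8 bytes (ASCII suffices here).
function name(s) {
  const bytes = s.split('').map((c) => c.charCodeAt(0));
  return [...uleb(bytes.length), ...bytes];
}

// Builds the module from the report:
//   (memory 1)                     or (memory 1 maxPages) when maxPages is given
//   (export "memory" (memory 0))   only when exportMemory is true
//   (func (export "main") (param i32) (result i32) (memory.grow (i32.const 1)))
function buildModule({ exportMemory = true, maxPages = null } = {}) {
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
  const typeSec = section(0x01, [0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f]); // (func (param i32) (result i32))
  const funcSec = section(0x03, [0x01, 0x00]);                          // one function, of type 0
  const limits = maxPages === null ? [0x00, ...uleb(1)] : [0x01, ...uleb(1), ...uleb(maxPages)];
  const memSec = section(0x05, [0x01, ...limits]);                       // one memory, min 1 page
  const entries = [];
  if (exportMemory) entries.push(...name('memory'), 0x02, 0x00);        // kind 2 = memory, index 0
  entries.push(...name('main'), 0x00, 0x00);                             // kind 0 = function, index 0
  const exportSec = section(0x07, [...uleb(exportMemory ? 2 : 1), ...entries]);
  const body = [0x00, 0x41, 0x01, 0x40, 0x00, 0x0b]; // no locals; i32.const 1; memory.grow 0; end
  const codeSec = section(0x0a, [0x01, ...uleb(body.length), ...body]);
  return new Uint8Array([...header, ...typeSec, ...funcSec, ...memSec, ...exportSec, ...codeSec]);
}

// Instantiates the module, grows once via main(), and reports what an observer
// holding the old memory.buffer would see. Lengths are null when the memory is
// not exported, because JS then has no handle on it at all.
function growOnce(opts) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(buildModule(opts)));
  const memory = instance.exports.memory; // undefined unless exported
  const oldBuffer = memory ? memory.buffer : null;
  const beforeLength = oldBuffer ? oldBuffer.byteLength : null;
  const result = instance.exports.main(0); // memory.grow returns the old size in pages, or -1
  const afterLength = memory ? memory.buffer.byteLength : null;
  return {
    result,
    beforeLength,
    afterLength,
    // A successful grow detaches the previous ArrayBuffer: its byteLength drops to 0
    // and every TypedArray view over it must be recreated from memory.buffer.
    oldBufferDetached: oldBuffer ? oldBuffer.byteLength === 0 : null,
  };
}

console.log(growOnce({ exportMemory: true }));
console.log(growOnce({ exportMemory: false }));
console.log(growOnce({ exportMemory: true, maxPages: 1 }));
```

The expected behaviour the report asks for is the first call: grow returns 1 (the old page count), memory.buffer is now 131072 bytes, and the ArrayBuffer captured before the call has byteLength 0. Code that caches memory.buffer or a Uint8Array over it across a call into wasm must therefore re-read memory.buffer afterwards. The third call shows the failure mode grow is specified to have: with a maximum of 1 page it returns -1 and leaves the memory at 65536 bytes rather than trapping.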
Dec 6 2016

Dec 7 2016
Able to reproduce this issue on Windows 7 and Mac 10.11.6 with Chrome latest Canary version 57.0.2943.0.
Note: Issue not seen on Linux Ubuntu 14.04 with version 56.0.2924.18.

Providing per-revision bisect information below:

Manual Bisect:
--------------
Bad—57.0.2933.0—Revision—434540
Good—57.0.2931.0—Revision—434310

Bisect Tool Info:
--------------------
You are probably looking for a change made after 434356 (known good), but no later than 434357 (first known bad).

CHANGELOG URL:
--------------
The script might not always return a single CL as suspect, as some perf builds might be missing due to failure.
https://chromium.googlesource.com/chromium/src/+log/e3ca5daad95ee7478760d552f115427cd1b0a324..c92ebd9f63bc726e3d091115626c3bdbbc90e912

Possible suspect:
--------------
https://chromium.googlesource.com/v8/v8/+/e108f90d5c17588910f1f91c56ceba2580277000

gdeepti@ assigning to you, as you were listed as one of the reviewers for this CL. Kindly take a look and please help us reassign this issue to the right owner if it is not related to this change. Thanks!
Dec 7 2016

Dec 9 2016
Fix for this issue landed in V8, manually tested for chrome on mac. Should be in canary over the next couple of days. https://chromium.googlesource.com/v8/v8.git/+/0061089aa01d031c91373477dab422a35fb1d5fc
Dec 13 2016
Issue 671783 has been merged into this issue.