dev tools experiment "Object previews": console.dir() + expanding this specific xml element crashes the tab
Reported by
huglovef...@gmail.com,
Apr 3 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3060.0 Safari/537.36
Steps to reproduce the problem:
1. Enable chrome://flags/#enable-devtools-experiments
2. Enable the "Object previews" experiment in devtools > settings > experiments (may have to close and re-open the dev tools to apply the setting)
3. Run this code in the console:
var parser = new DOMParser();
var result = parser.parseFromString(`<posts><post id="3628785"/></posts>`, "application/xml");
console.dir(result.documentElement);
4. Click the logged item to expand it.
What is the expected behavior?
It should show all properties of the "posts" element.
What went wrong?
It crashes the tab and disconnects the dev tools.
Did this work before? N/A
Chrome version: 59.0.3060.0 Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0
The crash doesn't occur if you rename or remove the "id" attribute, or replace "application/xml" with "text/html".
I got this stack trace looking thing by using the flags "--enable-logging --no-sandbox":
#
# Fatal error in c:\b\build\slave\win64-pgo\build\src\v8\src\inspector\v8-injected-script-host.cc, line 108
# Check failed: info.Length() == 1 && info[0]->IsObject().
#
Backtrace:
ChromeMain [0x00007FFE7F2CEEA5+5293829]
IsSandboxedProcess [0x00007FFE801E15A6+2288390]
ChromeMain [0x00007FFE7F2C3A1C+5247612]
ChromeMain [0x00007FFE7F5191A6+7694854]
ovly_debug_event [0x00007FFE7E81E6C5+167269]
ovly_debug_event [0x00007FFE7E81DA36+164054]
ovly_debug_event [0x00007FFE7E81D471+162577]
ovly_debug_event [0x00007FFE7E81D382+162338]
(No symbol) [0x00000347AE584421]
Maybe related: https://bugs.chromium.org/p/chromium/issues/detail?id=405845 (one of two search hits for "object previews")
Apr 3 2017
Apr 5 2017
Able to reproduce the issue on Windows-7, Mac-10.12.3 and Linux Ubuntu-14.04 using Chrome canary 59.0.3062.0. This is a regression issue, broken in M59.
Narrow bisect:
Good: 59.0.3050.0 (build revision 459323)
Bad: 59.0.3053.0 (build revision 459685)
After executing the per-revision bisect script, got the following CLs between the good and bad build versions:
https://chromium.googlesource.com/chromium/src/+log/34dcca73d8f6406f791804d4ee90a60191878573..2c3a8eadbab11669e64e6134ba7c08b463aa96a9
Review-Url: https://codereview.chromium.org/2767333007
v8-autoroll: Could you please look into this issue, if it's related to your change; if not, could you please help us reassign this issue to the right owner. Thanks.
Apr 5 2017
kozy@: Could this be related to https://codereview.chromium.org/2767323002 from the above v8-changelog.
Apr 5 2017
Yes, it's related. Started: https://codereview.chromium.org/2801763002/.
Apr 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2e5dd217dfc3221f05a6186c1223947e300e8a8f
commit 2e5dd217dfc3221f05a6186c1223947e300e8a8f
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Mon Apr 10 15:44:49 2017
[inspector] fixed injected-script-host crash
It's possible to get undefined as a result of Object.getOwnPropertyDescriptor. We should be ready for this.
BUG=chromium:707670
R=alph@chromium.org
Review-Url: https://codereview.chromium.org/2801763002
Cr-Commit-Position: refs/heads/master@{#44532}
[modify] https://crrev.com/2e5dd217dfc3221f05a6186c1223947e300e8a8f/src/inspector/injected-script-source.js
[modify] https://crrev.com/2e5dd217dfc3221f05a6186c1223947e300e8a8f/src/inspector/v8-injected-script-host.cc
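The commit message above says the injected script has to be ready for Object.getOwnPropertyDescriptor returning undefined for a name that property enumeration just reported. The block below is an added example, not code from Chromium or V8, and it does not reproduce the XML case from the report (the page does not say why that element yields a missing descriptor). It is a small object-preview walker in plain JavaScript, runnable in Node, with two constructed inputs that legitimately produce a missing descriptor: a Proxy whose ownKeys trap reports a key its getOwnPropertyDescriptor trap denies, and an object whose getter deletes a sibling property while the walk is in progress. The names previewProperties, failureOf, makeGhostProxy and makeSelfMutatingObject are assumptions of this example. In its intolerant mode the walker fails with a TypeError, the JS-level counterpart of the CHECK(info[0]->IsObject()) failure in the stack trace; in its tolerant mode it applies the pattern the fix describes and records the property as missing instead.

```javascript
// Added example, not Chromium/V8 code. previewProperties() mimics an
// object-preview walker: enumerate own property names, then fetch each
// descriptor and render a short preview string.
function previewProperties(obj, tolerateMissing) {
  const entries = [];
  for (const name of Object.getOwnPropertyNames(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, name);
    if (desc === undefined && tolerateMissing) {
      // The fix's pattern: a name reported by enumeration may no longer
      // (or never) have a descriptor. Record it and move on.
      entries.push({ name, preview: '<missing>' });
      continue;
    }
    // Without the guard above, desc can be undefined here and the `in`
    // check throws a TypeError: the JS-level analogue of the host-side
    // CHECK(info[0]->IsObject()) failing.
    const value = 'value' in desc
      ? desc.value
      : (typeof desc.get === 'function' ? desc.get.call(obj) : undefined);
    entries.push({ name, preview: String(value) });
  }
  return entries;
}

// Returns null when the intolerant walk succeeds, otherwise the name of
// the error it threw.
function failureOf(obj) {
  try {
    previewProperties(obj, false);
    return null;
  } catch (err) {
    return err.name;
  }
}

// Constructed input 1: a Proxy whose ownKeys trap reports 'ghost' while its
// getOwnPropertyDescriptor trap reports no such property. The Proxy
// invariants permit this because the target is extensible and lacks 'ghost'.
function makeGhostProxy() {
  return new Proxy({ real: 1 }, {
    ownKeys: () => ['real', 'ghost'],
    getOwnPropertyDescriptor: (target, key) =>
      key === 'ghost' ? undefined : Object.getOwnPropertyDescriptor(target, key),
  });
}

// Constructed input 2: an ordinary object whose shape changes during the
// walk. The getter for 'first' deletes 'second', so by the time the walker
// asks for 'second' its descriptor is gone.
function makeSelfMutatingObject() {
  const o = {};
  Object.defineProperty(o, 'first', {
    enumerable: true,
    configurable: true,
    get() { delete o.second; return 'gone'; },
  });
  o.second = 2;
  return o;
}

// Stand-alone demonstration of both modes on both inputs.
for (const [label, make] of [['proxy', makeGhostProxy], ['mutating', makeSelfMutatingObject]]) {
  console.log(label, 'intolerant walk failed with:', failureOf(make()));
  console.log(label, 'tolerant walk:', previewProperties(make(), true));
}
```

The tolerant branch is the whole fix in miniature: the walker keeps the names it was given as hints, not as guarantees, and re-validates each one at the moment it is used. Any code that hands the result across a trust boundary (here, from injected JavaScript into native inspector code that CHECKs its argument type) needs that re-validation on the JavaScript side, because the native side has no cheaper way to recover than aborting the process.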
Apr 19 2017
Tested in latest canary #60.0.3074.0 & M59 Dev #59.0.3071.9 by following the steps mentioned in the original comment. Observed that all properties of the "posts" element are displayed as expected. @kozyatinskiy: Can you please confirm the fix is merged into M-59? Thanks!
Apr 19 2017
It wasn't merged, but it landed before the 5.9 branch cut-off, so you can find this commit in the list of landed CLs [1].
[1] https://chromium.googlesource.com/v8/v8.git/+log/5.9-lkgr
Apr 19 2017
[Auto-generated comment by a script] We noticed that this issue is targeted for M-59; it appears the fix may have landed after the branch point, meaning a merge might be required. Please confirm if a merge is required here; if so, add the Merge-Request-59 label, otherwise remove the Merge-TBD label. Thanks.
Apr 20 2017
Comment 1 by woxxom@gmail.com, Apr 3 2017