
Issue 727000 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression




Stack overflow in v8::internal::Object::IsArray(v8::internal::Handle<v8::internal::Object>) using Proxy

Reported by june901...@gmail.com, May 27 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. open a poc.html in chrome

What is the expected behavior?
maybe true

What went wrong?
crash occurs.

In v8, object.cc

Maybe<bool> Object::IsArray(Handle<Object> object) {
  if (object->IsJSArray()) return Just(true);
  if (object->IsJSProxy()) {
    Handle<JSProxy> proxy = Handle<JSProxy>::cast(object);
    Isolate* isolate = proxy->GetIsolate();
    if (proxy->IsRevoked()) {
      isolate->Throw(*isolate->factory()->NewTypeError(
          MessageTemplate::kProxyRevoked,
          isolate->factory()->NewStringFromAsciiChecked("IsArray")));
      return Nothing<bool>();
    }
    // The target of a proxy may itself be a proxy, so this recurses once per
    // nesting level with no stack-limit check: a sufficiently deep chain of
    // proxies exhausts the native stack.
    return Object::IsArray(handle(proxy->target(), isolate)); // <<-- calls Object::IsArray infinitely
  }
  return Just(false);
}

Crashed report ID: daffc851-27a2-41aa-af2f-185b3ae7699c

How much crashed? Just one tab

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 58.0.3029.110  Channel: stable
OS Version: 10.0
Flash Version:
poc.html
159 bytes
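As an added illustration, not code from the report or from V8: the recursion in the quoted Object::IsArray modelled in JavaScript over constructed stand-in objects, beside a bounded, iterative traversal of the kind a hardened implementation uses. SimArray, SimProxy, makeChain, probe and MAX_PROXY_DEPTH are assumed names, and the fixed depth budget is an assumption standing in for an engine's own stack-limit check.

```javascript
// Constructed stand-ins for the engine's JSArray / JSProxy heap objects.
// The real engine uses its own object types; only the chain shape matters here.
class SimArray {}
class SimProxy {
  constructor(target) {
    this.target = target;   // may itself be a SimProxy
    this.revoked = false;
  }
}

// Naive version: mirrors the recursion in the quoted Object::IsArray.
// Each proxy level costs one stack frame, and the nesting depth is chosen by
// whoever built the object graph, so the frame count is unbounded.
function isArrayRecursive(obj) {
  if (obj instanceof SimArray) return true;
  if (obj instanceof SimProxy) {
    if (obj.revoked) throw new TypeError("proxy revoked");
    return isArrayRecursive(obj.target);
  }
  return false;
}

// Hardened version: walk the chain in a loop and enforce an explicit depth
// budget, so a deep chain produces a catchable RangeError instead of
// consuming stack. The budget value is an assumption for this example.
const MAX_PROXY_DEPTH = 1000;
function isArrayBounded(obj, maxDepth = MAX_PROXY_DEPTH) {
  let depth = 0;
  while (obj instanceof SimProxy) {
    if (obj.revoked) throw new TypeError("proxy revoked");
    if (++depth > maxDepth) throw new RangeError("proxy chain too deep");
    obj = obj.target;
  }
  return obj instanceof SimArray;
}

// Build a chain of `depth` proxies around `leaf`, iteratively (no recursion
// is needed to construct a deep chain, only to traverse it naively).
function makeChain(depth, leaf) {
  let obj = leaf;
  for (let i = 0; i < depth; i++) obj = new SimProxy(obj);
  return obj;
}

// Run one checker on one object and report the outcome as a string
// ("true", "false", or the name of the thrown error class) so the two
// versions can be compared side by side.
function probe(checker, obj) {
  try {
    return String(checker(obj));
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructed inputs: a shallow chain and a very deep one.
const shallow = makeChain(3, new SimArray());
const deep = makeChain(1000000, new SimArray());
console.log("recursive, shallow:", probe(isArrayRecursive, shallow)); // true
console.log("bounded,   shallow:", probe(isArrayBounded, shallow));   // true
console.log("recursive, deep:   ", probe(isArrayRecursive, deep));    // RangeError (JS stack limit)
console.log("bounded,   deep:   ", probe(isArrayBounded, deep));      // RangeError (depth budget)
```

In JavaScript the naive version fails safely only because the engine guards script frames with its own stack limit; the native Object::IsArray in the report had no equivalent guard, which is why the same shape of input crashed the tab rather than raising an error. The bounded version makes the limit explicit in the algorithm itself, so it does not depend on which stack it runs on.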
Cc: kavvaru@chromium.org
Components: Blink>JavaScript
Labels: -Type-Bug -Pri-2 M-61 has-bisect-per-revision Pri-1 Type-Bug-Regression
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on windows 7 using chrome version 58.0.3029.110 and canary 61.0.3115.0.
This is a regression issue, broken in M49. Please find the bisect information below.
Narrow bisect::
Good:: 49.0.2619.0  ---   (build revision 368754)
Bad:: 49.0.2620.0  ---    (build revision 369070)

Change Log::
https://chromium.googlesource.com/chromium/src/+log/6c48548a2fd21c154b10d98db6b257209e8d10fc..c4ddaf6d3b396b92914f1a185036cf5e3880b014

V8 Roll::
https://chromium.googlesource.com/v8/v8/+log/6d5737e4..65f09d9b

Unable to find the exact suspect from both URLs.
Could anyone from the dev team please look into this issue?

Thanks,

Comment 2 by danno@chromium.org, Jun 6 2017

Owner: verwa...@chromium.org
Status: Assigned (was: Untriaged)
Status: Fixed (was: Assigned)
Labels: TE-Verified-61.0.3124.10 TE-Verified-M61
Verified this issue on Windows 10 with Chrome 61.0.3124.10 and didn't observe any crash while loading the provided html in comment #0. Hence adding TE-Verified labels.

Attaching the screen-cast for reference.

Thank You...
727000.mp4
485 KB