
Issue 740488 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




DevTool causes crash when accessing element on very large array

Reported by lysio...@gmail.com, Jul 10 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Open attached file (array-crash.html)
2. Then press F12 to open DevTools
3. Type a and press Enter
4. Then type a[1] and press Enter

What is the expected behavior?
No crash, and I should be shown the value of element a[1] (which is 1).

What went wrong?
OOM

Crashed report ID: 359d2be9-6fc5-4492-ae4c-e67fcc55a53c

How much crashed? Just one tab

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 59.0.3071.115  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

In the HTML file there is no problem with accessing elements 1, 1000, 1000000 and even 10000000.
 
Attachment: array-crash.html (253 bytes)

Comment 1 by lysio...@gmail.com, Jul 10 2017

Attachment: 740488-array-crash.mp4 (862 KB)
Labels: Needs-Triage-M59

Comment 3 by woxxom@gmail.com, Jul 11 2017

Same here.
Crash Report ID 902c24be40000000

Cc: pbomm...@chromium.org
Components: Blink>JavaScript
Labels: -Needs-Triage-M59 M-61 Needs-Bisect OS-Linux OS-Mac
Status: Available (was: Unconfirmed)
Able to reproduce the issue with the latest and older versions of Chrome stable, i.e. 57.0.2987.133, 58.0.3029.110, 59.0.3071.115, as well as Chrome Beta (60.0.3112.66) and Dev (61.0.3153.0).

Crash ID: 5c79b44268000000

Note: Tagging this bug with M61 since this crash has been present for quite a long time.


Comment 5 by ajha@chromium.org, Jul 17 2017

Cc: ajha@chromium.org
Labels: -Needs-Bisect
This is reproducible on the latest Canary (61.0.3159.0) on Windows 10, Mac OS 10.12.5 and Linux Ubuntu 14.04.

This is a non-regression issue, as similar behavior is observed in an older Chrome version (45.0.2454.101) as well. Removing the Needs-Bisect label.

Comment 6 by cbruni@chromium.org, Aug 16 2017

Components: -Blink>JavaScript Platform>DevTools>JavaScript
Pushing over to DevTools.
Owner: l...@chromium.org
Status: Assigned (was: Available)

Comment 8 by bugdroid1@chromium.org, Dec 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1beaf80f9d9ef6d4d3ea3394944c24b0cfe9d5c2

commit 1beaf80f9d9ef6d4d3ea3394944c24b0cfe9d5c2
Author: Erik Luo <luoe@chromium.org>
Date: Tue Dec 12 21:52:02 2017

DevTools: Do not crash upon autocomplete for large Arrays

DevTools currently bails out when trying to autocomplete large
TypedArrays. This relaxes our condition to bail out on large regular
Arrays, too.

The original condition is introduced here:
https://crbug.com/444116

Bug: 740488
Change-Id: I65e04fc8497fe848d25a78cfad049fcc1e1919a9
Reviewed-on: https://chromium-review.googlesource.com/820935
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Erik Luo <luoe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523568}
[modify] https://crrev.com/1beaf80f9d9ef6d4d3ea3394944c24b0cfe9d5c2/third_party/WebKit/LayoutTests/http/tests/devtools/sources/debugger/debugger-completions-on-call-frame-expected.txt
[modify] https://crrev.com/1beaf80f9d9ef6d4d3ea3394944c24b0cfe9d5c2/third_party/WebKit/LayoutTests/http/tests/devtools/sources/debugger/debugger-completions-on-call-frame.js
[modify] https://crrev.com/1beaf80f9d9ef6d4d3ea3394944c24b0cfe9d5c2/third_party/WebKit/Source/devtools/front_end/object_ui/JavaScriptAutocomplete.js
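As an added illustration of the fix the commit message describes (this is not Chromium's own JavaScriptAutocomplete.js), the sketch below shows how a console autocompleter gathers candidate names by walking the prototype chain, and how a bail-out that covers large regular Arrays as well as TypedArrays keeps a huge dense array from turning into one index string per element. The 9999 cutoff and all sample values are assumptions made for the demo.

```javascript
// Added illustration, not Chromium's JavaScriptAutocomplete.js. A console
// autocompleter gathers candidate property names by walking the prototype
// chain of the value being completed. For a large dense Array that means
// one string per index, so the collected name list, not the tiny expression
// typed into the console, is what exhausts memory. The guard below skips the
// own property names of large Arrays and TypedArrays; 9999 is an assumed cutoff.
const MAX_ENUMERATED_LENGTH = 9999;

function isArrayLike(value) {
  // Array.isArray covers regular Arrays; ArrayBuffer.isView covers TypedArrays
  // (and DataView, which has no length and therefore never trips the guard).
  return Array.isArray(value) || ArrayBuffer.isView(value);
}

function collectCompletions(value, { guardLargeArrays = true } = {}) {
  const names = new Set();
  for (let o = value; o != null; o = Object.getPrototypeOf(o)) {
    // Only the receiver itself is skipped; its prototypes (Array.prototype,
    // %TypedArray%.prototype, Object.prototype) still contribute "length",
    // "push", "subarray", ... so method completion keeps working.
    if (guardLargeArrays && o === value && isArrayLike(o) &&
        o.length > MAX_ENUMERATED_LENGTH) {
      continue;
    }
    for (const name of Object.getOwnPropertyNames(o)) names.add(name);
  }
  return [...names].sort();
}

// Constructed sample values: a small array, a large dense array and a large
// typed array. Sizes are kept modest so the demo itself stays cheap.
const smallArray = [10, 20, 30];
const largeArray = new Array(20000).fill(0);
const largeTyped = new Uint8Array(20000);

console.log('small array names:', collectCompletions(smallArray).length);
console.log('large array, no guard:',
            collectCompletions(largeArray, { guardLargeArrays: false }).length);
console.log('large array, guarded:', collectCompletions(largeArray).length);
console.log('large typed array, guarded:', collectCompletions(largeTyped).length);
```

Without the guard the 20000-element array already yields more than 20000 candidate names; scaling the array to the tens of millions the reporter used makes the unguarded list the memory hog.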

Comment 9 by l...@chromium.org, Dec 12 2017

Status: Fixed (was: Assigned)
