Chrome tab crashes when alert() is called with > 100MB string
Reported by root....@gmail.com, Jan 20 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Open https://jsfiddle.net/ha0o2d67/
2. Click "Choose file" and pick any file bigger than 100 MB
3. Wait a few seconds

What is the expected behavior?
Tab doesn't crash

What went wrong?
Tab crashes: Aw, Snap!

Did this work before? N/A

Does this work in other browsers? Yes

Chrome version: 63.0.3239.132
Channel: stable
OS Version: 10.0
Flash Version:
Jan 26 2018

Jan 26 2018

When I try to reproduce this, the crash is not in creating the data URL, but instead it is in trying to display that several-hundred-MB string in an alert(). Stack trace from https://crash.corp.google.com/browse?q=reportid=%271461de01ecac3d07%27#0:

0x000055758f14524c (chrome - ipc_channel_proxy.cc:540) IPC::ChannelProxy::SendInternal(IPC::Message*)
0x000055758f14d77e (chrome - ipc_sync_channel.cc:623) IPC::SyncChannel::Send(IPC::Message*)
0x00005575922d0c43 (chrome - render_frame_impl.cc:1681) content::RenderFrameImpl::RunJavaScriptDialog(content::JavaScriptDialogType, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, GURL const&, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> >*)
0x00005575922df8af (chrome - render_frame_impl.cc:4437) content::RenderFrameImpl::RunModalAlertDialog(blink::WebString const&)
0x0000557591edcd99 (chrome - ChromeClientImpl.cpp:356) blink::ChromeClientImpl::OpenJavaScriptAlertDelegate(blink::LocalFrame*, WTF::String const&)
0x0000557591edb662 (chrome - ChromeClient.cpp:135) blink::ChromeClient::OpenJavaScriptAlert(blink::LocalFrame*, WTF::String const&)
0x0000557591a393cd (chrome - LocalDOMWindow.cpp:782) blink::LocalDOMWindow::alert(blink::ScriptState*, WTF::String const&)
0x000055759174bb3d (chrome - V8Window.cpp:4733) blink::V8Window::alertMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&)
0x000055758e3e57c3 (chrome - api-arguments.cc:25) v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))
0x000055758e45e7e6 (chrome - builtins-api.cc:112) v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments)
0x000055758e45ded6 (chrome - builtins-api.cc:142) v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)
Jun 20 2018

It dies trying to shovel 100 MB over IPC. We should truncate the string sooner.
Jun 25 2018

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/03a7b9c13ccf8f8433b4d4f8e26b905c04f51504

commit 03a7b9c13ccf8f8433b4d4f8e26b905c04f51504
Author: Avi Drissman <avi@chromium.org>
Date: Mon Jun 25 15:40:14 2018

Truncate JavaScript dialog message strings before IPC.

This moves message size metrics to be before IPC (and before truncation) and removes three metrics.

JSDialogs.CountOfJSDialogMessageCharacters is removed; JSDialogs.CharacterCount.MainFrame/Subframe is replacing it.

JSDialogs.CountOfJSDialogMessageNewlines is not useful as we do rectangular truncation.

JSDialogs.CharacterCountUserSuppressed was just broken as it was gated by "if (did_suppress_message)", and "did_suppress_message" was a non-null bool pointer.

BUG=804081

Change-Id: I874e0aebf545096939dc12299843ba85a6dad121
Reviewed-on: https://chromium-review.googlesource.com/1112471
Reviewed-by: Leonard Grey <lgrey@chromium.org>
Reviewed-by: Steven Holte <holte@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570047}

[modify] https://crrev.com/03a7b9c13ccf8f8433b4d4f8e26b905c04f51504/chrome/browser/ui/javascript_dialogs/javascript_dialog_tab_helper.cc
[modify] https://crrev.com/03a7b9c13ccf8f8433b4d4f8e26b905c04f51504/components/app_modal/javascript_dialog_manager.cc
[modify] https://crrev.com/03a7b9c13ccf8f8433b4d4f8e26b905c04f51504/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/03a7b9c13ccf8f8433b4d4f8e26b905c04f51504/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/03a7b9c13ccf8f8433b4d4f8e26b905c04f51504/tools/metrics/histograms/histograms.xml
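Added example (not Chromium's code, and not part of this bug thread): a JavaScript sketch of the two points made in the comments above. `estimateIpcBytes` works out why a 100 MB file is enough to bring the dialog IPC down: the fiddle encodes the file as a base64 data: URL (4 characters per 3 bytes), and the stack trace shows the message carried as a UTF-16 `string16` (2 bytes per character), so a 100 MB file turns into roughly 280 MB of message payload. `truncateDialogMessage` shows the shape of the fix the commit describes, "rectangular truncation" of the message before it crosses the renderer/browser boundary, capping both the number of lines and the length of each line. The row and column limits, the function names and the constructed 100 MB sample are assumptions for illustration, not Chromium's actual constants or API.

```javascript
// Added example, not Chromium code. Row/column limits are assumed values for
// illustration; Chromium's real constants live in the files the commit touches.
const MAX_ROWS = 32;   // assumption
const MAX_COLS = 132;  // assumption

// Rectangular truncation: keep at most maxRows lines, each cut to maxCols
// characters. A single 100 MB line therefore collapses to maxCols characters,
// which is what you want to do *before* handing the string to another process.
function truncateDialogMessage(message, maxRows = MAX_ROWS, maxCols = MAX_COLS) {
  const lines = [];
  let start = 0;
  // Walk the string with indexOf rather than split('\n'), so the 100 MB+ input
  // from the report is not copied line-by-line into an intermediate array.
  while (lines.length < maxRows && start <= message.length) {
    let end = message.indexOf('\n', start);
    if (end === -1) end = message.length;
    lines.push(message.slice(start, Math.min(end, start + maxCols)));
    if (end === message.length) break;
    start = end + 1;
  }
  return lines.join('\n');
}

// Bytes the renderer would otherwise push over IPC for a file of the given
// size: base64 data: URL (4 chars per 3 bytes) carried as UTF-16 (2 bytes per
// char), as the string16 parameters in the stack trace show.
function estimateIpcBytes(fileBytes, mimeType = 'application/octet-stream') {
  const prefix = `data:${mimeType};base64,`.length;
  const base64Chars = 4 * Math.ceil(fileBytes / 3);
  return 2 * (prefix + base64Chars);
}

// Constructed stand-in for the reporter's >100 MB data URL: 100 MiB of 'A'
// behind a data: prefix, all on one line, exactly the worst case for a dialog.
function demo() {
  const huge = 'data:application/octet-stream;base64,' + 'A'.repeat(100 * 1024 * 1024);
  const truncated = truncateDialogMessage(huge);
  return { original: huge.length, truncated: truncated.length };
}

console.log(demo());
```

Run under Node; `demo()` builds the constructed sample and returns the message length before and after truncation, so the 100 MiB single-line string shrinks to one row of `MAX_COLS` characters.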
Jun 25 2018

Jun 26 2018

Able to reproduce the issue on the reported version, hence verifying the fix on latest canary 69.0.3473.0 using Windows 10, Mac 10.13.3 and Linux Debian. Now on loading a 125 MB file (>100 MB) no crash is seen and an alert box is seen. Attaching screenshot for reference. As the fix is working as expected, adding Verified labels. Thanks!
Comment 1 by sc00335...@techmahindra.com, Jan 22 2018
Components: Blink>HTML
Labels: Triaged-ET M-66 FoundIn-66 Target-66 Needs-Triage-M63 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)