Chrome crashes when serializing a huge ArrayBuffer
Reported by blackmil...@gmail.com, Jun 28 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Steps to reproduce the problem:
Load crash.html in Chrome and you'll see the crash. My reproduction environment is 64-bit Chrome on Ubuntu.
What is the expected behavior?
Don't crash.
What went wrong?
Maybe you think this works as designed, but it could be handled more elegantly. It should throw an exception, not crash.
#0 0x00007ffff7d3d33f in base::internal::PartitionExcessiveAllocationSize () at ../../base/allocator/partition_allocator/partition_oom.cc:14
#1 0x00007ffff7d34109 in base::PartitionReallocGenericFlags (root=0x7fffe656cd00 <WTF::lazy_buffer+8>, flags=0, ptr=0x22bc69004010, new_size=4294967296,
type_name=0x7fffe6a2934f "SerializedScriptValue buffer") at ../../base/allocator/partition_allocator/partition_alloc.cc:281
#2 0x00007ffff7d34421 in base::PartitionRootGeneric::Realloc (this=0x7fffe656cd00 <WTF::lazy_buffer+8>, ptr=0x22bc69004010, new_size=4294967296,
type_name=0x7fffe6a2934f "SerializedScriptValue buffer") at ../../base/allocator/partition_allocator/partition_alloc.cc:341
#3 0x00007fffe75f07fd in WTF::Partitions::BufferRealloc (p=0x22bc69004010, n=4294967296, type_name=0x7fffe6a2934f "SerializedScriptValue buffer")
at ../../third_party/blink/renderer/platform/wtf/allocator/partitions.h:114
#4 0x00007fffe75eee9f in blink::V8ScriptValueSerializer::ReallocateBufferMemory (this=0x7fffb6c4b680, old_buffer=0x22bc69004010, size=4294967296, actual_size=0x7fffb6c4ac60)
at ../../third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer.cc:581
#5 0x00007fffea83962d in v8::internal::ValueSerializer::ExpandBuffer (this=<optimized out>, required_capacity=<optimized out>) at ../../v8/src/value-serializer.cc:302
#6 0x00007fffea83d8cd in ReserveRawBytes (this=<optimized out>, bytes=<optimized out>) at ../../v8/src/value-serializer.cc:287
#7 WriteRawBytes (this=<optimized out>, source=<optimized out>, length=<optimized out>) at ../../v8/src/value-serializer.cc:277
#8 v8::internal::ValueSerializer::WriteJSArrayBuffer (this=<optimized out>, array_buffer=...) at ../../v8/src/value-serializer.cc:833
#9 0x00007fffea83a228 in v8::internal::ValueSerializer::WriteJSReceiver (this=<optimized out>, receiver=...) at ../../v8/src/value-serializer.cc:507
#10 0x00007fffea839f0c in v8::internal::ValueSerializer::WriteObject (this=<optimized out>, object=...) at ../../v8/src/value-serializer.cc:378
#11 0x00007fffea83aff2 in v8::internal::ValueSerializer::WriteJSArray (this=<optimized out>, array=...) at ../../v8/src/value-serializer.cc:643
#12 0x00007fffea83a238 in v8::internal::ValueSerializer::WriteJSReceiver (this=<optimized out>, receiver=...) at ../../v8/src/value-serializer.cc:482
#13 0x00007fffea839f0c in v8::internal::ValueSerializer::WriteObject (this=<optimized out>, object=...) at ../../v8/src/value-serializer.cc:378
#14 0x00007fffe9eef174 in v8::ValueSerializer::WriteValue (this=<optimized out>, context=..., value=...) at ../../v8/src/api.cc:3237
#15 0x00007fffe75ebc7f in blink::V8ScriptValueSerializer::Serialize (this=0x7fffb6c4b680, value=..., exception_state=...)
at ../../third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer.cc:93
#16 0x00007fffe36faea1 in blink::SerializedScriptValueForModulesFactory::Create (this=0x178492e180d8, isolate=0x174759b6b020, value=..., options=..., exception_state=...)
at ../../third_party/blink/renderer/bindings/modules/v8/serialization/serialized_script_value_for_modules_factory.cc:22
#17 0x00007fffe75cc884 in blink::SerializedScriptValue::Serialize (isolate=0x174759b6b020, value=..., options=..., exception=...)
at ../../third_party/blink/renderer/bindings/core/v8/serialization/serialized_script_value.cc:74
#18 0x00007fffe9003f35 in blink::DedicatedWorkerV8Internal::postMessageImpl (interfaceName=0x7fffe6a74e19 "Worker", instance=0x3a8ffaaa2d78, info=...)
at gen/third_party/blink/renderer/bindings/core/v8/v8_worker.cc:149
#19 0x00007fffe90039cb in blink::V8Worker::postMessageMethodCallback (info=...) at gen/third_party/blink/renderer/bindings/core/v8/v8_worker.cc:260
#20 0x00007fffe9fbca03 in v8::internal::FunctionCallbackArguments::Call (this=<optimized out>, handler=<optimized out>) at ../../v8/src/api-arguments-inl.h:94
#21 0x00007fffe9fbad53 in v8::internal::(anonymous namespace)::HandleApiCallHelper<false> (isolate=<optimized out>, function=..., new_target=..., fun_data=..., receiver=..., args=...)
at ../../v8/src/builtins/builtins-api.cc:109
#22 0x00007fffe9fb9109 in v8::internal::Builtin_Impl_HandleApiCall (args=..., isolate=<optimized out>) at ../../v8/src/builtins/builtins-api.cc:139
#23 0x00007fffe9fb8b4d in v8::internal::Builtin_HandleApiCall (args_length=<optimized out>, args_object=<optimized out>, isolate=<optimized out>)
at ../../v8/src/builtins/builtins-api.cc:127
The root cause is this function:
https://cs.chromium.org/chromium/src/v8/src/value-serializer.cc?rcl=56b60a2ebac6c90c3989fb5ad0d9109d9c35ae76&l=295
It never returns if the allocation fails.
Maybe<bool> ValueSerializer::ExpandBuffer(size_t required_capacity) {
  DCHECK_GT(required_capacity, buffer_capacity_);
  size_t requested_capacity =
      std::max(required_capacity, buffer_capacity_ * 2) + 64;
  size_t provided_capacity = 0;
  void* new_buffer = nullptr;
  if (delegate_) {
    new_buffer = delegate_->ReallocateBufferMemory(buffer_, requested_capacity,
                                                   &provided_capacity);
    // ---------------> this call never returns null; an allocation failure crashes Chrome.
  } else {
    new_buffer = realloc(buffer_, requested_capacity);
    provided_capacity = requested_capacity;
  }
  if (new_buffer) {
    DCHECK(provided_capacity >= requested_capacity);
    buffer_ = reinterpret_cast<uint8_t*>(new_buffer);
    buffer_capacity_ = provided_capacity;
    return Just(true);
  } else {  // ---------------> this branch is never executed in Chrome.
    out_of_memory_ = true;
    return Nothing<bool>();
  }
}
Suggested fix:
Maybe you can call the function PartitionReallocGenericFlags with the flag PartitionAllocReturnNull.
Crashed report ID:
How much crashed? Just one tab
Is it a problem with a plugin? N/A
Did this work before? N/A
Chrome version: 67.0.3396.87 Channel: n/a
OS Version:
Flash Version:
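A minimal model of the ExpandBuffer contract discussed in the report, added here as an example (not Chromium or V8 code): the 1 GiB ceiling, the function names and the Serializer class are assumptions of this example. It shows that the out_of_memory_ branch is only reachable when the delegate's realloc can return nullptr, which is what a TryRealloc-style delegate provides.

```cpp
// Added example, not Chromium/V8 code: a minimal model of ValueSerializer::ExpandBuffer
// showing why the Blink delegate had to gain a realloc that can return nullptr.
#include <algorithm>
#include <cstdint>
#include <cstdlib>
// Assumed ceiling standing in for the partition allocator's excessive-size check.
constexpr size_t kMaxAllocation = size_t{1} << 30;

// Pre-fix behaviour: an oversize request aborts the process, as
// PartitionExcessiveAllocationSize() does in the reported stack.
void* CrashingRealloc(void* old, size_t size, size_t* actual) {
  if (size > kMaxAllocation) std::abort();
  *actual = size;
  return std::realloc(old, size);
}

// Fixed behaviour: report failure with nullptr instead, as a TryRealloc /
// PartitionAllocReturnNull path does.
void* TryRealloc(void* old, size_t size, size_t* actual) {
  if (size > kMaxAllocation) return nullptr;
  void* p = std::realloc(old, size);
  if (p) *actual = size;
  return p;
}

using ReallocFn = void* (*)(void*, size_t, size_t*);

class Serializer {
 public:
  explicit Serializer(ReallocFn realloc_fn) : realloc_fn_(realloc_fn) {}
  ~Serializer() { std::free(buffer_); }
  // Mirrors ExpandBuffer's growth policy; the out_of_memory_ branch is only
  // reachable when the delegate can actually hand back nullptr.
  bool ExpandBuffer(size_t required_capacity) {
    size_t requested = std::max(required_capacity, buffer_capacity_ * 2) + 64;
    size_t provided = 0;
    void* new_buffer = realloc_fn_(buffer_, requested, &provided);
    if (!new_buffer) { out_of_memory_ = true; return false; }
    buffer_ = static_cast<uint8_t*>(new_buffer);
    buffer_capacity_ = provided;
    return true;
  }
  bool out_of_memory() const { return out_of_memory_; }
  size_t capacity() const { return buffer_capacity_; }
 private:
  ReallocFn realloc_fn_;
  uint8_t* buffer_ = nullptr;
  size_t buffer_capacity_ = 0;
  bool out_of_memory_ = false;
};
```

With TryRealloc a 4 GiB request (the size in the reported trace) comes back as a recoverable failure; with CrashingRealloc the same request would abort the process before ExpandBuffer could report anything.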
Jun 28 2018
Jun 29 2018
Able to reproduce this issue on reported version 67.0.3396.87, latest stable 67.0.3359.99, latest beta 68.0.3396.42 and latest canary 69.0.3475.0 using Mac 10.13.3, Windows 10 and Debian.
Bisect Info:
================
Good Build: 66.0.3344.0
Bad Build: 66.0.3345.0
CHANGELOG URL from per-revision bisect: https://chromium.googlesource.com/chromium/src/+log/7c8c2adeebc15680883e797753e3e47a5f5d9845..7c8bea61a9e0bd02932fce9d164965f7ade0a124
Reviewed-on: https://chromium-review.googlesource.com/912108
Suspecting same from changelog.
@bbudge: Please confirm the bug and help in re-assigning if this is not related to your change. Thanks!
Jul 16
The crash.html file fails to allocate the large ArrayBuffer on ToT Chrome, so it doesn't hit the OOM crash when serializing the AB as it did before. However, it's still possible to cause serialization to run out of memory, and we still shouldn't crash in this case.
Jul 17
@bbudge, you are right. Maybe we can fix the issue by calling the function PartitionReallocGenericFlags in the stack backtrace with the flag PartitionAllocReturnNull.
Jul 18
Yep, the fix should land today on ToT Chromium. It will take a while to roll out to Stable unless it's merged.
Jul 18
Actually, there's a hangup and this still needs review. Follow along at: https://chromium-review.googlesource.com/c/chromium/src/+/1138859
Jul 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8c0d96189ba455f5ab1c90377356ab33e57e2b6d
commit 8c0d96189ba455f5ab1c90377356ab33e57e2b6d
Author: Bill Budge <bbudge@chromium.org>
Date: Tue Jul 24 15:47:38 2018

[page allocator] Allow some partition Realloc's to return nullptr

- Modifies partition allocator, adding a TryRealloc method that returns nullptr on failure, rather than OOM crashing.
- Modifies the single call site in Blink for buffer resizing during serialization.

Bug: chromium:857387
Change-Id: I9bf8d3ced837a9dd4f96a953bb52ccad3078dfa1
Reviewed-on: https://chromium-review.googlesource.com/1138859
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577561}

[modify] https://crrev.com/8c0d96189ba455f5ab1c90377356ab33e57e2b6d/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/8c0d96189ba455f5ab1c90377356ab33e57e2b6d/base/allocator/partition_allocator/partition_alloc.h
[modify] https://crrev.com/8c0d96189ba455f5ab1c90377356ab33e57e2b6d/base/allocator/partition_allocator/partition_alloc_unittest.cc
[modify] https://crrev.com/8c0d96189ba455f5ab1c90377356ab33e57e2b6d/third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer.cc
[modify] https://crrev.com/8c0d96189ba455f5ab1c90377356ab33e57e2b6d/third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer.h
[modify] https://crrev.com/8c0d96189ba455f5ab1c90377356ab33e57e2b6d/third_party/blink/renderer/platform/wtf/allocator/partitions.h
Jul 24
Comment 1 by woxxom@gmail.com, Jun 28 2018