
Issue 914048


Issue metadata

Status: Assigned
OS: Linux, Windows, Mac
Pri: 1
Type: Bug-Regression


Chrome 71.0 crashes on javascript

Reported by d3c...@gmail.com, Dec 11

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36

Steps to reproduce the problem:
I have a build process that has worked to produce a script that works on firefox, chrome, edge, opera. With the latest update to chrome, the page crashes with an 'Aww Snap' something bad happened.

Chrome dev tools gets disconnected.

Steps: visit https://www.chatment.com/testApp

Looks like this simple script fails.

π="͎ɂͥůȏ+Ů%Ǫ;Ŭɥ\u0019Ȭh͊dzɯ+ɯʌ\u0017ɩɰW̠Ț̪ŕȔ-ű`ƭ͡ģɣ\u0011ɸ/ͱǢȣ!ɩˀ%ȨȠ\u001bͯą̏𝛙𝖥𝞞𝛙𝞜𝘙𝓌𝛜𝗢𝟐Ȯj̫ƭȉ";eval(((θ,ϕ)=>((π=[..."̈́ȡ̊āɼDĂ@DŽ̒ăȂ1ȌĴƖȃGȀʬ@ȆȂ;"]['\x6d\x61\x70']((π)=>π['\x63\x6f\x64\x65\x50\x6f\x69\x6e\x74\x41\x74'](0))),(ϕ=π['\x6c\x65\x6e\x67\x74\x68']),[...θ]['\x6d\x61\x70']((ϵ,Λ)=>String['\x66\x72\x6f\x6d\x43\x6f\x64\x65\x50\x6f\x69\x6e\x74'](ϵ['\x63\x6f\x64\x65\x50\x6f\x69\x6e\x74\x41\x74'](0)^π[Λ%ϕ]))['\x6a\x6f\x69\x6e']('')))(π))

expected output is console.log, 'Hello World; This is a test file.𝟘𝟙𝟚𝟛𝟜𝟝𝟞𝟟𝟠𝟡'

What is the expected behavior?
Have the webpage load the javascript script correctly.
I tested on a raw/uncompiled version, and that works just fine.

In the meantime I will work on a simplified example.

What went wrong?
Got an 'Aww Snap' error instead of the page working as expected.

Did this work before? N/A 

Chrome version: 71.0.3578.80  Channel: stable
OS Version: 10.0
Flash Version:
 
70.3 version worked 71.0 version does not.
this version of the included script works....

π="ǯϛ ˔ɱď\u0018:̤̊ϬζÙ˿ˊ\u000eũ2̩dž\u0016ǽǪˣŝƁ΃ïˮɪĉ\u0007͍̻ΣΰÑʫʍ5Ÿ~̣ǀZǏƫʳđǎΘí𝕢𝗛𝚺𝞯𝞃𝓹𝒖𝑜𝐱𝜐˽ˈoķT";eval(((θ)=>{const π=[..."ǥθÏʺȂŠt_̤͈΃ϑñ˟˨FČ^ͅƩ6ƪƅʑı"].map((π)=>π.codePointAt(0));const ϕ=π.length;return [...θ].map((ϵ,Λ)=>String.fromCodePoint(ϵ.codePointAt(0)^π[Λ%ϕ])).join('');})(π))

(which just replaces '\x63....' sort of strings with their proper words.)
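A readable re-implementation of the wrapper's XOR scheme, added here as an example (it is not part of the report or of Chromium), so a wrapped payload can be decoded and inspected without handing it to eval(). The keys and the second plaintext are constructed; the first plaintext is the expected output quoted above.

```javascript
// Added example, not from the bug report or Chromium: a readable version of the
// XOR wrapper the reporter's one-liner uses, so a payload can be decoded and
// inspected without eval(). Keys and the collision plaintext are constructed.

// Decode the way the one-liner does: spread the payload into code points (so astral
// characters such as U+1D7D8 stay whole) and XOR each with the key's code points,
// cycling through the key.
function xorDecode(payload, key) {
  const k = [...key].map((c) => c.codePointAt(0));
  return [...payload]
    .map((c, i) => String.fromCodePoint(c.codePointAt(0) ^ k[i % k.length]))
    .join('');
}

// XOR is its own inverse, so the same function produces the wrapped payload.
const xorEncode = xorDecode;

// Does the scheme round-trip for this plaintext and key? It fails when two
// neighbouring encoded code points land on a high and a low surrogate: joined into
// one UTF-16 string they read back as a single astral character.
function roundTrips(plaintext, key) {
  const encoded = xorEncode(plaintext, key);
  return [...encoded].length === [...plaintext].length
    && xorDecode(encoded, key) === plaintext;
}

// Constructed sample: the reporter's expected output, wrapped with an ASCII key.
// An ASCII key never flips the bits that mark a surrogate, so this always round-trips.
const SAMPLE_PLAINTEXT = 'Hello World; This is a test file.𝟘𝟙𝟚𝟛𝟜𝟝𝟞𝟟𝟠𝟡';
const SAMPLE_KEY = 'k3y';
const SAMPLE_PAYLOAD = xorEncode(SAMPLE_PLAINTEXT, SAMPLE_KEY);

// Constructed collision: this key XORs U+1D7D8 U+1D7D9 to U+D83D U+DE00, which the
// decoder then reads as the single code point U+1F600, so the plaintext is lost.
const COLLIDING_KEY = String.fromCodePoint(0x10fe5, 0x109d9);
const COLLIDING_PLAINTEXT = '\u{1D7D8}\u{1D7D9}';

console.log(xorDecode(SAMPLE_PAYLOAD, SAMPLE_KEY));          // the plaintext again
console.log(roundTrips(SAMPLE_PLAINTEXT, SAMPLE_KEY));       // true
console.log(roundTrips(COLLIDING_PLAINTEXT, COLLIDING_KEY)); // false
```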
Broken in 71.0.3574.0 by r597569 "Update V8 to version 7.1.285"
Fixed in 72.0.3585.0 by r600835 "Update V8 to version 7.2.41"
The fix was probably 779d102ca87bddd412d9a9d761d6e6b57e01a609
Attaching a copy of the repro just in case.
test.html (420 KB)
Labels: Needs-Bisect Needs-Triage-M71
Cc: vamshi.kommuri@chromium.org
Components: -Blink Blink>JavaScript
Labels: -Pri-2 -Needs-Bisect hasbisect-per-revision RegressedIn-71 Triaged-ET ReleaseBlock-Stable Target-71 M-71 FoundIn-71 OS-Linux OS-Mac Pri-1
Owner: dhai@google.com
Status: Assigned (was: Unconfirmed)
Able to reproduce the issue on reported chrome version 71.0.3578.80 using Windows 10, Ubuntu 14.04 and Mac 10.14.1. As this seems to be fixed in latest canary 73.0.3637.0 here's reverse bisect info (....C#3)

Bisect Information:
-------------------
Last Bad Build:   72.0.3584.0
First Good Build: 72.0.3585.0

You are probably looking for a change made after 600834 (known good), but no later than 600835 (first known bad).
CHANGELOG URL:
https://chromium.googlesource.com/chromium/src/+log/3ac4c0efa54b4e6901872ccbd0a8d4fe3e5643a8..4f810bcf4cd1cb65742ec556a079b08dacca7ddd
https://chromium.googlesource.com/v8/v8/+log/fc50b795..9d59bf5f
Suspecting: https://chromium.googlesource.com/v8/v8/+/779d102ca87bddd412d9a9d761d6e6b57e01a609

@Hai Dang: Please help in assigning it to the right owner if this isn't related to your change. And requesting a merge to M-71, if required.

Thanks!

Cc: bmeu...@chromium.org
Labels: -Type-Bug Type-Bug-Regression
Cc: pbomm...@chromium.org hablich@chromium.org
Labels: Target-72 M-72
+hablich@ (V8 TPM)
Labels: -M-72 -Target-72
Per comment #5, this is already fixed in M72 branch 3626, so removing M72 labels.
The fix (https://bugs.chromium.org/p/chromium/issues/detail?id=895860) should have been merged a month ago IMO. Given the current release constraints around Christmas let's simply wait for 72.
Labels: -ReleaseBlock-Stable
Thank you hablich@. Removing "RBS" per comment #9.
That does solve the one line script.
It does not solve the actual app...
(as in today, 71.0.3578.98) the script works...

But the webpage still throws an aww snap.

I don't know what is different between one content in the wrapper and another...

I tried a few obvious things; the only real difference is the length(?). The above script line was generated with the exact same process which takes a JS, and wraps it in that code...

loading even from file:// fails, and the debugger tools are crashed too.

Reporter, the underlying bug was fixed in Chrome 72, not in 71.
Thank you; I was unclear about that.  There was a minor update, that when I went to try to simplify the simple example I found THAT worked... and was making sure both would be fixed.
