Aw Snap on large Typed Array allocations
Reported by andersso...@gmail.com, Dec 27
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce the problem:
1. Hard reload empty page
2. Enter in dev console: var a=new Uint8Array(256*256*256*127 +64)
3. Aw Snap appears

What is the expected behavior?
Either successful allocation or "RangeError: Invalid typed array length: 2130706496"

What went wrong?
Aw Snap appears with no error or exception thrown in JS.

Did this work before? N/A

Chrome version: 71.0.3578.98
Channel: stable
OS Version: 10.0
Flash Version:
Dec 27

Additional information:
var a=new Uint8Array(256*256*256*127) works and successfully allocates array.
var a=new Uint8Array(256*256*256*128) throws "RangeError: Invalid typed array length: 2147483648", which is fine.
It seems values in between these two limits trigger the Aw Snap.
Dec 27

Tested on OS X 10.14.2; here the same problem does not occur.
var a=new Uint8Array(256*256*256*128) throws "RangeError: Invalid typed array length: 2147483648", which is fine.
var a=new Uint8Array(256*256*256*128 -1) // Allocates array of length 2147483647
Dec 27

Exposed in 69 by r563360 "DevTools: enable Eager Evaluation by default".
Fixed in 70 by crrev.com/c/1181136 "[ptr-compr] Switch Smis to 31-bit on 64-bit platforms."
Broken in 70 by crrev.com/c/1186341 "Revert "[ptr-compr] Switch Smis to 31-bit on 64-bit platforms."
Still broken in stable and canary.
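The lengths quoted in the description, comment 1 and the bisect note above line up against one number: the largest Smi. The following script is an added illustration, not code from the bug report or from V8; it assumes, as the "Invalid typed array length: 2147483648" message and the Smi-width bisect suggest, that the engine's typed-array length limit equals the maximum Smi value (2^31-1 with 32-bit Smis, 2^30-1 with the 31-bit Smis of the ptr-compr change). It only does the arithmetic and a tiny real allocation, so it never attempts the multi-gigabyte allocation that triggers the crash, and it can be run under Node.

```javascript
// Added example: classify requested typed-array lengths against an assumed
// engine limit without allocating anything large. Not part of the report.

// Assumption: typed-array length limit == Smi::kMaxValue for the V8 builds discussed.
const SMI_MAX_32BIT = 2 ** 31 - 1; // 64-bit platforms before pointer compression
const SMI_MAX_31BIT = 2 ** 30 - 1; // "[ptr-compr] Switch Smis to 31-bit" builds

// The three lengths from the thread (values are exactly those quoted there).
const REPORTED = {
  works:      256 * 256 * 256 * 127,      // 2130706432: allocates (comment 1)
  crashes:    256 * 256 * 256 * 127 + 64, // 2130706496: "Aw Snap" (description)
  rangeError: 256 * 256 * 256 * 128,      // 2147483648: RangeError (comment 1)
};

/**
 * Predict, by arithmetic only, how an engine whose limit is `maxLength`
 * treats `new Uint8Array(length)`: 'RangeError' means the length is rejected
 * before any memory is touched; 'allocate' means the engine goes on to
 * allocate, which is the region where the reported crash lives.
 */
function classifyLength(length, maxLength) {
  if (!Number.isSafeInteger(length) || length < 0) {
    return { length, outcome: 'RangeError', reason: 'not a valid array length' };
  }
  if (length > maxLength) {
    return { length, outcome: 'RangeError', reason: `exceeds engine max ${maxLength}` };
  }
  return { length, outcome: 'allocate', reason: 'within limit; allocation attempted' };
}

/** Map each reported length to its predicted outcome under a given Smi width. */
function predictAll(maxLength) {
  const out = {};
  for (const [name, length] of Object.entries(REPORTED)) {
    out[name] = classifyLength(length, maxLength).outcome;
  }
  return out;
}

/**
 * Perform a real allocation and report whether a thrown RangeError was
 * catchable in JS. Use only with lengths that are either small or certain
 * to be rejected up front (e.g. >= 2 ** 53), never the crashing lengths.
 */
function tryAllocate(length) {
  try {
    const a = new Uint8Array(length);
    return { ok: true, length: a.length };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('32-bit Smis:', predictAll(SMI_MAX_32BIT));
  console.log('31-bit Smis:', predictAll(SMI_MAX_31BIT));
  console.log('2**53 ->', tryAllocate(2 ** 53));
}
```

Under 32-bit Smis the first two lengths sit inside the limit and the third is rejected, matching comment 1; under 31-bit Smis all three are rejected before allocation, which is consistent with the bisect note that the ptr-compr change made the crash disappear and its revert brought it back.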
Dec 27

Tried checking the issue on reported Chrome version 71.0.3578.98 using Windows 10; able to reproduce the issue but very inconsistently. Hence marking it as Untriaged and cc'ing Igor Sheludko from comment#4 for further inputs. Thanks!
Dec 27
Jan 7
Comment 1 by viswa.karala@chromium.org, Dec 27