Chrome crashes when more than 128 MB is sent over XMLHttpRequest
Reported by ivan.kuc...@gmail.com, Jan 6
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Steps to reproduce the problem:
Go to https://jsfiddle.net/fd0g6eLr/ and run the 6 lines of code.
What is the expected behavior?
Data should be sent (as it works in Firefox and other browsers).
What went wrong?
Chrome window (frame) crashes.
Did this work before? N/A
Chrome version: 71.0.3578.98 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
I have 16 GB of RAM in my computer. Allocating 4 GB of memory with JS in Chrome works fine, but giving 128 MB to XMLHttpRequest kills my app. I really do need (hundreds of my users need) to send so much data in my use case. I can show it to you, if you want. This works fine in Firefox though.
Jan 7
Crash Report ID ea3e8a7ae598fe89
Judging by the crash site, there's a hard-limit at 256MiB. It's not clear though why it triggers for the test case which allocates only 135*10^6 Uint8 bytes. https://cs.chromium.org/chromium/src/mojo/core/node_channel.cc?l=726&rcl=7ac4da10
Anyway, you can send even bigger stuff by using FormData and Blob APIs.
Jan 7
So it seems like replacing xhr.send(data.buffer); with xhr.send(new Blob([data.buffer])); does the job. But why is there such limitation? I remember, when people wrote webs in a certain "strange" way 15 years ago, to overcome bugs in Internet Explorer, because it held the majority of the market. I really don't want us to do the same thing in the future because of Chrome(ium) :/
Jan 7
Able to reproduce the issue on reported chrome version #71.0.3578.98 and latest chrome #73.0.3664.0 using Mac OS 10.13.6, Ubuntu 17.10 and Windows 10 by following steps as per comment#0. The behaviour is seen from M-60 builds (#60.0.3112.113); considering it a non-regression, hence marking it as untriaged and requesting someone from the dev team to look into the issue. Note: In chrome version #60.0.3112.113, the whole page crashes after navigating to "https://jsfiddle.net/fd0g6eLr/". Attached screenshot for reference. Thanks!
Jan 7
I wonder if this is a "double the buffer" growth problem triggering the 2GB memory limit on the renderer.
Jan 7
I collected a crash report: crash/7a9825b80f5f7b20
Jan 7
There is a hard limit of 128MB per message in mojo: https://cs.chromium.org/chromium/src/ipc/ipc_channel.h?l=144&rcl=ebe14882b66eaa8c1a6fe0476684489cae490b53 The XHR code needs to use some kind of chunked messaging to support uploads greater than this limit.
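The two workarounds raised in this thread (wrapping the payload in a Blob, and chunking the upload so no single message hits the 128 MB IPC limit) can be combined client-side. The code below is an added example written for this page; it is not from the bug thread or from the Chromium tree. It splits a large ArrayBuffer into ranged parts, wraps each part in a Blob where the platform has one, and sends them sequentially through an injected transport. The 32 MiB cap, the Content-Range header and the server protocol that reassembles the parts are assumptions of the example, not anything the thread specifies.

```javascript
// Added example (not from this bug thread or the Chromium tree): keep each
// XMLHttpRequest body well below a fixed size by splitting a large upload
// into ranged chunks, so no single request depends on how the browser ships
// a big ArrayBuffer across its IPC boundary.

// Assumed per-request cap, chosen far below the 128 MiB figure quoted in the thread.
const DEFAULT_CHUNK_BYTES = 32 * 1024 * 1024;

// Normalise an ArrayBuffer or any ArrayBufferView to a Uint8Array over the same bytes.
function toUint8(buffer) {
  if (buffer instanceof ArrayBuffer) return new Uint8Array(buffer);
  if (ArrayBuffer.isView(buffer)) {
    return new Uint8Array(buffer.buffer, buffer.byteOffset, buffer.byteLength);
  }
  throw new TypeError('expected an ArrayBuffer or typed array');
}

// Compute [start, end) byte ranges covering totalBytes in pieces of at most chunkBytes.
function planChunks(totalBytes, chunkBytes = DEFAULT_CHUNK_BYTES) {
  if (!Number.isInteger(totalBytes) || totalBytes < 0) {
    throw new RangeError('totalBytes must be a non-negative integer');
  }
  if (!Number.isInteger(chunkBytes) || chunkBytes <= 0) {
    throw new RangeError('chunkBytes must be a positive integer');
  }
  const ranges = [];
  for (let start = 0; start < totalBytes; start += chunkBytes) {
    ranges.push({ start, end: Math.min(start + chunkBytes, totalBytes) });
  }
  return ranges;
}

// Turn a buffer into the list of request parts to send, each carrying a
// Content-Range header (the server-side reassembly protocol is an assumption
// of this example). Bodies are views into the original bytes, so nothing is copied here.
function chunkUpload(buffer, chunkBytes = DEFAULT_CHUNK_BYTES) {
  const bytes = toUint8(buffer);
  return planChunks(bytes.byteLength, chunkBytes).map(({ start, end }) => ({
    headers: { 'Content-Range': `bytes ${start}-${end - 1}/${bytes.byteLength}` },
    body: bytes.subarray(start, end),
  }));
}

// Send the parts one after another through an injected transport
// send(url, body, headers) -> Promise. Each body is wrapped in a Blob when the
// platform has one (the thread reports Blob-backed sends surviving where a raw
// ArrayBuffer crashed); otherwise the typed-array view is passed through.
async function uploadInChunks(url, buffer, send, chunkBytes = DEFAULT_CHUNK_BYTES) {
  const parts = chunkUpload(buffer, chunkBytes);
  for (const { headers, body } of parts) {
    const payload = typeof Blob === 'function' ? new Blob([body]) : body;
    await send(url, payload, headers);
  }
  return parts.length;
}

// Browser transport: one XMLHttpRequest per part, resolved on a 2xx status.
function xhrSend(url, body, headers) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('POST', url);
    for (const [name, value] of Object.entries(headers)) xhr.setRequestHeader(name, value);
    xhr.onload = () => (xhr.status >= 200 && xhr.status < 300
      ? resolve(xhr.status)
      : reject(new Error('HTTP ' + xhr.status)));
    xhr.onerror = () => reject(new Error('network error'));
    xhr.send(body);
  });
}

// Example usage in a page (135e6 bytes mirrors the reporter's test case):
//   uploadInChunks('/upload', new Uint8Array(135e6), xhrSend)
//     .then(n => console.log(n + ' parts sent'));
```

Because the cap is applied before anything reaches XMLHttpRequest, the upload stays under the limit whether or not a memory-backed Blob would have been accepted, which sidesteps the disagreement later in the thread about which Blob kinds are safe.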
Jan 7
Maybe it'd be easier to automatically wrap it in something blob-like when the size is big since blobs are fine. Provided the output will remain the same, of course.
Jan 7
Blobs are only fine if they are file-backed. I believe memory-backed blobs have the same problem. At least, the demo crashed for me when I tried using a blob created by javascript.
Jan 7
Seems to send a ~2 GiB blob just fine in Chrome 71.
Assuming you run python -m SimpleHTTPServer 80
<script>
// Build a ~95 MiB string: Array(10e6).join(...) repeats the 10-char filler 10e6-1 times.
var str = Array(10e6).join('a'.repeat(10));
// 21 copies in one memory-backed Blob: roughly 2 GiB of text/plain body.
var blob = new Blob(Array(21).fill(str), {type: 'text/plain'});
// Show the Blob size so the amount sent can be compared with the limit under discussion.
document.write((blob.size / (1024*1024)).toFixed(1) + ' MiB');
// POST the Blob to the local test server started above.
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://localhost');
xhr.send(blob);
</script>
And up to 1.5GiB since 72.0.3604.0:
https://chromium.googlesource.com/chromium/src/+log/75812456..18a9ef45?pretty=fuller
Judging by the stacktrace, it's something in V8.
Jan 7
#c11 script crashes for me in devtools. See attached screenshot.
Jan 7
DevTools seems to interfere. Try replacing 21 with something lower like 15 or 10 or run via an html file. Anyway, my point was a memory-backed Blob doesn't have that 128/256 MiB restriction.
Jan 15
Comment 1 by susan.boorgula@chromium.org, Jan 7