RESOLVED WONTFIX 107115
Web Inspector: Crash for console.log(<large array object>) 
https://bugs.webkit.org/show_bug.cgi?id=107115
Summary Web Inspector: Crash for console.log(<large array object>)
Andrey Adaikin
Reported 2013-01-17 04:36:15 PST
The following test case crashes Chrome: var g = []; g[4294967294] = 4294967294; console.dir(g); Patch to follow.
Attachments
Patch (9.09 KB, patch)
2013-01-17 04:39 PST, Andrey Adaikin 		no flags
DetailsFormatted DiffDiff
Patch (8.94 KB, patch)
2013-01-21 03:28 PST, Andrey Adaikin 		yurys: review-
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Andrey Adaikin
Comment 1 2013-01-17 04:39:56 PST
Created attachment 183163 [details] Patch
Andrey Adaikin
Comment 2 2013-01-21 03:28:25 PST
Created attachment 183748 [details] Patch
Yury Semikhatsky
Comment 3 2013-01-21 05:28:01 PST
Comment on attachment 183748 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=183748&action=review > Source/WebCore/bindings/v8/ScriptValue.h:131 > + bool isArray(unsigned* length = 0) const; I'd rename it to arrayLength > LayoutTests/inspector/console/console-big-array.html:56 > + g[4294967294] = 4294967294; Should this be fixed in the VM instead? It works fine for sparse arrays with smaller length.
Yury Semikhatsky
Comment 4 2013-01-21 05:31:37 PST
(In reply to comment #3) > (From update of attachment 183748 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=183748&action=review > > Should this be fixed in the VM instead? It works fine for sparse arrays with smaller length. The following code just crashes Chromium tab: <script> var g = []; g[4294967294] = 4294967294; var str = g.toString(); </script> so I don't think fixing it for inspector is enough.
Andrey Adaikin
Comment 5 2013-01-21 06:07:12 PST
Agreed. Filed a bug downstream: https://code.google.com/p/chromium/issues/detail?id=171231
Note You need to log in before you can comment on or make changes to this bug.