Fixed

Bug

Status Update

No update yet.

Description

ch...@google.com

created issue on behalf of rl...@gmail.com #1

Sep 22, 2024 02:13PM

Steps to reproduce the problem

Clone https://github.com/rluvaton/chromium-bug-in-large-text
Open index.html
wait for a second and then it crash

<--- Last few GCs --->

[27023:0x13800ce0000]  1254844 ms: Mark-Compact (reduce) 3203.2 (3276.7) -> 3203.2 (3275.5) MB, pooled: 0 MB, 3.96 / 0.00 ms  (average mu = 1.000, current mu = 0.011) last resort; GC in old space requested

Problem Description

When having very long string concatenation the tab crashes with OOM, when it is a single string it does not crash

Summary

when having a really long string (500KB) concatenation, the tab crashes with out-of-memory (OOM)

Custom Questions

Crashed report ID:

nope

How much crashed?

Just one tab

Is it a problem with a plugin?

No - It's the browser itself

Additional Data

Category: Crashes
Chrome Channel: Stable
Regression: Yes

fields.txt

41 KB

View

Download

Comments

dm...@bringg.com <dm...@bringg.com> #2Sep 23, 2024 08:11AM

the problem seem to be such a big number of string concat operators within a single expresion
rather than in concating big strings itself

Message last modified on Sep 23, 2024 08:12AM

rl...@gmail.com <rl...@gmail.com> #3Sep 23, 2024 09:22AM

It fails in canary (131.0.6734.0) as well

de...@google.com <de...@google.com> #4Sep 23, 2024 01:49PM

Able to reproduce the issue on chrome version #129.0.6668.59 using Mac 14.6,1, @indows 10, Linux Debian as per

comment#1

Reproducible on
=============
131.0.6734.0- Canary
131.0.6724.0- Dev
130.0.6723.6- Beta
129.0.6668.59- Stable

Bisect Information:
-----------------------------
Good Build: 129.0.6625.0
Bad Build: 129.0.6626.0

Bisect Script: python3 bisect_builds.py -o -a mac -g 129.0.6625.0 -b 129.0.6626.0
Change log:

https://chromium.googlesource.com/chromium/src/+/b8188a8e0a3c0131c8de0e9c69c948f71d81218e

Unable to find the relevant suspect from the above change log, hence marking this issue as Untriaged and requesting Dev team to have a look and provide correct suspect.
Adding ReleaseBlock-Stable as the issue break is seen on M129, please feel free to remove it.

Thanks..!!

rl...@gmail.com <rl...@gmail.com> #5Sep 23, 2024 01:51PM

You beat me to it, I'm in the middle of git bisect

rl...@gmail.com <rl...@gmail.com> #6Sep 23, 2024 01:59PM

It looks like `2024-07-29 leszeks@chromium.org [parser] Constant fold string literal addition`, no?

from V8:

https://chromium.googlesource.com/v8/v8.git/+/b287912d23f7f3d88174d7cde2b17d8d3ded034e

Message last modified on Sep 23, 2024 02:02PM

le...@chromium.org <le...@chromium.org> #7Sep 23, 2024 02:32PM

Assigned to le...@chromium.org.

I'll take a look.

rl...@gmail.com <rl...@gmail.com> #8Sep 23, 2024 02:36PM

Is it possible that all string steps (the concat values) are not GCed and it kept in memory?

like: having "AA" + "BBB" + "C"

so the following strings are kept in memory:

"AA"
"BBB"
"C"
"AABBB"
"AABBBC"

and having this with a large amount of strings can easily reach the limit

pe...@google.com <pe...@google.com> #9Sep 23, 2024 02:42PM

This issue appears to be blocking an upcoming release and is therefore an Urgent Release Blocking Issue as per http://go/chrome-slo#release-blocking-issues. Bumping the priority to P0 to better reflect the urgency.

If this is not a release blocking issue, please adjust the release block field. Adjusting the priority will have no affect, P0 will be re-applied whilever this is marked as a release blocking issue.

le...@chromium.org <le...@chromium.org> #10Sep 24, 2024 06:54AM

Lowering prio and removing RB

rl...@gmail.com <rl...@gmail.com> #11Sep 24, 2024 03:54PM

I tried to give it a shot but was unsuccessful, I tried to use the ZoneScope in ParserBase<Impl>::ParseBinaryContinuation to free any intermediate concatenation but was unable to make it work as my v8 codebase knowledge is not the best (I'll try to contribute in the future for sure I think it will help me be better Node.js contributor as well)

rl...@gmail.com <rl...@gmail.com> #12Sep 29, 2024 08:27AM

leszeks@chromium.org Can we revert it?

le...@google.com <le...@google.com> #13Sep 30, 2024 07:23AM

No, OOMs are generally not considered a reason for revert unless they're memory leaks or reproducible on small examples; this one OOMs on a huge JSON, so it would likely be close to OOMing even without that example. Let me take a quick look now though.

rl...@gmail.com <rl...@gmail.com> #14Sep 30, 2024 08:19AM

It's a string it doesn't matter that it's building a JSON

And it's quite common for webpack and babel

Also it's not even close to have OOM before that change as it's only 0.5MB

le...@google.com <le...@google.com> #15Sep 30, 2024 08:40AM

Yeah I agree it's not ideal. I'm thinking we can represent this as a cons string (a "rope") and only flatten at the end -- this would have the advantage that this giant string then also isn't internalized.

le...@chromium.org <le...@chromium.org> #16Sep 30, 2024 08:42AM

That said, this is crashing on heap string allocation, not in the parser...

ap...@google.com <ap...@google.com> #17Oct 1, 2024 06:30PM

Project: v8/v8
Branch: main
Author: Leszek Swirski <leszeks@chromium.org>
Link: https://chromium-review.googlesource.com/5898672

[parser] Fold strings as AstConsString

Expand for full commit details

[parser] Fold strings as AstConsString

To avoid O(N^2) allocations for string constant folding, fold strings as
AstConsString when there is string literal addition, and only flatten
them on final allocation.

This has the consequence that the bytecode constant pool will contain
materialized AstConsStrings, which are currently not internalized. This
shouldn't present a problem since these strings could have equally well
been computed at runtime.

Bug: 368791119
Change-Id: Id1a24e5c076bf6f308e3487f3d4b603ba373ebed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5898672
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#96373}

Files:

M src/ast/ast-value-factory.h
M src/ast/ast.cc
M src/ast/ast.h
M src/ast/prettyprinter.cc
M src/diagnostics/objects-debug.cc
M src/interpreter/bytecode-array-builder.cc
M src/interpreter/bytecode-array-builder.h
M src/interpreter/bytecode-generator.cc
M src/interpreter/constant-array-builder.cc
M src/interpreter/constant-array-builder.h
M src/parsing/parser.cc
M src/parsing/parser.h

Hash: e7c0a6450d4182b44d3fd602d2c214f6150ba0f0
Date: Mon Sep 30 13:23:22 2024

ma...@gmail.com <ma...@gmail.com> #18Oct 7, 2024 12:45PM

Hello Do you know when this commit could be merged? We are facing the issue.
Thank you

le...@chromium.org <le...@chromium.org> #19Oct 8, 2024 12:17PM

It's in 131, which should get to stable in mid-November

so...@gmail.com <so...@gmail.com> #20Feb 13, 2025 04:35PM

Is there any update regarding this issue?

le...@chromium.org <le...@chromium.org> #21Feb 13, 2025 05:36PM

Marked as fixed.

This should be fixed in #17, if it's not please file a bug with a repro.

so...@gmail.com <so...@gmail.com> #22Feb 27, 2025 04:12PM

I cannot figure out which version is this then going to be fixed in?