Status: New
Owner: ----

New issue 3832 by [email protected]: Array variable suddenly becomes number
https://code.google.com/p/v8/issues/detail?id=3832

Within the Quip (https://quip.com) editor we have begun getting exceptions that array.push (where "array" is an array variable) is not a function.

Specifically, with the source https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz, we get the following exception:

TypeError: Cannot read property 'apply' of undefined
TypeError: Cannot read property 'apply' of undefined
    at ym (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:784:641)
    at zy (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1423:257)
    at sy (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1101:50)
    at oy (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1098:133)
    at Hs (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1096:134)
    at WebSocket.<anonymous> (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1082:305)
    at WebSocket.J.e (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:796:203)

Annotating the stack with the source lines gives:

at ym (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:784:641) ym(a,b){a.push.apply(a,b)}function zm(a,b){if(Array.prototype.filter&&a.filter)return a.filter(b);for(var c=[],d=0;d<a.length;d++)b(a[
                      ^
at zy (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1423:257) zy(a,b){a.zs?ym(a.zs,b):(a.zs=b,a.ED=[],a.BL=I(n(a.cO,a),500))}function my(a,b){a.zs?a.ED.push(b):b()}
                      ^
at sy (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1101:50) .Jg()==Ww(d)&&zy(d,f));1==a.type&&a.thread_id==bt()&&a.id==uy()&&(d=Wo(a.metadata_json,bg),wy(d));0==a.type&&a.thread_id==bt()&&(d=Wo(
                      ^
at oy (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1098:133) [a])),b=sn());sy(a);if(Lx){var c=b,b=Lx,c=sn()-c,d=a.type;q(d)|| (d=-1);var e=b.Ev[d];e||(e=b.Ev[d]={count:0,total:0});e.count++;e.tota
                      ^
at Hs (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1096:134) ),by.push(a)):oy(a),a.listen_cursor&&(b=parseInt(a.listen_cursor,10),b<=Qx?so(po,"listen_cursor_decrease",{listen_cursor:Qx,new_listen
                      ^
at WebSocket.<anonymous> (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:1082:305) ",function(a){d(Yo(a.data))})}function hx(){return Yw.listen}function Yu(a){if(!bx){var b=Zw[a];b&&(delete Zw[a],mn(b.gL),cx(b.hostnam
                      ^
at WebSocket.J.e (https://d2i1pl9gz4hwa7.cloudfront.net/5jkIA6z7Jd8f0xwqdGgyfA-gz:796:203) tion"]))try{c.call(this,a)}catch(e){throw"paste"!=b&&"cut"!=b|| Qn(a),la(e),e;}};a.addEventListener(b,e,f)}else e=function(a){if(!Pn||"
                      ^

"ym" corresponds to the following unobfuscated code (we use the Closure Compiler):

/**
 * Appends all of {@code src} to {@code array}.
 *
 * @param {Array} array
 * @param {arrays.ArrayLike} src
 */
arrays.extend = function(array, src) {
    array.push.apply(array, src);
};

And "zy" to the following:

/**
 * @param {Array.<editor.PendingUpdate>} input
 */
editor.Document.prototype.batchUpdate = function(input) {
    /** @const */
    var kBatchUpdateWindow = 500;
    if (!this.updateBatch_) {
        this.updateBatch_ = input;
        this.updateBatchCallbacks_ = [];
        this.updateBatchTimeout_ = loop.setTimeout(
            base.bind(this.applyBatchUpdate_, this), kBatchUpdateWindow);
    } else {
        arrays.extend(this.updateBatch_, input);
    }
};

Happy to provide more unobfuscated source if it's helpful, but "input" is always an array, and updateBatch_ is only ever assigned "input" or "null".

I have also seen this bug happen when running with raw JavaScript (without the Closure Compiler), thus it is not due to aliasing of properties in the compiled JS.

I have managed to catch it in the debugger once, and observed very perplexing behavior. Within the arrays.extend() frame, "array" is shown as being a number, with the value 2.33237842327835e-310. Within the batchUpdate frame this.updateBatch_ is shown as also being a number, but with the value 1.04191922643814e-310.
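As an added diagnostic example (not part of the report), the snippet below decodes the two values observed in the debugger into their raw IEEE-754 bit patterns: both are subnormal doubles whose set bits fit within the 47-bit canonical user-space address range on x86-64, which is the quick check a triager uses to distinguish a genuinely tiny number from an object pointer being misread as an unboxed double. That pointer reading is an assumption for illustration, not something the report itself establishes.

```javascript
// Added example, not from the bug report: inspect the bit pattern of a
// JavaScript number that "should" have been an array.
function doubleToBits(value) {
  const buf = new ArrayBuffer(8);
  new Float64Array(buf)[0] = value;
  // Read back as an unsigned 64-bit integer (little-endian host layout).
  return new DataView(buf).getBigUint64(0, true);
}

function classifyDouble(value) {
  const bits = doubleToBits(value);
  const exponent = Number((bits >> 52n) & 0x7ffn);
  const mantissa = bits & ((1n << 52n) - 1n);
  return {
    hex: '0x' + bits.toString(16).padStart(16, '0'),
    // Exponent field of zero with a non-zero mantissa marks a subnormal double.
    subnormal: exponent === 0 && mantissa !== 0n,
    // Number of significant bits in the raw pattern; a canonical x86-64
    // user-space pointer occupies at most 47 bits.
    bitWidth: bits === 0n ? 0 : bits.toString(2).length,
  };
}

// The two values quoted in the report (arrays.extend frame, batchUpdate frame).
const REPORTED_VALUES = [2.33237842327835e-310, 1.04191922643814e-310];

function analyzeReported() {
  return REPORTED_VALUES.map(classifyDouble);
}

for (const v of REPORTED_VALUES) {
  console.log(v, classifyDouble(v));
}
```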

We received our first report of this on 2014-11-30T19:33:20.416591 (all times are PST) from a user with the user agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2234.0 Safari/537.36". We have continued to see reports since then, the most recent from 41.0.2272.3 on Mac OS X 10.9.5. I have attached a list of the timestamps of all the reports that we have received and their user agents. Most of them are from Mac users, but I think that's just because of how our user-base skews; there are also a few from Windows and Linux users.

Apologies for not being able to currently provide a consistent reproduction or a reduced test case, but I'm not sure where to start. Let me know if there's any other information I can provide.

Attachments:
        user-agents.txt  13.7 KB

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev