This malformed gradient freezes Brackets when trying to display the popover hover preview; the Brackets Helper process uses 100% CPU:

```css
background-image: -webkit-gradient(linear, left bottom, left top, color-stop(0.25, #ccc), color-stop(0.25, rgba(0,0,0,0));
```

(note the missing parenthesis not ending the -webkit-gradient())
Tested on OSX 10.7.5 on builds 24, 25, 27, 28, so this has been in Brackets since the hover preview was added in core.
From our IRC conversation, @JeffryBooher traced it to the gradient parsing regex exec() call.
extensions/default/quickview/main.js:180
Just to make sure:
- I tried the regex in Chrome itself, and it froze. See for yourself here: http://jsbin.com/eyoful/1/edit - this "works" in FF 22, Safari 6.0.5 (7536.30.1) but hangs Chrome 30.0.1573.2 (a recent Chrome dev), and 30.0.1581.2 (latest Chrome dev ATM) & 30.0.1584.0 (Canary ATM).
It seems the regex is causing exponential backtracking, which V8 doesn't account for (at least this issue https://code.google.com/p/v8/issues/detail?id=430 mentioned it didn't in 2009 — while other browsers' JS engines will terminate after a number of backtracking steps has been reached, explaining why Safari and FF eventually end up finishing the regex execution) but should have been caught by the long-running script behavior, and it seems some versions of Chrome fail to detect it. Chrome version 30.0.1573.2 doesn't show the unresponsive script dialog, and so the process hangs indefinitely, while the 30.0.1581.2 & 30.0.1584.0 were able to detect it in 99% of the cases. It seems still somewhat present in those later versions, as when fiddling with hiding and showing the jsbin tab after asking it to run, Chrome used 100% CPU without being detected again.
I don't know how/if CEF provides these hooks, but maybe their Chrome rev displays the same bug(s) as these Chrome versions which sometimes don't detect the long running js.
- Tried on build 20 as well, and since there is no hover preview there, it doesn't hang Brackets.
- Tried @gruehle's old hover preview extension gradient regex https://github.com/gruehle/HoverPreview/blob/master/main.js#L138 and this one doesn't hang (but of course is incomplete compared to the one in core right now).
So, to sum up: the regex is probably not safe, and there's probably also another Chrome bug in there preventing the regular safeguards from detecting the kind of cases where the regex is not safe.
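
Added example, not part of the original report and not Brackets code: one way to avoid handing unterminated input to a backtracking regex is to pull out the gradient call with a single-pass, length-capped parenthesis scanner and skip the preview when the call never closes. The names `parseGradientCall` and `maxLen` and the 2048-character cap are assumptions made for this sketch.

```javascript
// Added example: linear-time scanner for one CSS gradient function call.
// parseGradientCall and maxLen are hypothetical names, not Brackets APIs.

// Only locates the function name; no nested quantifiers, so no runaway backtracking.
const GRADIENT_START =
    /(?:-(?:webkit|moz|ms|o)-)?(?:repeating-)?(?:linear-|radial-)?gradient\(/;

function parseGradientCall(css, maxLen = 2048) {
    const m = GRADIENT_START.exec(css);
    if (!m) return null;
    const open = m.index + m[0].length;              // first char after "("
    const end = Math.min(css.length, open + maxLen); // hard bound on work done
    const args = [];
    let depth = 1;
    let argStart = open;
    for (let i = open; i < end; i++) {
        const ch = css[i];
        if (ch === "(") {
            depth++;
        } else if (ch === ")") {
            if (--depth === 0) {
                args.push(css.slice(argStart, i).trim());
                return { name: m[0].slice(0, -1), args, text: css.slice(m.index, i + 1) };
            }
        } else if (ch === "," && depth === 1) {
            args.push(css.slice(argStart, i).trim()); // top-level argument boundary
            argStart = i + 1;
        } else if (ch === ";" || ch === "}") {
            return null; // declaration ended while the call was still open
        }
    }
    return null; // unbalanced, or longer than maxLen
}

// The malformed declaration from the report, and a corrected copy (constructed).
const MALFORMED = "background-image: -webkit-gradient(linear, left bottom, left top, " +
    "color-stop(0.25, #ccc), color-stop(0.25, rgba(0,0,0,0));";
const FIXED = MALFORMED.replace("));", ")));");

console.log(parseGradientCall(MALFORMED)); // null: the call is never closed
console.log(parseGradientCall(FIXED).args);
```

Each character is visited once, so the cost stays proportional to the input length whether or not the parentheses balance.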