* feat: capture JS stack trace on renderer OOM
When a renderer process approaches its V8 heap limit, capture the
JavaScript stack trace and write it to both a Crashpad crash key
("js-oom-stack") and stderr.
The stack trace is captured via RequestInterrupt rather than directly
inside the NearHeapLimitCallback because CurrentStackTrace is unsafe
to call during OOM — V8 FATALs on optimized (TurboFan) frames that
have had their deoptimization data garbage-collected. RequestInterrupt
defers the capture to the next V8 safe point, where all frames are
guaranteed to have deopt data available. This matches Node.js's
approach of never capturing JS stacks inside the heap limit callback.
The callback is registered once per isolate via an atomic guard in
RendererClientBase::DidCreateScriptContext, preventing the CHECK
failure V8 raises on duplicate AddNearHeapLimitCallback registrations
(which would otherwise occur on page navigations or multiple contexts).
Refs: #46078
Made-with: Cursor
* Update shell/renderer/oom_stack_trace.cc
Co-authored-by: Niklas Wenzel <dev@nikwen.de>
* Update shell/renderer/oom_stack_trace.cc
Co-authored-by: Niklas Wenzel <dev@nikwen.de>
* test: add crash reporter test for OOM JS stack trace
Add a test that verifies the `electron.v8-oom.stack` crash key contains
the JS stack trace (including function names) when a renderer process
runs out of memory. Also deduplicate the heap info formatting in
oom_stack_trace.cc.
Refs: #46078
Made-with: Cursor
* fix: lint formatting in oom_stack_trace.cc
Made-with: Cursor
* fix: use proper logger API instead of cstdio
* fix: check heap headroom before capturing OOM stack trace
deepak1556: "Should there be check for available heap size [for]
CurrentStackTrace and formatting"
CurrentStackTrace allocates StackTraceInfo + StackFrameInfo on the V8
heap. If the 20 MB bump is partially consumed by the time the interrupt
fires, these allocations trigger a secondary OOM. Guard with a 2 MB
headroom check.
Made-with: Cursor
* fix: handle V8 cage limit when bumping heap for OOM stack capture
deepak1556: "Does this bumping work when we are at the cage limit of
4GB"
V8's pointer compression cage caps the heap at ~4 GB. When
current_heap_limit is already near the ceiling, our 20 MB bump gets
clamped to zero and the interrupt never fires. Detect this and record
heap info as the final crash key instead of waiting for a stack trace
that won't arrive.
Made-with: Cursor
* feat: add V8 heap statistics as OOM crash keys
deepak1556: "V8 seems to capture heap stats as crash keys but it gets
missed today due to the OOM callback override... wonder if we can
include that to get some more heuristics in the dump."
Record heap used/total/limit/available, per-space stats for old_space
and large_object_space, native/detached context counts, and utilization
percentage as crash keys. Also add heap stats in the V8OOMErrorCallback
in node_bindings.cc for the final OOM crash report.
Made-with: Cursor
* feat: support worker thread isolates for OOM stack trace
deepak1556: "You need a separate registration for worker threads via
WorkerScriptReadyForEvaluationOnWorkerThread but that also means the
process global g_registered_isolate would break."
Chromium has one V8 isolate per thread (main + one per web worker), so
thread_local is equivalent to per-isolate storage. Replace the global
atomic + mutex/set with a constinit thread_local OomState* that holds
the isolate pointer and per-isolate is_in_oom flag. The void* data
parameter on AddNearHeapLimitCallback delivers OomState* directly into
callbacks, so the hot path needs no TLS lookup.
Add WorkerScriptReadyForEvaluationOnWorkerThread and
WillDestroyWorkerContextOnWorkerThread overrides to RendererClientBase
so both ElectronRendererClient and ElectronSandboxedRendererClient get
worker OOM registration. Update ElectronRendererClient to call the base
class in both worker lifecycle methods.
Add a web worker OOM test that spawns a dedicated Worker with a memory
leak and verifies the stack trace captures the worker function name.
Made-with: Cursor
* fix: register OOM callback for all script contexts
When context isolation is enabled, ShouldNotifyClient skips
DidCreateScriptContext for the main world, but user JS still runs there
and can OOM. Register in DidInstallConditionalFeatures which fires for
every script context. The TLS dedup guard prevents double-registration
on the same isolate.
Made-with: Cursor
* fix: guard against division by zero and cage size changes in OOM handler
Add a zero-guard on heap_size_limit before computing utilization
percentage — maximizes robustness in an OOM code path.
Add static_assert on kPtrComprCageReservationSize to catch any
upstream V8 change to the cage size at compile time.
Made-with: Cursor
* fix: address review feedback on OOM stack trace PR
- Remove redundant RegisterOomStackTraceCallback from
electron_render_frame_observer.cc; DidCreateScriptContext is sufficient
since main world and isolated world share the same isolate
- Replace thread_local OomState* with base::ThreadLocalOwnedPointer
wrapped in base::NoDestructor per Chromium style for non-trivially
destructible types
- Change heap-headroom and cage-limit logs from ERROR to INFO since
users cannot act on these diagnostics
- Add comment explaining why base class is called last in
WillDestroyWorkerContextOnWorkerThread (OOM deregistration ordering)
Made-with: Cursor
* fix: skip OOM stack trace registration for worklet contexts
Worklets can share a thread and isolate via WorkletThreadHolder's
per-process singleton pattern. With per-thread OOM state, the first
worklet to be destroyed would prematurely remove the callback for
any remaining worklets on the same thread. Skip worklets entirely
to avoid this; can be revisited with ref-counting if needed.
Made-with: Cursor
* fix: prevent dangling raw_ptr<v8::Isolate> in OOM state
The OomState held a raw_ptr<v8::Isolate> that outlived the isolate on
the main thread: gin::IsolateHolder destroyed the isolate during
shutdown, but the OomState (stored in thread-local storage) was only
released later in JavascriptEnvironment::~JavascriptEnvironment. This
triggers a dangling pointer check when building with
enable_dangling_raw_ptr_checks.
Register OomState as a gin::PerIsolateData::DisposeObserver so it
clears the raw_ptr and removes the NearHeapLimitCallback before the
isolate is destroyed, regardless of destructor ordering.
Suggested-by: Deepak Mohan
Made-with: Cursor
* test: verify OOM crash keys end-to-end via crash reporter
Replace stderr-based OOM tests with end-to-end crash dump validation.
Instead of parsing log output, start a crash reporter server, trigger
renderer OOM, and verify the uploaded crash dump contains the expected
`electron.v8-oom.*` annotations — the same code path production crash
reports take.
Consolidate all OOM test scenarios (basic heap leak, JSON.stringify,
web worker) into a single `describe('OOM crash keys')` block inside
api-crash-reporter-spec using the existing crash fixture app with new
renderer-oom-json and renderer-oom-worker crash types.
The web worker test verifies that OOM crash keys are present but does
not assert on the JS function name: the 20 MB heap bump may be
exhausted before V8 reaches a safe point to fire the stack-capture
interrupt, leaving the crash key at "(stack pending)". Increasing the
bump or switching to a synchronous capture strategy would fix this but
is left for a follow-up.
Remove the standalone oom-stack-trace-spec.ts and its fixture app.
Made-with: Cursor
---------
Co-authored-by: Niklas Wenzel <dev@nikwen.de>
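A simplified model of the guards described in the OOM commit messages above (deferred capture, the 2 MB headroom check, the cage-limit clamp, and the utilization zero-guard). It is an added illustration, not code from oom_stack_trace.cc and not V8 API usage. `OomModel`, `OnNearHeapLimit`, `OnInterrupt`, `UtilizationPercent` and the "(heap info only)" marker are hypothetical names; the 20 MB bump, 2 MB headroom, ~4 GB cage and "(stack pending)" come from the messages.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>

constexpr uint64_t kMB = 1024ull * 1024ull;
constexpr uint64_t kHeapBump = 20 * kMB;       // temporary raise of the heap limit
constexpr uint64_t kMinHeadroom = 2 * kMB;     // room needed to build the stack trace
constexpr uint64_t kCageCeiling = 4096 * kMB;  // assumed ~4 GB pointer-compression cage

// Per-isolate state (hypothetical stand-in for the OomState in the messages).
struct OomModel {
  bool in_oom = false;               // set on first near-limit notification
  bool interrupt_requested = false;  // capture deferred to the next safe point
  std::string crash_key;             // models the stack crash key value
};

// Models the near-heap-limit callback: returns the new heap limit.
// No stack is captured here; capture is only scheduled.
uint64_t OnNearHeapLimit(OomModel& s, uint64_t current_limit) {
  if (s.in_oom) return current_limit;  // already handling OOM: no second bump
  s.in_oom = true;
  const uint64_t raised = std::min(current_limit + kHeapBump, kCageCeiling);
  if (raised <= current_limit) {
    // Bump clamped to zero at the cage ceiling: the interrupt would never
    // fire, so heap info becomes the final value of the key.
    s.crash_key = "(heap info only)";
    return current_limit;
  }
  s.crash_key = "(stack pending)";
  s.interrupt_requested = true;
  return raised;
}

// Models the interrupt that runs at the next safe point. Returns true if the
// stack was captured; otherwise the key keeps its previous value.
bool OnInterrupt(OomModel& s, uint64_t used, uint64_t limit) {
  if (!s.interrupt_requested) return false;
  const uint64_t available = limit > used ? limit - used : 0;
  if (available < kMinHeadroom) return false;  // capturing would OOM again
  s.crash_key = "<captured JS stack>";
  return true;
}

// Utilization for the heap-stats crash keys, with the zero-limit guard.
uint64_t UtilizationPercent(uint64_t used, uint64_t limit) {
  return limit == 0 ? 0 : used * 100 / limit;
}
```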
fix: fix launch crash when null device is disabled on Windows
add node flag node::ProcessInitializationFlags::kNoStdioInitialization
Co-authored-by: yangzuohui <yangzuohui@bytedance.com>
Co-authored-by: yangliu <yangliu.leo@bytedance.com>
Dynamic ESM import in non-context-isolated preload
Extend `HostImportModuleWithPhaseDynamically`'s routing to support
Node.js import resolution in non-context-isolated preloads through
`v8_host_defined_options` length check. The length of host defined
options is distinct between Blink and Node.js and we can use it to
determine which resolver to use.
* chore: bump chromium in DEPS to 141.0.7352.0
* chore: update patches
* 6830573: Revert 'Migrate WrappableWithNamedPropertyInterceptor to gin::Wrappable' | https://chromium-review.googlesource.com/c/chromium/src/+/6830573
* chore: bump chromium in DEPS to 141.0.7354.0
* chore: bump chromium in DEPS to 141.0.7356.0
* chore: bump chromium in DEPS to 141.0.7357.0
* chore: bump chromium in DEPS to 141.0.7359.0
* chore: bump chromium in DEPS to 141.0.7361.0
* 6838518: [Mac] Correctly deallocate sandbox error buffers and prevent crash resulting from nullptr assignment | https://chromium-review.googlesource.com/c/chromium/src/+/6838518
* 6850973: Reland "Use base::ByteCount in base::SysInfo." | https://chromium-review.googlesource.com/c/chromium/src/+/6850973
* 6506565: [FPF-CI] Create initial NoiseHash in the browser. | https://chromium-review.googlesource.com/c/chromium/src/+/6506565
* chore: update patches
* fixup! 6850973: Reland "Use base::ByteCount in base::SysInfo." | https://chromium-review.googlesource.com/c/chromium/src/+/6850973
* fixup! 6506565: [FPF-CI] Create initial NoiseHash in the browser. | https://chromium-review.googlesource.com/c/chromium/src/+/6506565
* fix: unsafe buffer warning in fix_properly_honor_printing_page_ranges.patch
* fix: FTBFS in src_remove_dependency_on_wrapper-descriptor-based_cppheap.patch
This change should be upstreamed.
Fixes this error:
../../third_party/electron_node/src/env.cc:606:3: error: no matching function for call to 'Wrap'
606 | v8::Object::Wrap<v8::CppHeapPointerTag::kDefaultTag>(
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../v8/include/v8-object.h:1076:14: note: candidate function template not viable: cannot convert argument of incomplete type 'void *' to 'v8::Object::Wrappable *' for 3rd argument
1076 | void Object::Wrap(v8::Isolate* isolate, const v8::Local<v8::Object>& wrapper,
| ^
1077 | v8::Object::Wrappable* wrappable) {
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../v8/include/v8-object.h:1084:14: note: candidate function template not viable: no known conversion from 'Local<Object>' to 'const PersistentBase<Object>' for 2nd argument
1084 | void Object::Wrap(v8::Isolate* isolate, const PersistentBase<Object>& wrapper,
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../v8/include/v8-object.h:1093:14: note: candidate function template not viable: no known conversion from 'Local<Object>' to 'const BasicTracedReference<Object>' for 2nd argument
1093 | void Object::Wrap(v8::Isolate* isolate,
| ^
1094 | const BasicTracedReference<Object>& wrapper,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
* [v8-init] Access crash key only from main thread | https://chromium-review.googlesource.com/c/chromium/src/+/6827167
* chore: e patches all
* chore: remove chore_restore_some_deprecated_wrapper_utility_in_gin.patch from patches
this remove line got re-added when rebasing roller/chromium/main
* chore: e patches all
* fix: include base/time/time.h when using base::Time
* chore: update patches
* Make --host-rules an alias for --host-resolver-rules.
Refs https://chromium-review.googlesource.com/c/chromium/src/+/4867872
* ci: update BUILD_TOOLS_SHA
Refs https://github.com/electron/build-tools/pull/746
* [Fontations] Remove Fontations suffix from font names
Refs https://chromium-review.googlesource.com/c/chromium/src/+/6835930
* temp: debug macOS addon build failure
* Revert "temp: debug macOS addon build failure"
This reverts commit 40bc8abab65dc83e17c4ab97cb6e7522a193fb44.
* test: run tests with Xcode 16.4
* ci: fix tccdb update for macOS 15
* spec: disable opening external application for loadURL
on macOS opening unknown external application will bring
up dialog to choose apps from application store which will
break our other test suites that want to capture screen
for pixel matching.
The loadURL spec that tests bad-scheme://foo is sufficient
that we hit the permission handler for openExternal since
at that point we already know the runtime gave up on handling
the scheme.
* chore: rebase patches
* chore: disable codesigning tests
* ci: update ScreenCaptureApprovals.plist for /bin/bash
* ci: try updating tcc permissions
* ci: update TCC permissions
Refs https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
* chore: test with 1st quadrant of the window
* chore: adjust for macOS 15 menubar height
---------
Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Keeley Hammond <khammond@slack-corp.com>
Co-authored-by: Keeley Hammond <vertedinde@electronjs.org>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Co-authored-by: deepak1556 <hop2deep@gmail.com>
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
* feat: Use DIR_ASSETS path to locate resource bundles
* Use DIR_ASSETS for calculating ASAR relative paths
* Add test to verify 'assets' matches parent dir of 'exe'
* Add Mac-specific test for assets path (but it is failing)
* test: Update app.getPath('assets') to expect an exception on Mac
* docs: Update docs for 'assets' path to indicate that it's only available on Windows + Linux
* fix: Don't define 'assets' mapping on macOS
* refactor: add a v8::Isolate* arg to RendererClientBase::IsWebViewFrame()
Needed for creating gin dictionaries
refactor: add a v8::Isolate* arg to ShouldLoadPreload()
Needed for calling IsWebViewFrame()
* refactor: add a v8::Isolate* arg to electron::util::CompileAndCall()
* refactor: add a v8::Isolate* arg to OnCreatePreloadableV8Context()
* refactor: add a v8::Isolate* arg to InvokeEmitProcessEvent()
* refactor: add a v8::Isolate* arg to ServiceWorkerData's constructor
* refactor: add a v8::Isolate* arg to RendererClientBase::SetupMainWorldOverrides()
* refactor: add a v8::Isolate* arg to RendererClientBase::WillReleaseScriptContext()
* docs: update docs to avoid v8::Context::GetIsolate()
* refactor: add a v8::Isolate* arg to ElectronSandboxedRendererClient::InitializeBindings()
* refactor: avoid v8::Context::GetIsolate() call in PromiseBase::SettleScope::~SettleScope()
* refactor: add a v8::Isolate* arg to Constructible::GetConstructor()
* refactor: add a v8::Isolate* arg to NodeBindings::Initialize()
This is needed for the GetConstructor() call
* refactor: avoid v8::Context::GetIsolate() call in GetIpcObject() by taking it as an arg
* refactor: avoid v8::Context::GetIsolate() call in ipc_native::EmitIPCEvent() by taking it as an arg
* Remove microtasks_scope.h and microtasks_scope.cc
* Use v8::MicrotasksScope when ignoring browser checkpoint
These calls always skip the browser checkpoint, so they are equivalent to using v8::MicrotasksScope directly (modulo the optional wrapper behavior).
* Remove MicrotasksScope from node_bindings.cc
This code seems contradictory: it explicitly specifies "do not run microtasks" yet runs a microtask checkpoint in the browser process.
Looking at its history, it [was introduced][1] with the intention to not run microtasks, but a [subtle C++ language behavior][2] caused it to do the opposite later in the same roll. Since the original intention was to not run microtasks, and since that is also the simplest explanation, we can assume `ignore_browser_checkpoint` should be true and migrate this to `v8::MicrotasksScope` as it is equivalent (modulo the optional wrapper behavior).
[1]: a4ea80dd47 (diff-efe58cf03c97028f37f801db044d396a5f428686da6595d2c692f1c052bbd09c)
[2]: https://github.com/electron/electron/pull/43185
* Migrate gin_helper/promise.h and gin_helper/promise.cc to v8::MicrotasksScope
Restores the [original][1] behavior of running the microtask checkpoint at destruction, but preserves the behavior of running microtasks in the browser process. This had last changed in the migration to gin_helper::MicroTasks.
[1]: https://github.com/electron/electron/pull/16401
* perf: use base::SplitStringPiece() in SetNodeOptions()
* perf: use base::SplitStringPiece() in StringToAccelerator()
* refactor: StringToAccelerator() now takes a std::string_view
fix: javascript heap oom is not raised in node::OOMErrorHandler
node::OOMErrorHandler terminates the process directly without raising an
oom exception. To fix it, set an oom handler into node from electron.
* feat: ServiceWorkerMain
* refactor: disconnect remote
* handle version_info_ nullptr case
* initiate finish request when possible and enumerate errors
* explicit name for test method
* oops
* fix: wait for redundant version to stop before destroying
* docs: clarify when undefined is returned
* chore: remove extra semicolons
* refactor: more return-braced-init-list, this time for v8 and gin objects
* refactor: more return-braced-init-list, this time for v8, gin, std, and base objects
* refactor: move uv_setup_args() calls to startup
* refactor: call base::CommandLine::Init() before ContentMain()
* feat: add ElectronCommandLine::AsUtf8()
* refactor: call base::CommandLine::Init() before NodeMain()
* refactor: use ElectronCommandLine::AsUtf8() in NodeMain()
* fix: -Wunsafe-buffer-usage warning in ElectronCommandLine::Init()
* chore: add a DCHECK to confirm ElectronCommandLine was initialized before AsUtf8() is called
* chore: const correctness in ElectronCommandLine::Init() args
* chore: add ElectronCommandLine to macOS Electron Helper app
* chore: move argc, argvc setup into electron_library_main on macOS
* chore: revert BUILD.gn changes
* fix: WideToUTF8() call in ElectronCommandLine::AsUtf8()
* build: add uv to the include paths for app/electron_main_linux
* build: add uv to the include paths for app/electron_library_main.mm
* chore: revert unrelated changes
these were intended for another branch
* refactor: move scope scaffolding into SettleScope
idea stolen from SpellCheckScope
* refactor: move impl of PromiseBase::RejectPromise() to the cc file
* chore: remove unused #include
* chore: expose system preferences to utility process
* chore: add tests, doc changes and module-list update
* relative link
* use @
* fix test
* chore: disable linux test
* kick
* noop on windows utility process
* feat: support NODE_EXTRA_CA_CERTS
* chore: allow disabling NODE_EXTRA_CA_CERTS
* chore: call base::Environment::UnSetVar
* docs: link to fuses from env vars
* chore: update patch to match upstream
* docs: note enabled by default
* Update environment-variables.md
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
---------
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>