23089 2009-01-03 06:11:43 -0800 [jsfunfuzz] tostring on large array causes oom hang/crash 2012-09-06 17:10:51 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED WORKSFORME P2 Normal --- 13638 1 oliver webkit-unassigned barraclough darin jruderman mjs oldest_to_newest 104233 0 oliver 2009-01-03 06:11:43 -0800 switch(+(Array(2147483647))){default:} 104297 1 oliver 2009-01-03 20:11:49 -0800 Firefox produces a slow script warning on this example, we don't because Array.toString, etc are native code. I'm thinking that a hard cap on toString'd array size + time out checks periodically in the toString conversion and what not would do the trick. Anyone have any better ideas? 104325 2 oliver 2009-01-04 07:17:33 -0800 Hmmm, it occurs to me that relying on the slow script dialog to kill execution won't work in the shell. Also the code has a null check of the data for the buffer (to catch OOM) but vector growing uses the crashing version of malloc Is it possible to make a vector use the non-throwing version? 104326 3 oliver 2009-01-04 07:19:27 -0800 Also, for reference a JS version of Array.toString solves the hang by implicitly having timeout checks. unfortunately it's 35% slower than the C++ version. For compact (non-sparse) arrays it beats firefox though :D 104330 4 darin 2009-01-04 07:40:32 -0800 (In reply to comment #2) > Is it possible to make a vector use the non-throwing version? Sure it's possible, but it changes the contract with clients. What behavior are you suggesting when allocation fails? How will we update all the clients to work with the new behavior? 104334 5 oliver 2009-01-04 08:15:24 -0800 (In reply to comment #4) > (In reply to comment #2) > > Is it possible to make a vector use the non-throwing version? > > Sure it's possible, but it changes the contract with clients. > > What behavior are you suggesting when allocation fails? How will we update all > the clients to work with the new behavior? > No i dind't mean in general --i was asking (somewhat vaguely i guess) whether there a template parameter or something that control which malloc a vector would use. 104338 6 darin 2009-01-04 08:55:56 -0800 (In reply to comment #5) > No i dind't mean in general --i was asking (somewhat vaguely i guess) whether > there a template parameter or something that control which malloc a vector > would use. Sure, we could. But then we'd still need to define what various operations do when allocation fails when that template parameter was set. It might be better to have a completely separate class template. We could still share implementation with Vector. 713854 7 barraclough 2012-09-06 16:49:38 -0700 *** Bug 13638 has been marked as a duplicate of this bug. *** 713876 8 barraclough 2012-09-06 17:10:51 -0700 This test case is equivalent to Array(2147483647).toString(). This completes with appropriate performance. Works for me.