23089 – [jsfunfuzz] tostring on large array causes oom hang/crash

Bug 23089 - [jsfunfuzz] tostring on large array causes oom hang/crash

Summary: [jsfunfuzz] tostring on large array causes oom hang/crash

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac OS X 10.5

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Duplicates (1):	13638 (view as bug list)
Depends on:
Blocks:	13638
	Show dependency tree / graph

Reported:	2009-01-03 06:11 PST by Oliver Hunt
Modified:	2012-09-06 17:10 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Oliver Hunt 2009-01-03 06:11:43 PST

switch(+(Array(2147483647))){default:}

Comment 1 Oliver Hunt 2009-01-03 20:11:49 PST

Firefox produces a slow script warning on this example, we don't because Array.toString, etc are native code.

I'm thinking that a hard cap on toString'd array size + time out checks periodically in the toString conversion and what not would do the trick.  Anyone have any better ideas?

Comment 2 Oliver Hunt 2009-01-04 07:17:33 PST

Hmmm, it occurs to me that relying on the slow script dialog to kill execution won't work in the shell.

Also the code has a null check of the data for the buffer (to catch OOM) but vector growing uses the crashing version of malloc

Is it possible to make a vector use the non-throwing version?

Comment 3 Oliver Hunt 2009-01-04 07:19:27 PST

Also, for reference a JS version of Array.toString solves the hang by implicitly having timeout checks.  unfortunately it's 35% slower than the C++ version.  For compact (non-sparse) arrays it beats firefox though :D

Comment 4 Darin Adler 2009-01-04 07:40:32 PST

(In reply to comment #2)
> Is it possible to make a vector use the non-throwing version?

Sure it's possible, but it changes the contract with clients.

What behavior are you suggesting when allocation fails? How will we update all the clients to work with the new behavior?

Comment 5 Oliver Hunt 2009-01-04 08:15:24 PST

(In reply to comment #4)
> (In reply to comment #2)
> > Is it possible to make a vector use the non-throwing version?
> 
> Sure it's possible, but it changes the contract with clients.
> 
> What behavior are you suggesting when allocation fails? How will we update all
> the clients to work with the new behavior?
> 

No i dind't mean in general --i was asking (somewhat vaguely i guess)  whether there a template parameter or something that control which malloc a vector would use.

Comment 6 Darin Adler 2009-01-04 08:55:56 PST

(In reply to comment #5)
> No i dind't mean in general --i was asking (somewhat vaguely i guess)  whether
> there a template parameter or something that control which malloc a vector
> would use.

Sure, we could. But then we'd still need to define what various operations do when allocation fails when that template parameter was set.

It might be better to have a completely separate class template. We could still share implementation with Vector.

Comment 7 Gavin Barraclough 2012-09-06 16:49:38 PDT

*** Bug 13638 has been marked as a duplicate of this bug. ***

Comment 8 Gavin Barraclough 2012-09-06 17:10:51 PDT

This test case is equivalent to Array(2147483647).toString().  This completes with appropriate performance.  Works for me.