Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-78955

Freeze or crash in QJSEngine::evaluate()

    XMLWordPrintable

    Details

    • Commits:
      d1047887a6fd4f890484203a01ee5f1eefc1a20a (qt/qtdeclarative/5.15)

      Description

      Build and run a simple QCoreApplication:

      #include <QCoreApplication>
#include <QJSEngine>

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    QJSEngine().evaluate(QByteArray("Array(1E9)|1"));
    return 0;
}

      It will take more than a minute or crash going oom.

      It seems as if this could be handled better because:

      • the JavaScript seems to only return what's behind the "|"
      • Array(1E9)

        will not freeze at all

      • Array(1E10)|1

        does not freeze either.

        Attachments

        For Gerrit Dashboard: QTBUG-78955
        # Subject Branch Project Status CR V
        286078,2 fuzzing: Add JavaScript file which consumes huge memory master qt/qtqa Status: NEW -1 0
        286183,2 Fuzzing: Avoid out-of-memory in QJSEngine::evaluate() 5.14 qt/qtdeclarative Status: NEW 0 0
        276058,1 fuzzing: Add JavaScript file causing freeze master qt/qtqa Status: ABANDONED -1 0
        277423,2 Make ScopedValue's CHECK_EXCEPTION also check isInterrupted 5.14 qt/qtdeclarative Status: MERGED +2 0
        280634,2 RuntimeHelpers: Short-circuit stringToNumber on huge strings 5.14 qt/qtdeclarative Status: MERGED +2 0

          Activity

            People

            • Assignee:
              ulherman Ulf Hermann
              Reporter:
              rlohning Robert Löhning
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:

                Gerrit Reviews

                There are 2 open Gerrit changes