Details
-
Type:
Bug
-
Status: Open
-
Priority:
P2: Important
-
Resolution: Unresolved
-
Affects Version/s: 5.12.5, 5.13.0, 5.14
-
Fix Version/s: 6.3
-
Component/s: QML: Declarative and Javascript Engine
-
Labels:
-
Environment:clang 8.0.1
gcc 9.1.0
-
Commits:d1047887a6fd4f890484203a01ee5f1eefc1a20a (qt/qtdeclarative/5.15)
Description
Build and run a simple QCoreApplication:
#include <QCoreApplication> #include <QJSEngine> int main(int argc, char *argv[]) { QCoreApplication a(argc, argv); QJSEngine().evaluate(QByteArray("Array(1E9)|1")); return 0; }
It will take more than a minute or crash going oom.
It seems as if this could be handled better because:
- the JavaScript seems to only return what's behind the "|"
Array(1E9)
will not freeze at all
Array(1E10)|1
does not freeze either.
Attachments
Gerrit Reviews
| For Gerrit Dashboard: QTBUG-78955 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 276058,1 | fuzzing: Add JavaScript file causing freeze | master | qt/qtqa | Status: ABANDONED | -1 | 0 |
| 277423,2 | Make ScopedValue's CHECK_EXCEPTION also check isInterrupted | 5.14 | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 280634,2 | RuntimeHelpers: Short-circuit stringToNumber on huge strings | 5.14 | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 286078,2 | fuzzing: Add JavaScript file which consumes huge memory | master | qt/qtqa | Status: ABANDONED | -1 | 0 |
| 286183,2 | Fuzzing: Avoid out-of-memory in QJSEngine::evaluate() | 5.14 | qt/qtdeclarative | Status: ABANDONED | -1 | 0 |