Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-78955

Freeze or crash in QJSEngine::evaluate()

    XMLWordPrintable

Details

    • d1047887a6fd4f890484203a01ee5f1eefc1a20a (qt/qtdeclarative/5.15)

    Description

      Build and run a simple QCoreApplication:

      #include <QCoreApplication>
#include <QJSEngine>

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    QJSEngine().evaluate(QByteArray("Array(1E9)|1"));
    return 0;
}

      It will take more than a minute or crash going oom.

      It seems as if this could be handled better because:

      • the JavaScript seems to only return what's behind the "|"
      • Array(1E9)

        will not freeze at all

      • Array(1E10)|1

        does not freeze either.

      Attachments

        For Gerrit Dashboard: QTBUG-78955
        # Subject Branch Project Status CR V
        276058,1 fuzzing: Add JavaScript file causing freeze master qt/qtqa Status: ABANDONED -1 0
        277423,2 Make ScopedValue's CHECK_EXCEPTION also check isInterrupted 5.14 qt/qtdeclarative Status: MERGED +2 0
        280634,2 RuntimeHelpers: Short-circuit stringToNumber on huge strings 5.14 qt/qtdeclarative Status: MERGED +2 0
        286078,2 fuzzing: Add JavaScript file which consumes huge memory master qt/qtqa Status: ABANDONED -1 0
        286183,2 Fuzzing: Avoid out-of-memory in QJSEngine::evaluate() 5.14 qt/qtdeclarative Status: ABANDONED -1 0

        Activity

          People

            ulherman Ulf Hermann
            rlohning Robert Löhning
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:

              Gerrit Reviews

                There are no open Gerrit changes