QTBUG-81104

Array.includes overflows JS stack and crashes if array is large enough


    Details

    • Commits:
      49cf23bd2a14e2ca7236b261d7960588f07f5a0b (qt/qtdeclarative/5.14)

      Description

      Performing Array.includes on a sufficiently large array crashes the engine by overflowing the engine stack into one of the guard pages.

      let arr = new Array(10000000);
      arr.includes(42);
      

      This happens because method_includes (at qv4arrayobject.cpp:1053) turns every object in the array into a ScopedValue and never cleans it up in between, even though the object no longer necessarily needs to stay alive once method_includes is done with it (the ScopedValue itself is of course destroyed, but cleanup of the stack only happens when the underlying Scope goes away).
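Added example (not Qt's code, and not the change in the commit listed above): a small C++ model of the Scope/ScopedValue stack discipline the description refers to, showing why one ScopedValue per element under a single Scope exhausts a fixed stack while an inner Scope per iteration does not. The names Engine, Scope, ScopedValue and jsStackTop, the fixed slot count, and the per-iteration Scope shown as a remedy are assumptions for illustration only; the real engine faults on a guard page where this model throws.

```cpp
// Added example, not QtDeclarative code. Models the behaviour described in
// the report: a Scope records the JS stack top on construction and restores
// it on destruction; every ScopedValue claims one slot that is reclaimed only
// when its enclosing Scope is destroyed.
#include <cstddef>
#include <stdexcept>
#include <vector>

struct Engine {
    // Model of the engine's JS value stack. The end of this fixed buffer
    // stands in for the guard page; overrunning it is reported, not faulted.
    std::vector<double> jsStack;
    std::size_t jsStackTop = 0;
    explicit Engine(std::size_t capacity) : jsStack(capacity) {}
};

struct StackOverflow : std::runtime_error {
    StackOverflow() : std::runtime_error("JS stack hit guard page") {}
};

struct Scope {
    Engine &engine;
    std::size_t mark;
    explicit Scope(Engine &e) : engine(e), mark(e.jsStackTop) {}
    ~Scope() { engine.jsStackTop = mark; }  // whole scope released at once
};

struct ScopedValue {
    double *slot;
    ScopedValue(Scope &scope, double v) {
        Engine &e = scope.engine;
        if (e.jsStackTop >= e.jsStack.size())
            throw StackOverflow();          // the crash in the report
        slot = &e.jsStack[e.jsStackTop++];
        *slot = v;
    }
    // No destructor work on purpose: the ScopedValue object goes away, but
    // its slot is only freed when the owning Scope is destroyed.
};

// The pattern the report describes: one Scope for the whole call and a
// fresh ScopedValue for every element, so slots accumulate.
bool includesNaive(Engine &engine, const std::vector<double> &arr, double needle) {
    Scope scope(engine);
    for (double x : arr) {
        ScopedValue v(scope, x);
        if (*v.slot == needle) return true;
    }
    return false;
}

// One possible remedy (illustrative, not the shipped fix): an inner Scope
// per iteration so each element's slot is reclaimed before the next.
bool includesScoped(Engine &engine, const std::vector<double> &arr, double needle) {
    for (double x : arr) {
        Scope inner(engine);
        ScopedValue v(inner, x);
        if (*v.slot == needle) return true;
    }
    return false;
}

// Helpers that run each variant on a constructed array of arrayLen zeros
// against a stack of stackSlots slots and report whether it overflowed.
bool naiveOverflows(std::size_t stackSlots, std::size_t arrayLen) {
    Engine engine(stackSlots);
    std::vector<double> arr(arrayLen, 0.0);
    try { includesNaive(engine, arr, 42.0); } catch (const StackOverflow &) { return true; }
    return false;
}

bool scopedOverflows(std::size_t stackSlots, std::size_t arrayLen) {
    Engine engine(stackSlots);
    std::vector<double> arr(arrayLen, 0.0);
    try { includesScoped(engine, arr, 42.0); } catch (const StackOverflow &) { return true; }
    return false;
}

// Sanity check that the scoped variant still finds a present element.
bool scopedFinds(std::size_t stackSlots, std::size_t arrayLen) {
    Engine engine(stackSlots);
    std::vector<double> arr(arrayLen, 0.0);
    arr[arrayLen / 2] = 42.0;
    return includesScoped(engine, arr, 42.0);
}

int main() {
    // 16 slots, 100 elements: the naive loop overflows, the scoped one does not.
    return (naiveOverflows(16, 100) && !scopedOverflows(16, 100)) ? 0 : 1;
}
```

The point of the model is the asymmetry between ScopedValue's destructor (does nothing to the stack) and Scope's destructor (resets the top): any loop that allocates per element under one Scope grows the stack linearly with the input, so the input size, not the element values, decides whether the guard page is hit.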


            People

            Assignee:
            fabiankosmale Fabian Kosmale
            Reporter:
            hlt Tobias Holl
            Votes:
            0
            Watchers:
            2
