Details
- Type: Bug
- Status: Closed
- Priority: P1: Critical
- Resolution: Done
- Affects Version/s: 5.13.2
- Fix Version/s: 5.14.1, 5.15.0 Alpha
- Component/s: QML: Declarative and Javascript Engine
- Labels:
- Commits: 49cf23bd2a14e2ca7236b261d7960588f07f5a0b (qt/qtdeclarative/5.14)
Description
Performing Array.includes on a sufficiently large array crashes the engine by overflowing the engine stack into one of the guard pages.
let arr = new Array(10000000);
arr.includes(42);
This happens because method_includes (at qv4arrayobject.cpp:1053) turns every element of the array into a ScopedValue and never cleans up in between, even though the element no longer needs to stay alive once method_includes is done with it (the ScopedValue object itself is of course destroyed, but the slot it reserved on the engine stack is only released when the underlying Scope goes away). With one slot reserved per element, a large enough array walks the stack pointer into the guard page.
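The mechanism described above, as an added example that is not Qt code: a simplified model of a scope-based value stack (the names Engine, Scope and ScopedValue mirror the description, but the implementation, the stack capacity and the sample array are constructed for illustration). A Scope records the stack mark and restores it in its destructor; a ScopedValue reserves a slot and never gives it back itself. includesLeaky allocates one ScopedValue per element under a single Scope, so stack usage grows with the array length; includesBounded opens a Scope per iteration so the depth stays at one. The bounded variant is one possible remedy and is not claimed to be what the referenced commit does. Instead of a guard-page fault the model throws, so the overflow can be observed.

```cpp
// Added example, not Qt code: a model of why per-element ScopedValues under one
// Scope exhaust the engine stack, and how a per-iteration Scope bounds the depth.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

namespace model {

// Engine with a fixed-capacity value stack (capacity is an assumption for the
// demo). A real engine faults on a guard page; we throw so it can be tested.
struct Engine {
    std::vector<int64_t> stack;
    size_t top = 0;
    size_t maxTop = 0;  // high-water mark: how deep each strategy actually went
    explicit Engine(size_t capacity) : stack(capacity) {}

    int64_t *alloc() {
        if (top >= stack.size())
            throw std::runtime_error("value stack overflow (guard page hit)");
        maxTop = std::max(maxTop, top + 1);
        return &stack[top++];
    }
};

// A Scope remembers the stack mark at construction and restores it when it
// goes away. Nothing reserved in between is released before that.
struct Scope {
    Engine &engine;
    size_t mark;
    explicit Scope(Engine &e) : engine(e), mark(e.top) {}
    ~Scope() { engine.top = mark; }
    Scope(const Scope &) = delete;
    Scope &operator=(const Scope &) = delete;
};

// A ScopedValue reserves one slot from the scope's engine. Its destructor does
// not release the slot; only the enclosing Scope's destructor does.
struct ScopedValue {
    int64_t *ptr;
    ScopedValue(Scope &s, int64_t v) : ptr(s.engine.alloc()) { *ptr = v; }
    int64_t &operator*() { return *ptr; }
};

using IncludesFn = bool (*)(Engine &, const std::vector<int64_t> &, int64_t);

// Leaky pattern: one Scope for the whole loop, one ScopedValue per element.
// Stack usage is O(n) until the needle is found or the array is exhausted.
bool includesLeaky(Engine &engine, const std::vector<int64_t> &arr, int64_t needle) {
    Scope scope(engine);
    for (size_t i = 0; i < arr.size(); ++i) {
        ScopedValue v(scope, arr[i]);
        if (*v == needle) return true;
    }
    return false;
}

// Bounded pattern: a fresh Scope per iteration gives the slot back each time
// (hoisting a single ScopedValue out of the loop and reassigning it works too).
bool includesBounded(Engine &engine, const std::vector<int64_t> &arr, int64_t needle) {
    Scope outer(engine);
    for (size_t i = 0; i < arr.size(); ++i) {
        Scope inner(engine);
        ScopedValue v(inner, arr[i]);
        if (*v == needle) return true;
    }
    return false;
}

struct Outcome { bool found; bool overflowed; size_t depth; };

// Runs fn over a constructed array arr[i] = i of length n with the given
// stack capacity, reporting whether it found the needle, overflowed, and how
// deep the stack got.
Outcome run(IncludesFn fn, size_t capacity, size_t n, int64_t needle) {
    Engine engine(capacity);
    std::vector<int64_t> arr(n);
    for (size_t i = 0; i < n; ++i) arr[i] = static_cast<int64_t>(i);
    try {
        bool found = fn(engine, arr, needle);
        return Outcome{found, false, engine.maxTop};
    } catch (const std::runtime_error &) {
        return Outcome{false, true, engine.maxTop};
    }
}

}  // namespace model

int main() {
    // Needle -1 is absent, so the leaky loop must touch every element.
    model::Outcome a = model::run(model::includesLeaky, 1024, 10000, -1);
    model::Outcome b = model::run(model::includesBounded, 1024, 10000, -1);
    std::printf("leaky:   overflowed=%d depth=%zu\n", a.overflowed, a.depth);
    std::printf("bounded: overflowed=%d depth=%zu found=%d\n", b.overflowed, b.depth, b.found);
    return 0;
}
```

The same leaky loop survives a small array or an early hit (needle 42 is found at index 42, well under the capacity), which is why the report says "sufficiently large": the overflow depends on how many elements are visited under one Scope, not on the array's mere existence.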