[QTBUG-81104] Array.includes overflows JS stack and crashes if array is large enough - Qt Bug Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: P1: Critical
Resolution: Done
Affects Version/s: 5.13.2
Fix Version/s: 5.14.1, 5.15.0 Alpha
Component/s: QML: Declarative and Javascript Engine
Labels:
- earmarked_by_ulf

Commits:
49cf23bd2a14e2ca7236b261d7960588f07f5a0b (qt/qtdeclarative/5.14)

Description

Performing Array.includes on a sufficiently large array crashes the engine by overflowing the engine stack into one of the guard pages.

let arr = new Array(10000000);
arr.includes(42);

This happens because method_includes (at qv4arrayobject.cpp:1053) turns every object in the array into a ScopedValue, and never cleans it up inbetween even though the object no longer necessarily needs to stay alive once method_includes is done with it (the ScopedValue itself is of course destroyed, but cleanup of the stack only happens when the underlying Scope goes away).

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Fabian Kosmale

Reporter:: Tobias Holl

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06 Jan '20 14:58

Updated:: 09 Jan '20 18:18

Resolved:: 07 Jan '20 16:00

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

QV4: Array.includes: Support large arrays: Gerrit Review: