Closed Bug 379294 Opened 17 years ago Closed 12 years ago

Hang trying to serialize a sparse JavaScript array

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

RESOLVED INVALID

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: hang, testcase)

js> void (x = [].constructor(0xffffffff));
js> x

Result: hang

I'm not sure this is a bug.
Running the js shell with the branch callback enabled terminates the script:

~> js -b 10000
js> void (x = [].constructor(0xffffffff));
void (x = [].constructor(0xffffffff));
js> x
x
native branch callback (10000 callbacks)
js> 

Thus I suggest marking this as invalid.
Brendan suggests:
* Immediately throw OOM if it's obvious there won't be enough memory to hold the serialized string.
* Improve the speed of array.join (bug 374740).

Even with those fixed, it might still be possible to hang with a similar testcase (using a slightly smaller number).  But I probably deserve that hang for having turned off the slow-script dialog.
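
Added example, not part of the original comments and not SpiderMonkey code: a sketch of the first suggestion above, rejecting a join whose minimum result size is already over budget, plus a size budget that also covers the "slightly smaller number" case. The names guardedJoin, joinLowerBound and MAX_CHARS are hypothetical, the budget value is an assumption, and the array is assumed to hold its elements as own enumerable properties.

```javascript
// Added example, not SpiderMonkey code. MAX_CHARS is an assumed budget.
const MAX_CHARS = 1 << 20;

// Smallest possible join() result: length-1 separators, even if every slot is a hole.
function joinLowerBound(length, sep) {
  return length === 0 ? 0 : (length - 1) * sep.length;
}

// join() replacement that rejects oversized results up front and visits only
// the indices that exist, so it never walks arr.length empty slots one by one.
function guardedJoin(arr, sep = ",", maxChars = MAX_CHARS) {
  const bound = joinLowerBound(arr.length, sep);
  if (bound > maxChars) {
    throw new RangeError(`join needs >= ${bound} chars, budget is ${maxChars}`);
  }
  let out = "";
  let sepsWritten = 0; // element i must be preceded by exactly i separators
  // Object.keys lists own enumerable array indices ascending, then other keys.
  for (const key of Object.keys(arr)) {
    const i = Number(key);
    if (String(i) !== key || !Number.isInteger(i) || i < 0 || i >= arr.length) {
      continue; // not an array index (e.g. a named property)
    }
    out += sep.repeat(i - sepsWritten);
    sepsWritten = i;
    const v = arr[i];
    out += v === null || v === undefined ? "" : String(v); // join() renders these as ""
    if (out.length > maxChars) {
      throw new RangeError(`join result exceeds budget of ${maxChars} chars`);
    }
  }
  // Trailing holes still contribute separators.
  if (arr.length > 0) out += sep.repeat(arr.length - 1 - sepsWritten);
  if (out.length > maxChars) {
    throw new RangeError(`join result exceeds budget of ${maxChars} chars`);
  }
  return out;
}
```

With both testcases from this bug the check throws before any string is built; arrays that fit the budget produce the same text as the built-in join.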
void ("" + new Array(0x90000000)) hangs ./js

This makes it painful to use large numbers in jsfunfuzz, which may be necessary for finding certain bugs.
(In reply to comment #3)
> ...
> This makes it painful to use large numbers in jsfunfuzz, which may be
> necessary for finding certain bugs.

(In reply to comment #2)
> ...
> * Improve the speed of array.join (bug 374740).
> 
> Even with those fixed, it might still be possible to hang with a similar
> testcase (using a slightly smaller number).  But I probably deserve that
> hang for having turned off the slow-script dialog.

374740 is fixed
Both testcases still hang.
OS: Mac OS X → All
Hardware: x86 → All
Gets slow-script dialog in the browser, which successfully kills it, so resolving invalid.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID