Open Bug 1699351 Opened 4 years ago Updated 4 years ago

Inconsistent behaviour for fake arrays with huge lengths

Categories: Core :: JavaScript Engine, defect, P5
Firefox 86, defect
Tracking: UNCONFIRMED
People: Reporter: mozilla, Unassigned

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

Each of the following statements hangs Firefox's JS interpreter:
Array.prototype.lastIndexOf.call({length: Infinity}, 0);
Array.prototype.indexOf.call({length: Infinity}, 0);
Array.prototype.shift.call({length: Infinity});
Array.prototype.reverse.call({length: Infinity});
Array.prototype.join.call({length: Infinity}, '');
Whereas each of the following statements throws an Error:
Array.prototype.sort.call({0: true, length: Infinity});
Array.prototype.unshift.call({length: Infinity}, 0);

Actual results:

For comparison, V8 has reversed behaviour on two of these functions.
Array.prototype.sort.call({0: true, length: Infinity}); -> hangs (Firefox throws with InternalError: allocation size overflow)
Array.prototype.join.call({length: Infinity}, ''); -> throws (Firefox hangs)

Expected results:

The relevant portions of the spec for each of these functions are the same, in that they all use LengthOfArrayLike (7.3.18.2). So either all the above should throw, or all should hang. Personally, I'd prefer a throw to crashing the browser, but the spec would seem to suggest that crashing is preferred.
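The report above shows that a generic Array.prototype method will happily iterate over whatever `length` an array-like object claims, because LengthOfArrayLike only clamps the value to 2^53-1 rather than rejecting it. For code that applies these methods to array-likes it does not control (for instance objects parsed from untrusted input), the practical mitigation is to compute the clamped length yourself and refuse to proceed when it exceeds a budget the caller is willing to iterate. The following is an added example written for this page, not code from the bug report or from SpiderMonkey; `toLength`, `boundedLength`, `safeCall`, and the default budget are all this example's own choices, and it runs in any ES2015+ engine such as Node.

```javascript
// Mirrors ECMAScript ToLength, which LengthOfArrayLike applies to the
// object's "length" property: NaN -> 0, negatives -> 0, otherwise truncate
// and clamp to 2^53 - 1. Infinity therefore becomes Number.MAX_SAFE_INTEGER,
// which is why a loop over {length: Infinity} never finishes in practice.
const MAX_LENGTH = Number.MAX_SAFE_INTEGER; // 2^53 - 1

function toLength(value) {
  let len = Number(value);
  if (Number.isNaN(len)) return 0;
  len = Math.trunc(len); // Math.trunc(Infinity) stays Infinity
  if (len <= 0) return 0;
  return Math.min(len, MAX_LENGTH);
}

// Returns the clamped length, or throws a RangeError when it exceeds the
// caller's iteration budget. Throwing up front is the cheap, predictable
// outcome the reporter would prefer over a hang (or an OOM from allocation).
function boundedLength(arrayLike, budget) {
  const len = toLength(arrayLike.length);
  if (len > budget) {
    throw new RangeError(`array-like length ${len} exceeds budget ${budget}`);
  }
  return len;
}

// Applies a generic Array.prototype method to an untrusted array-like only
// after the length check passes. DEFAULT_BUDGET is an arbitrary constructed
// value; pick one that matches what the calling code is prepared to iterate.
const DEFAULT_BUDGET = 1e6;

function safeCall(method, arrayLike, budget = DEFAULT_BUDGET, ...args) {
  boundedLength(arrayLike, budget);
  return Array.prototype[method].call(arrayLike, ...args);
}

// Constructed sample inputs: a small legitimate array-like and the
// pathological one from the report.
const small = { 0: 'a', 1: 'b', 2: 'c', length: 3 };
const huge = { length: Infinity };

function demo() {
  const results = {
    clampedInfinity: toLength(Infinity),        // 9007199254740991
    negative: toLength(-5),                     // 0
    fractionalString: toLength('3.7'),          // 3
    indexOfSmall: safeCall('indexOf', small, DEFAULT_BUDGET, 'b'), // 1
    joinSmall: safeCall('join', small, DEFAULT_BUDGET, ''),        // "abc"
    hugeRejected: false,
  };
  try {
    safeCall('indexOf', huge, DEFAULT_BUDGET, 0); // would otherwise loop ~2^53 times
  } catch (e) {
    results.hugeRejected = e instanceof RangeError;
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The budget is deliberately a parameter rather than a fixed constant: the right bound depends on the call site, and a length that is fine for `indexOf` on a sparse object may still be unacceptable for `join`, which must allocate a string proportional to the length.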

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Severity: -- → S4
Priority: -- → P5

For triage purposes, we'll mark this as P5; I think there's an interesting question about what should be the behaviour around specification infinite loops, but I'm not thinking this is urgent for us to figure out.

Gut says the things that throw end up allocating, and hence run out of memory, whereas the hangs don't allocate, and so loop indefinitely as expected.
