Looping over big integer indexes is very slow
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: sfink, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
101 bytes,
text/html
|
Details |
In bug 1782558, there was an assert triggered on 32-bit. But if you run the same code on 64-bit, it takes a very very long time to execute. Code:
let x = [];
x.length = Math.pow(2, 32) - 1;
"" + x;
What happens is that it stringifies the enormous empty Array. For the first 2G indexes, this goes fine. But after that point, it looks like those indexes get very temporarily materialized as GC strings. The resulting flood of garbage causes repeated GCs and generally take a really really long time.
It doesn't hang, and the interrupt is checked, so a slow script dialog would pop up. But it still seems unfortunate that it's so easy to DOS SpiderMonkey.
In V8 (or with Node, at least), it looks like they cap Arrays at a much smaller size, so this doesn't happen.
|
||
Updated•3 years ago
|
|
||
Comment 1•1 year ago
•
|
||
Profile: https://share.firefox.dev/3V8f3u4
Error in webconsole: Uncaught out of memory within 500ms
|
|
||
Comment 2•1 year ago
|
||
|
|
||
Comment 3•1 year ago
|
||
In Chrome i get this error immediately:
test.html:7 Uncaught RangeError: Invalid string length
at Array.join (<anonymous>)
at Array.toString (<anonymous>)
at test.html:7:4
Description
•