Open Bug 1783082 Opened 2 years ago Updated 2 years ago

Looping over big integer indexes is very slow

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

People

(Reporter: sfink, Unassigned)

References

(Blocks 1 open bug)

Details

In bug 1782558, there was an assert triggered on 32-bit. But if you run the same code on 64-bit, it takes a very very long time to execute. Code:

let x = [];
x.length = Math.pow(2, 32) - 1;
"" + x;

What happens is that it stringifies the enormous empty Array. For the first 2G indexes, this goes fine. But after that point, it looks like those indexes get very temporarily materialized as GC strings. The resulting flood of garbage causes repeated GCs and generally take a really really long time.

It doesn't hang, and the interrupt is checked, so a slow script dialog would pop up. But it still seems unfortunate that it's so easy to DOS SpiderMonkey.

In V8 (or with Node, at least), it looks like they cap Arrays at a much smaller size, so this doesn't happen.

Blocks: sm-runtime
Severity: -- → S4
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.