[Webkit-unassigned] [Bug 171630] [JSC] Test stringimpl-to-jsstring-on-large-strings-2 uses a lot of RAM

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 3 19:03:34 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171630

--- Comment #8 from Carlos Alberto Lopez Perez <clopez at igalia.com> ---
So... this is the issue:

    function createRegexp() {
        var s = "a".repeat(0x3fffffff);
        var r = RegExp.prototype.toString.call({
            source: s,
            flags: s,
        });
        return [s, r];
    }


Both Firefox and Chrome abort at var s = "a".repeat(0x3fffffff); with "repeat count must be less than infinity and not overflow maximum string size" (Firefox) or "Invalid string length" (Chrome).

But we happily build that monstrous string (which needs around 3GB of RAM!)

I created another test that demonstrates this: https://people.igalia.com/clopez/wkbug/largestrings/large-string-alive.html

Both with WebKitGTK+ and Safari if you click on the button you will see how WebKit uses around 3GB of RAM and doesn't discard it because the test is crafted to keep the string alive. You can actually click the button several times. Each time you click on the button the memory usage will grow by several GBs... You can guess it will be easy to create a malicious page with this that crashes the user's computer due to an OOM situation.


Firefox and Chrome refuse to build that string. I think we also need to put some limit on the string length.
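As an added example (not code from this bug report or from WebKit), the following shows the kind of check the comment describes in Firefox and Chrome: a repeat wrapper that computes the result length in plain arithmetic and refuses with a RangeError before anything is allocated, plus a small budget for strings a page deliberately keeps alive. The cap of 2**28 code units, and the names boundedRepeat, tryRepeat and RetainedStringBudget, are assumptions chosen for illustration, not engine constants or APIs.

```javascript
// Added example, not code from the bug report or from WebKit: a bounded
// String.prototype.repeat wrapper that refuses oversized results before any
// allocation (the behaviour the comment describes for Firefox and Chrome),
// plus a budget for strings a page chooses to keep alive.

// Illustrative cap (an assumption, not an engine constant): 2**28 UTF-16 code
// units, i.e. 512 MiB of 16-bit storage. The count from the bug report,
// 0x3fffffff, is well above it.
const MAX_STRING_LENGTH = 2 ** 28;

// Hypothetical helper: repeat `str` `count` times unless the result would be
// longer than `maxLength`. Mirrors the count handling of String.prototype.repeat
// (NaN counts as 0; negative or infinite counts are a RangeError).
function boundedRepeat(str, count, maxLength = MAX_STRING_LENGTH) {
  let n = Number(count);
  if (Number.isNaN(n)) n = 0;
  const times = Math.trunc(n);
  if (times < 0 || times === Infinity) {
    throw new RangeError("Invalid count value: " + String(count));
  }
  // The final length is known before anything is built.
  const resultLength = str.length * times;
  if (resultLength > maxLength) {
    throw new RangeError(
      "Invalid string length: " + resultLength + " exceeds limit " + maxLength
    );
  }
  return str.repeat(times);
}

// Hypothetical helper: run boundedRepeat and report the outcome as data, so a
// refusal can be inspected without a large string being held anywhere.
function tryRepeat(str, count, maxLength = MAX_STRING_LENGTH) {
  try {
    const out = boundedRepeat(str, count, maxLength);
    return { ok: true, length: out.length };
  } catch (err) {
    return { ok: false, error: err.name, message: err.message };
  }
}

// Hypothetical helper: a budget for strings deliberately kept alive (the
// "click the button several times" case in the comment). Each retain() adds
// the string's length to a running total and refuses once the total would
// pass the budget, instead of letting memory grow without bound.
class RetainedStringBudget {
  constructor(maxTotalLength) {
    this.maxTotalLength = maxTotalLength;
    this.totalLength = 0;
    this.retained = [];
  }

  retain(str) {
    const next = this.totalLength + str.length;
    if (next > this.maxTotalLength) {
      throw new RangeError(
        "Retained string budget exceeded: " + next + " > " + this.maxTotalLength
      );
    }
    this.retained.push(str);
    this.totalLength = next;
    return this.totalLength;
  }
}

// Demonstration: the report's count is refused by the guard alone; a modest
// count succeeds.
console.log(tryRepeat("a", 0x3fffffff));
console.log(tryRepeat("a", 1 << 20));
```

The guard does its arithmetic on lengths, so the refusal costs nothing; the budget object is the per-page analogue, bounding what a sequence of otherwise-legal builds can hold at once.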
