A problem about calling sort function with long array

Question

A problem about calling sort function with long array

ayuan0828 opened this issue a year ago · 4 comments

Version: JerryScript 2.4.0

Description:

When I run the following program, I have an interesting discovery that jerryscript can neither output "right" normally, just like hermes; At the same time, it will not report overflow errors like xs. I think it may have some problems.

Test case:

a = [];
a.length = 0xfffff;
a.sort();
print("right");

Output of jerryscript:

Output of hermes:

right

Output of xs:

Error: stack overflow

Answer 1 · 2023-03-17T05:45:49.000Z

I think ecma_deref_ecma_string (prop_name_p); is missing at the end of the first loop in ecma_builtin_array_prototype_object_sort

Answer 2 · 2023-03-17T09:57:24.000Z

May I ask if there is a problem when judging whether the length of the array is valid?

Is it executing this part of the code and exiting the loop directly?

 if (ECMA_IS_VALUE_ERROR (get_desc))
    {
      ecma_collection_free (array_index_props_p);
      ecma_deref_ecma_string (prop_name_p);
      return get_desc;
    }

Answer 3 · 2023-03-17T14:37:42.000Z

When I try to execute print (a), if a.length=0xffff, it can output, but if a.length=0xfffff, it cannot. Perhaps this is a problem with handling stack overflows without printing output to the console?

Answer 4 · 2023-03-24T15:20:48.000Z

I checked the latest (1a2c047) jerry, and I got JERRY_FATAL_OUT_OF_MEMORY for this example. It fails when it copies the data into an internal sort buffer.