jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

A bug in concat() #5059

Open Georgezxh opened 1 year ago

Georgezxh commented 1 year ago

JerryScript revision

2.4.0

Build platform

ubuntu20.04

Description

I found that jerryscript cannot output correctly like other JS engines when I ran the following code. However, when I set the length to 0xfff or 0xfffff, it can print.

Test case

var a = ['a'];
var b = [];
b.length = 0xffff;      // sparse array: 65535 holes, no stored elements
var c = a.concat(b);    // result length is 1 + 0xffff = 65536
print(c.length);        // print() is the jerryscript shell builtin

Output

Expected behavior

65536

matetokodi commented 1 year ago

This is intended behaviour: by default the jerryscript heap size is 512K, and the maximum number of empty items in a fast preallocated array is 65536 before being broken up into a property based array.

Creating and then concatenating preallocated arrays of this size will cause jerryscript to run out of the allowed memory, thus causing a JERRY_FATAL_OUT_OF_MEMORY error.

This can be worked around by (1) Increasing the size of the memory allocated for jerryscript using the

-DJERRY_GLOBAL_HEAP_SIZE=1024

compile-time CMake option.

Or (2) Decreasing the maximum number of holes in preallocated arrays, so they will be broken up into slower, property based arrays sooner (these do not use memory for empty items) by changing

#define ECMA_FAST_ARRAY_MAX_HOLE_COUNT (1 << 16)

to something smaller, like

#define ECMA_FAST_ARRAY_MAX_HOLE_COUNT (1 << 12)

in jerry-core/ecma/operations/ecma-array-object.h:63