Status: Accepted
Owner: ----
Labels: Type-Bug Priority-Medium HW-All OS-All ES5
New issue 1929 by [email protected]: getOwnPropertyNames should only
include named properties, not numbered ones
http://code.google.com/p/v8/issues/detail?id=1929
http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf
15.2.3.4 Object.getOwnPropertyNames ( O )
When the getOwnPropertyNames function is called, the following steps are
taken:
<<<<snip>>>
4. For each named own property P of O
<<<<snip>>>
Apart from this violating the spec, including numbered elements can also
lead to an OOM crash:
<script>
var oCanvas = document.createElement("CANVAS");/*js_om2*/
var oContext2d = oCanvas.getContext("2d");/*js_om2*/
var iTarget = 0xDEAD;
var oImageData = oContext2d.getImageData(0, 0, 1, 1);
// ES5 15.2.3.4 should yield only named properties; V8 also returns "0".."3".
var asProps = Object.getOwnPropertyNames(oImageData.data);
// Drop the one expected named property so only the unexpected ones remain.
for (var i = 0; i < asProps.length;) {
  if (asProps[i] == 'length') asProps.splice(i, 1);
  else i++;
}
// An array is always truthy; test its length instead.
if (asProps.length) {
  if (confirm('In addition to the expected properties, the following were also present:\r\n"' + asProps.join('", "') + '".\r\n\r\nWould you like to see if an OOM can be triggered?')) {
    // 0x2000000 rows x 4 bytes per pixel: getOwnPropertyNames must build ~134M index strings.
    var oImageData = oContext2d.getImageData(0, 0, 1, 0x2000000);
    Object.getOwnPropertyNames(oImageData.data);
    alert('Apparently, OOM cannot be triggered');
  }
}
</script>
// Return the names of the local indexed properties.
// args[0]: object
RUNTIME_FUNCTION(MaybeObject*, Runtime_GetLocalElementNames) {
  HandleScope scope(isolate);
  ASSERT(args.length() == 1);
  if (!args[0]->IsJSObject()) {
    return isolate->heap()->undefined_value();
  }
  CONVERT_ARG_CHECKED(JSObject, obj, 0);

  int n = obj->NumberOfLocalElements(static_cast<PropertyAttributes>(NONE));
  Handle<FixedArray> names = isolate->factory()->NewFixedArray(n);
===> for large n, this causes an OOM crash (because of max allocation
limitations in V8, so it will crash even if sufficient memory is available!).
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
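The following is an added example, not code from the bug report or from V8. It makes the report's distinction concrete: `isArrayIndex` implements the ES5 definition of an array index (a canonical decimal string P with ToString(ToUint32(P)) === P and ToUint32(P) !== 2^32 - 1), `partitionOwnPropertyNames` splits what `Object.getOwnPropertyNames` returns into index names and other names, and `guardedOwnPropertyNames` refuses to enumerate an array or typed array whose element count exceeds a caller-chosen budget, since each index becomes a freshly allocated string, which is the allocation the report's PoC drives to exhaustion. Engines today (and the ES2015 [[OwnPropertyKeys]] ordering) return integer-index names ahead of string-keyed names, so the example also shows which names are "numbered" under the spec's own test. The function names, the budget parameter and the constructed sample objects in `demo` are this example's own; it assumes Node or a modern browser (typed arrays, `ArrayBuffer.isView`).

```javascript
// Added example (not from the bug report or V8): classify own property
// names by the ES5 array-index rule and guard large indexed collections.

function isArrayIndex(name) {
  // ES5 array index: canonical decimal string of a uint32 other than 2^32-1.
  if (typeof name !== 'string' || !/^(0|[1-9][0-9]*)$/.test(name)) return false;
  var n = Number(name);
  return n < 4294967295; // 2^32 - 1 is the ceiling of "length", not an index
}

function partitionOwnPropertyNames(obj) {
  // getOwnPropertyNames materializes one string per own property, indices included.
  var names = Object.getOwnPropertyNames(obj);
  var indexed = [], named = [];
  for (var i = 0; i < names.length; i++) {
    (isArrayIndex(names[i]) ? indexed : named).push(names[i]);
  }
  return { indexed: indexed, named: named };
}

function guardedOwnPropertyNames(obj, maxIndexed) {
  // Arrays and typed arrays expose one own property per element, so the
  // element count bounds the number of index strings that would be built.
  if ((Array.isArray(obj) || ArrayBuffer.isView(obj)) && obj.length > maxIndexed) {
    throw new RangeError('refusing to enumerate ' + obj.length +
      ' indexed properties (budget ' + maxIndexed + ')');
  }
  return partitionOwnPropertyNames(obj);
}

function demo() {
  // Constructed sample objects for this example.
  var arr = [10, 20, 30];
  arr.extra = 'x';                        // named property beside the indices
  var typed = new Uint8ClampedArray(4);   // like ImageData.data: indices only
  var obj = { '1': 'a', '01': 'b', x: 1 }; // '01' is not canonical, so not an index
  var big = new Uint8ClampedArray(16);
  var guardError = null;
  try {
    guardedOwnPropertyNames(big, 8);
  } catch (e) {
    guardError = e;
  }
  return {
    arr: partitionOwnPropertyNames(arr),
    typed: partitionOwnPropertyNames(typed),
    obj: partitionOwnPropertyNames(obj),
    small: guardedOwnPropertyNames(typed, 8),
    guardError: guardError
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), function (k, v) {
    return v instanceof Error ? String(v) : v;
  }, 2));
}
```

The guard is the practical takeaway for code that reflects over user-controlled objects: check `length` on arrays and typed-array views before calling `Object.getOwnPropertyNames`, rather than filtering the index names out afterwards, because by then the allocation has already happened.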