Reviewers: wingo, Sven Panne, marja, Michael Starzinger,

Description:
Parser: Fix crash on stack overflow when lazy-parsing arrow functions

The problem manifests itself when parsing manages to return something
meaningful in the presence of a stack overflow. This happens because
calling ParserBase::Next() will still return one valid token on stack
overflow, before starting to return invalid tokens.

Take the following input as example:

        a.map(v => v + 1);
              | |
       already   next token
        parsed   (which will be an invalid token
  (identifier)   because of a stack overflow)

The "v" may have been already parsed into a VariableProxy, then if a
stack overflow occurs, next token will be an invalid token (instead
of Token::ARROW), but the parser will return the VariableProxy.

This always happens when lazy-parsing arrow functions, so the position
in the input stream where the arrow function code ends is known.
This fix adds a check that ensures that parsing ended at the end
position of the arrow function.

BUG=465671
LOG=N

Please review this at https://codereview.chromium.org/1023483003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+21, -6 lines):
  M src/parser.cc
  A + test/mjsunit/regress/regress-crbug-465671.js


Index: src/parser.cc
diff --git a/src/parser.cc b/src/parser.cc
index 4bcdfdbda7e2233fd25a710caea8f23d9d6d0510..e8b2bc837bd29d165b7c2762cf6cb1b08bb296cc 100644
--- a/src/parser.cc
+++ b/src/parser.cc
@@ -1145,8 +1145,19 @@ FunctionLiteral* Parser::ParseLazy(Isolate* isolate, ParseInfo* info,
       // from creating unresolved variables in already-resolved scopes.
       parsing_lazy_arrow_parameters_ = true;
       Expression* expression = ParseExpression(false, &ok);
-      DCHECK(expression->IsFunctionLiteral());
-      result = expression->AsFunctionLiteral();
+      if (ok) {
+        // Scanning must end at the same position that was recorded
+        // previously. If not, parsing has been interrupted due to a
+        // stack overflow, at which point the partially parsed arrow
+        // function concise body happens to be a valid expression.
+        if (scanner()->location().end_pos == shared_info->end_position()) {
+          DCHECK(expression->IsFunctionLiteral());
+          result = expression->AsFunctionLiteral();
+        } else {
+          result = NULL;
+          ok = false;
+        }
+      }
     } else if (shared_info->is_default_constructor()) {
result = DefaultConstructor(IsSubclassConstructor(shared_info->kind()),
                                   scope, shared_info->start_position(),
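Review bot: the new `else` branch infers a stack overflow purely from `scanner()->location().end_pos != shared_info->end_position()`; consider adding a DCHECK in that branch that a stack overflow was actually recorded, so that a position mismatch caused by something else (a wrong recorded end position, a scanner that stops early for another reason) fails loudly in debug builds instead of being silently reported to the caller as `ok = false` with `result = NULL`. Also note that when `ParseExpression` itself returns with `ok == false`, `result` is left untouched by the new `if (ok)` block, which is only correct if `result` is initialised to NULL before this branch (not visible in the hunk); worth confirming.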
Index: test/mjsunit/regress/regress-crbug-465671.js
diff --git a/test/mjsunit/compiler/regress-451012.js b/test/mjsunit/regress/regress-crbug-465671.js
similarity index 52%
copy from test/mjsunit/compiler/regress-451012.js
copy to test/mjsunit/regress/regress-crbug-465671.js
index bffc8bc5bdfac32bb561a24153d00157b26ac3a5..24f4d054755bc241d87ad774787d595aad6c0657 100644
--- a/test/mjsunit/compiler/regress-451012.js
+++ b/test/mjsunit/regress/regress-crbug-465671.js
@@ -2,11 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-"use strict";
+// Flags: --harmony-arrow-functions
+
+// This used to trigger crash because of an unhandled stack overflow.
 function f() {
-  for (let v; v; ) {
-    let x;
+  var a = [10];
+  try {
+    f();
+  } catch(e) {
+    a.map(v => v + 1);
   }
 }
-
 f();
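Review bot: the comment `// This used to trigger crash because of an unhandled stack overflow.` should read `trigger a crash`, and `catch(e)` should be `catch (e)` to match the rest of mjsunit. More importantly, the test only exercises the fix because `f()` recurses until the stack overflows and the arrow function `v => v + 1` is then lazily parsed inside the `catch` block while the stack is still nearly exhausted; a one-line comment stating that would keep a future cleanup from removing the unbounded recursion as an apparent mistake.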


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev