Reviewers: Sven Panne,

Message:
PTAL

Description:
Don't crash in Array.join() if the resulting string exceeds the max string
length.

LOG=y
BUG=336820

Please review this at https://codereview.chromium.org/144533003/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+8, -3 lines):
  M src/messages.js
  M src/runtime.cc


Index: src/messages.js
diff --git a/src/messages.js b/src/messages.js
index b479494db4838ffba287dceda37bd0e4b5d5fe7c..41e1d9781df37b0ff2f2757392641d32009fe175 100644
--- a/src/messages.js
+++ b/src/messages.js
@@ -118,6 +118,7 @@ var kMessages = {
   // RangeError
   invalid_array_length:          ["Invalid array length"],
   invalid_array_buffer_length:   ["Invalid array buffer length"],
+  invalid_string_length:         ["Invalid string length"],
   invalid_typed_array_offset:    ["Start offset is too large:"],
   invalid_typed_array_length:    ["Invalid typed array length"],
invalid_typed_array_alignment: ["%0", "of", "%1", "should be a multiple of", "%3"],
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index b3429fa1f54e2849313c3caf749fdd25d548ca84..3e8d57d039900ac11fc0311b9a45ba35045f9f43 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -7263,7 +7263,7 @@ static void JoinSparseArrayWithSeparator(FixedArray* elements,


 RUNTIME_FUNCTION(MaybeObject*, Runtime_SparseJoinWithSeparator) {
-  SealHandleScope shs(isolate);
+  HandleScope scope(isolate);
   ASSERT(args.length() == 3);
   CONVERT_ARG_CHECKED(JSArray, elements_array, 0);
   RUNTIME_ASSERT(elements_array->HasFastSmiOrObjectElements());
@@ -7323,8 +7323,12 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_SparseJoinWithSeparator) {
     }
   }
   if (overflow) {
-    // Throw OutOfMemory exception for creating too large a string.
-    V8::FatalProcessOutOfMemory("Array join result too large.");
+    // Throw an exception if the resulting string is too large. See
+    // https://code.google.com/p/chromium/issues/detail?id=336820
+    // for details.
+    return isolate->Throw(*isolate->factory()->
+                          NewRangeError("invalid_string_length",
+                                        HandleVector<Object>(NULL, 0)));
   }

   if (is_ascii) {
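Review bot: No regression test accompanies the new RangeError path at the overflow check — the diffstat lists only src/messages.js and src/runtime.cc — so nothing pins that a join whose result would exceed the maximum string length now throws instead of aborting the process; a mjsunit case that builds such an array, wraps the join in try/catch and asserts `e instanceof RangeError` would cover it. The `overflow` computation and the rest of Runtime_SparseJoinWithSeparator lie outside the hunk, so whether every too-long result sets `overflow` before this point cannot be confirmed here. Replacing the former FatalProcessOutOfMemory abort with a catchable error removes a script-triggerable process abort, which is the security-relevant part of the change and worth stating in the comment rather than only linking the bug, e.g. `// Throw a RangeError instead of aborting: script input must not be able to take down the process.` Whether other join paths in this file still reach the fatal abort is not visible in this diff and worth checking in the same change.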

