Reviewers: rossberg,

Description:
Prevent real stack overflow when handling JavaScript stack overflow

In stack overflow handling, we read Error.stackTraceLimit to limit
the size of the produced stack trace. However, if a getter is
installed on the stackTraceLimit property, reading it may overflow
the stack again and end up in an infinite loop. This change disallows
getters and setters on Error.stackTraceLimit.

BUG=

Please review this at https://codereview.chromium.org/234703006/

SVN Base: https://v8.googlecode.com/svn/trunk

Affected files (+12, -1 lines):
  M src/messages.js
  M test/mjsunit/stack-traces-overflow.js


Index: src/messages.js
diff --git a/src/messages.js b/src/messages.js
index ff108d6c879dde246ee918c87d28e89a467563c4..72d8823fefb2e10f169f87a7344b85ff95767ba8 100644
--- a/src/messages.js
+++ b/src/messages.js
@@ -1245,6 +1245,9 @@ SetUpError();

 $Error.captureStackTrace = captureStackTrace;

+// Make sure there are no setters/getters on stackTraceLimit
+%SetProperty($Error, 'stackTraceLimit', UNDEFINED, DONT_DELETE);
+
 %SetProperty($Error.prototype, 'message', '', DONT_ENUM);

 // Global list of error objects visited during ErrorToString. This is
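Review bot: The comment on the added `%SetProperty` line states the goal but not the mechanism, which is the DONT_DELETE attribute: a non-configurable data property cannot later be redefined as an accessor, so the property read during stack-overflow handling can no longer run user code. Suggest `// Make stackTraceLimit a non-configurable data property: it can then never be turned into an accessor, so reading it while handling a stack overflow cannot re-enter user code and overflow again.` Passing UNDEFINED as the value also overwrites whatever the property held at this point; if the default limit is installed earlier in bootstrapping (outside this hunk), stack trace capture would see undefined until a script assigns a number, so consider passing the current `$Error.stackTraceLimit` instead of UNDEFINED. The property remains writable, which appears intended, since scripts still need to assign a numeric limit.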
Index: test/mjsunit/stack-traces-overflow.js
diff --git a/test/mjsunit/stack-traces-overflow.js b/test/mjsunit/stack-traces-overflow.js
index 7722e93bd26129f91c2dae44b8294fbb76806c19..e19d010016be905f820b835c4091eb5a6be8371d 100644
--- a/test/mjsunit/stack-traces-overflow.js
+++ b/test/mjsunit/stack-traces-overflow.js
@@ -1,4 +1,4 @@
-// Copyright 2012 the V8 project authors. All rights reserved.
+// Copyright 2014 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -113,6 +113,14 @@ try {
   assertEquals(undefined, e.stack);
 }

+Error.__defineGetter__('stackTraceLimit', function() { rec1(0); });
+try {
+  rec1(0);
+} catch (e) {
+  // Make sure we do not crash.
+  e.stack;
+}
+
 Error.stackTraceLimit = 3;
 Error = "";  // Overwrite Error in the global object.
 try {
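Review bot: The new block only checks that evaluating `e.stack` does not crash; it never verifies that the `__defineGetter__` call above it was actually rejected, so the test would still pass if the getter were installed but simply not consulted on this path. Add an assertion right after the define, e.g. `assertEquals(undefined, Object.getOwnPropertyDescriptor(Error, 'stackTraceLimit').get);`, so a regression that makes the property configurable again fails deterministically instead of relying on the crash path. The bare `e.stack;` expression statement deserves a comment such as `// Accessing stack must not re-enter the getter; value is intentionally unchecked.` so the next reader does not mistake it for a leftover. `rec1` is defined outside this hunk.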

