Reviewers: Igor Sheludko,

Description:
Guard against stack overflow in Runtime::StringReplaceOneCharWithString.

Unfortunately, this only triggers with "ulimit -s 1024" (or less), so we
cannot have an mjsunit test. The test that fails is
test/mjsunit/string-replace-one-char.js on x64.debug.

[email protected]
BUG=

Please review this at https://codereview.chromium.org/264383006/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+4, -1 lines):
  M src/runtime.cc


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index b82d377f71fda4040cdcb5784c0f14744a64f42b..85260869794cbd9ce978f45cf227a2834942c264 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -4333,7 +4333,10 @@ MaybeHandle<String> StringReplaceOneCharWithString(Isolate* isolate,
                                                    Handle<String> replace,
                                                    bool* found,
                                                    int recursion_limit) {
-  if (recursion_limit == 0) return MaybeHandle<String>();
+  StackLimitCheck stackLimitCheck(isolate);
+  if (stackLimitCheck.HasOverflowed() || (recursion_limit == 0)) {
+    return MaybeHandle<String>();
+  }
   recursion_limit--;
   if (subject->IsConsString()) {
     ConsString* cons = ConsString::cast(*subject);
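Review bot: In the new `if` at the top of StringReplaceOneCharWithString, a stack overflow and an exhausted recursion_limit both return the same empty MaybeHandle<String>(), so the caller cannot tell which one happened. If the caller treats an empty handle as "recursion budget used up, try another path", it will do so at the same stack depth that just failed the check. Consider handling the HasOverflowed() case separately, for example by raising a stack overflow exception on the isolate before returning, or confirm that every caller handles an empty result with no pending exception. Since the description says no mjsunit test can cover this, a one-line comment above the check explaining why it is needed in addition to recursion_limit would help future readers. Style nit: the local `stackLimitCheck` is camelCase while the surrounding names in this function (recursion_limit, subject, replace) are lower-case with underscores; a name in that style would match, and the extra parentheses around `recursion_limit == 0` are not needed.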

