Fix fuzzer problem due to allocation of string

Bug: chromium:1130489
Change-Id: I506f2ea418bf3bde9468126534df9d78337e5f82
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2422086
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70073}
This commit is contained in:
Frank Tang 2020-09-21 14:23:55 -07:00 committed by Commit Bot
parent ec570b8a80
commit 2b2ebc3b24
2 changed files with 33 additions and 3 deletions


@ -542,12 +542,12 @@ MaybeHandle<JSCollator> JSCollator::New(Isolate* isolate, Handle<Map> map,
Managed<icu::Collator>::FromUniquePtr(isolate, 0, Managed<icu::Collator>::FromUniquePtr(isolate, 0,
std::move(icu_collator)); std::move(icu_collator));
// Now all properties are ready, so we can allocate the result object.
Handle<JSCollator> collator = Handle<JSCollator>::cast(
isolate->factory()->NewFastOrSlowJSObjectFromMap(map));
// We only need to do so if it is different from the collator would return. // We only need to do so if it is different from the collator would return.
Handle<String> locale_str = isolate->factory()->NewStringFromAsciiChecked( Handle<String> locale_str = isolate->factory()->NewStringFromAsciiChecked(
(collator_locale != icu_locale) ? r.locale.c_str() : ""); (collator_locale != icu_locale) ? r.locale.c_str() : "");
// Now all properties are ready, so we can allocate the result object.
Handle<JSCollator> collator = Handle<JSCollator>::cast(
isolate->factory()->NewFastOrSlowJSObjectFromMap(map));
DisallowHeapAllocation no_gc; DisallowHeapAllocation no_gc;
collator->set_icu_collator(*managed_collator); collator->set_icu_collator(*managed_collator);
collator->set_locale(*locale_str); collator->set_locale(*locale_str);
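Review bot: The reordered allocation carries no comment, so nothing stops a later edit from putting another allocating call back between `NewFastOrSlowJSObjectFromMap(map)` and the `DisallowHeapAllocation no_gc` that guards the two setters; the ordering constraint is now the fix, and it is invisible in the code. The commit message attributes the fuzzer failure to the string allocation, presumably because allocating `locale_str` after the collator object could run a GC (or fail) while the collator's fields were still unset — worth confirming against the bug report before wording the comment. I would add, directly above the moved `Handle<JSCollator> collator = ...` line: `// Allocate the result object last: no allocating call may run between creating the JSCollator and initializing its fields under no_gc below.` JSCollator::New begins before this hunk and continues after it, so the remaining field initializations are not visible here.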


@ -0,0 +1,30 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function runNearStackLimit(f) {
function t() {
try {
return t();
} catch (e) {
return f();
}
}
try {
return t();
} catch (e) {}
}
const str = 'hello';
const locale = new Intl.Locale('ja-u-co-eor-kf-lower-kn-false');
function test(getLocaleFromCollator) {
const localeInCollator = getLocaleFromCollator(locale);
const temp = str("en");
}
runNearStackLimit(() => {
return test(args => {
new Intl.Collator(locale).resolvedOptions().locale;
})}
);
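Review bot: The regression test never says what it is guarding against, and two of its lines look like fuzzer noise that a maintainer will be tempted to "fix": `const temp = str("en");` throws a TypeError on every call because `str` is the string `'hello'`, and the `args => { ... }` callback ignores its parameter and returns nothing even though `test` stores its result as `localeInCollator`. If the throw and the discarded result are deliberate parts of the reproducer, that should be stated; otherwise they should be simplified so the test still exercises `new Intl.Collator(locale)` near the stack limit. I would add a header after the license block: `// Regression test for chromium:1130489: constructing an Intl.Collator close to the stack limit must not trip the allocation problem fixed in JSCollator::New.` and, above line 55, `// Deliberately throws (str is a string); runNearStackLimit swallows it.` if that is indeed intended.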