Fix fuzzer problem due to allocation of string

Bug: chromium:1130489 Change-Id: I506f2ea418bf3bde9468126534df9d78337e5f82 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2422086 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#70073}
2020-09-21 14:23:55 -07:00 · 2020-09-21 14:23:55 -07:00 · 2b2ebc3b24
commit 2b2ebc3b24
parent ec570b8a80
2 changed files with 33 additions and 3 deletions
--- a/src/objects/js-collator.cc
+++ b/src/objects/js-collator.cc
@ -542,12 +542,12 @@ MaybeHandle<JSCollator> JSCollator::New(Isolate* isolate, Handle<Map> map,
      Managed<icu::Collator>::FromUniquePtr(isolate, 0,
                                            std::move(icu_collator));

-  // Now all properties are ready, so we can allocate the result object.
-  Handle<JSCollator> collator = Handle<JSCollator>::cast(
-      isolate->factory()->NewFastOrSlowJSObjectFromMap(map));
  // We only need to do so if it is different from the collator would return.
  Handle<String> locale_str = isolate->factory()->NewStringFromAsciiChecked(
      (collator_locale != icu_locale) ? r.locale.c_str() : "");
+  // Now all properties are ready, so we can allocate the result object.
+  Handle<JSCollator> collator = Handle<JSCollator>::cast(
+      isolate->factory()->NewFastOrSlowJSObjectFromMap(map));
  DisallowHeapAllocation no_gc;
  collator->set_icu_collator(*managed_collator);
  collator->set_locale(*locale_str);
--- a/test/intl/regress-1130489.js
+++ b/test/intl/regress-1130489.js
@ -0,0 +1,30 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function runNearStackLimit(f) {
+  function t() {
+    try {
+     return t();
+    } catch (e) {
+      return f();
+    }
+  }
+  try {
+    return t();
+  } catch (e) {}
+}
+
+const str = 'hello';
+const locale = new Intl.Locale('ja-u-co-eor-kf-lower-kn-false');
+
+function test(getLocaleFromCollator) {
+  const localeInCollator = getLocaleFromCollator(locale);
+  const temp = str("en");
+}
+
+runNearStackLimit(() => {
+    return test(args => {
+      new Intl.Collator(locale).resolvedOptions().locale;
+    })}
+);