diff --git a/src/message-template.h b/src/message-template.h index 2ffbfab19e..b6eb4de575 100644 --- a/src/message-template.h +++ b/src/message-template.h @@ -460,7 +460,7 @@ namespace internal { T(TooManyArguments, \ "Too many arguments in function call (only 65535 allowed)") \ T(TooManyParameters, \ - "Too many parameters in function definition (only 65535 allowed)") \ + "Too many parameters in function definition (only 65534 allowed)") \ T(TooManySpreads, \ "Literal containing too many nested spreads (up to 65534 allowed)") \ T(TooManyVariables, "Too many variables declared (only 4194303 allowed)") \ diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h index ec7e3047da..c09864e752 100644 --- a/src/parsing/parser-base.h +++ b/src/parsing/parser-base.h @@ -3544,7 +3544,8 @@ void ParserBase::ParseFormalParameterList(FormalParametersT* parameters) { if (peek() != Token::RPAREN) { while (true) { - if (parameters->arity > Code::kMaxArguments) { + // Add one since we're going to be adding a parameter. + if (parameters->arity + 1 > Code::kMaxArguments) { ReportMessage(MessageTemplate::kTooManyParameters); return; } diff --git a/test/mjsunit/regress/regress-crbug-902610.js b/test/mjsunit/regress/regress-crbug-902610.js new file mode 100644 index 0000000000..11b88f288b --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-902610.js @@ -0,0 +1,11 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +assertThrows(() => { + // Make a function with 65535 args. This should throw a SyntaxError because -1 + // is reserved for the "don't adapt arguments" sentinel. + var f_with_65535_args = + eval("(function(" + Array(65535).fill("x").join(",") + "){})"); + f_with_65535_args(); +}, SyntaxError);