[parser] Fix stackoverflow on function expressions

This merges all the possible targets for 'member expressions' previously parsed in ParseMemberExpression into ParsePrimaryExpression; since that's not independently used anyway. This will make it faster since we don't need to go through unnecessary branches before ParsePrimaryExpression on the fast path, *and* it will make the binary smaller since ParseMemberExpression is inlined but ParsePrimaryExpression is not. It saves 4kb. Yay :) Bug: chromium:913222 Change-Id: Ib92e1c2a128fffff1db85b625bb5f311ec8c24ef Reviewed-on: https://chromium-review.googlesource.com/c/1480379 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#59814}
2019-02-21 17:37:39 +01:00 · 2019-02-21 17:37:39 +01:00 · 4b0c2b32af
commit 4b0c2b32af
parent e14a24d32e
2 changed files with 24 additions and 14 deletions
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@ -1712,6 +1712,17 @@ ParserBase<Impl>::ParsePrimaryExpression() {
    case Token::DIV:
      return ParseRegExpLiteral();

+    case Token::FUNCTION:
+      return ParseFunctionExpression();
+
+    case Token::SUPER: {
+      const bool is_new = false;
+      return ParseSuperExpression(is_new);
+    }
+    case Token::IMPORT:
+      if (!allow_harmony_dynamic_import()) break;
+      return ParseImportExpressions();
+
    case Token::LBRACK:
      return ParseArrayLiteral();

@ -3257,22 +3268,11 @@ ParserBase<Impl>::ParseMemberExpression() {
  //     ('[' Expression ']' | '.' Identifier | Arguments | TemplateLiteral)*
  //
  // The '[' Expression ']' and '.' Identifier parts are parsed by
-  // ParseMemberExpressionContinuation, and the Arguments part is parsed by the
-  // caller.
+  // ParseMemberExpressionContinuation, and everything preceeding it is merged
+  // into ParsePrimaryExpression.

  // Parse the initial primary or function expression.
-  ExpressionT result;
-  if (peek() == Token::FUNCTION) {
-    result = ParseFunctionExpression();
-  } else if (peek() == Token::SUPER) {
-    const bool is_new = false;
-    result = ParseSuperExpression(is_new);
-  } else if (allow_harmony_dynamic_import() && peek() == Token::IMPORT) {
-    result = ParseImportExpressions();
-  } else {
-    result = ParsePrimaryExpression();
-  }
-
+  ExpressionT result = ParsePrimaryExpression();
  return ParseMemberExpressionContinuation(result);
 }

--- a/test/mjsunit/regress/regress-crbug-913222.js
+++ b/test/mjsunit/regress/regress-crbug-913222.js
@ -0,0 +1,10 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack-size=100
+__v_0 = '(function() {\n';
+for (var __v_1 = 0; __v_1 < 10000; __v_1++) {
+    __v_0 += '  return function() {\n';
+}
+assertThrows(()=>eval(__v_0), RangeError);