[builtins] Add Object#toLocaleString stack check
Fixes a regression causing a seg fault instead of the expected stack overflow. Bug: chromium:796427, v8:6005 Change-Id: Ifc752a4009a25f447f5e87745dcc1bb83722c34e Reviewed-on: https://chromium-review.googlesource.com/838854 Commit-Queue: Peter Wong <peter.wm.wong@gmail.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#50265}
This commit is contained in:
parent
c1aec1d708
commit
bd1f8050b0
@ -101,6 +101,8 @@ TF_BUILTIN(ObjectPrototypeToLocaleString, CodeStubAssembler) {
TNode<Context> context = CAST(Parameter(Descriptor::kContext));
TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
|
PerformStackCheck(context);
|
Label if_null_or_undefined(this, Label::kDeferred);
GotoIf(IsNullOrUndefined(receiver), &if_null_or_undefined);
|
|
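--- /dev/null
+++ b/test/mjsunit/regress/regress-796427.js
@@ -0,0 +1,7 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --stack-size=150
+
+assertThrows(() => "" + { toString: Object.prototype.toLocaleString }, RangeError);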
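Review bot: The regression test carries no comment explaining why this one-liner recurses, so a later reader cannot tell what the stack check added to ObjectPrototypeToLocaleString is guarding against or why a RangeError is the expected outcome. Installing Object.prototype.toLocaleString as the object's own toString means string concatenation calls toLocaleString, which (as I read the spec) invokes this.toString(), i.e. itself, without bound; per the commit message that unbounded recursion previously ran through a builtin with no stack check and crashed rather than throwing. I would add above the assertThrows: `// toString *is* toLocaleString, which calls this.toString() again: unbounded recursion that must surface as a RangeError from the builtin's stack check, not as a crash.` The small --stack-size only makes the overflow cheap to reach and is not part of the contract being tested, which is worth stating in the same comment so nobody "fixes" the flag away.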