[builtins] Add Object#toLocaleString stack check

Fixes a regression that caused a segfault instead of the
expected stack overflow.

Bug: chromium:796427, v8:6005
Change-Id: Ifc752a4009a25f447f5e87745dcc1bb83722c34e
Reviewed-on: https://chromium-review.googlesource.com/838854
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50265}
peterwmwong 2017-12-21 07:52:04 -06:00 committed by Commit Bot
parent c1aec1d708
commit bd1f8050b0
2 changed files with 9 additions and 0 deletions


@ -101,6 +101,8 @@ TF_BUILTIN(ObjectPrototypeToLocaleString, CodeStubAssembler) {
TNode<Context> context = CAST(Parameter(Descriptor::kContext)); TNode<Context> context = CAST(Parameter(Descriptor::kContext));
TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver)); TNode<Object> receiver = CAST(Parameter(Descriptor::kReceiver));
PerformStackCheck(context);
Label if_null_or_undefined(this, Label::kDeferred); Label if_null_or_undefined(this, Label::kDeferred);
GotoIf(IsNullOrUndefined(receiver), &if_null_or_undefined); GotoIf(IsNullOrUndefined(receiver), &if_null_or_undefined);
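Review bot: The added `PerformStackCheck(context);` after the receiver parameter carries no comment saying why this builtin needs an explicit stack check, and since the rest of the body lies outside the hunk a reader cannot see from here what re-enters it. The regression test in the second file installs Object.prototype.toLocaleString as a toString, which suggests the receiver's own toString can call back into this builtin without bound; a one-line comment such as `// The receiver's toString may re-enter this builtin; check the stack first so unbounded recursion ends in a RangeError instead of a native overflow (v8:6005).` would make that intent durable. The hunk header reports two added lines but only one is visible here, so the rendering has presumably dropped a blank line. ObjectPrototypeToLocaleString starts and ends outside the hunk.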


@ -0,0 +1,7 @@
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --stack-size=150
assertThrows(() => "" + { toString: Object.prototype.toLocaleString }, RangeError);
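Review bot: The assertThrows line pins the RangeError but does not say how the recursion arises, so a maintainer who later changes or drops `--stack-size=150` cannot tell what the flag is protecting. A comment above it such as `// Using toLocaleString as toString makes the string conversion re-enter toLocaleString until the stack runs out; the expected outcome is a RangeError, not a crash.` would document the chain. The reduced stack size presumably only lowers the recursion depth needed to hit the check, so the assertion itself should not depend on the exact value.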