[array] Add stack overflow check for Array#flat

This CL adds a stack check to the TFS builtin "FlattenIntoArray" as it is called recursively and can cause a SEGV with a large enough "depth" argument. R=jgruber@chromium.org Bug: v8:8708 Change-Id: I833506531bcff1c4703b9a21678028cf0e63638d Reviewed-on: https://chromium-review.googlesource.com/c/1424858 Commit-Queue: Simon Zünd <szuend@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#58952}
2019-01-21 10:55:43 +01:00 · 2019-01-21 10:55:43 +01:00 · bf17cd2150
commit bf17cd2150
parent a8784a400b
2 changed files with 14 additions and 0 deletions
--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@ -3189,6 +3189,10 @@ TF_BUILTIN(FlattenIntoArray, ArrayFlattenAssembler) {
  Node* const start = Parameter(Descriptor::kStart);
  Node* const depth = Parameter(Descriptor::kDepth);

+  // FlattenIntoArray might get called recursively, check stack for overflow
+  // manually as it has stub linkage.
+  PerformStackCheck(CAST(context));
+
  Return(
      FlattenIntoArray(context, target, source, source_length, start, depth));
 }
--- a/test/mjsunit/regress/regress-8708.js
+++ b/test/mjsunit/regress/regress-8708.js
@ -0,0 +1,10 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack-size=100
+
+let array = new Array(1);
+array.splice(1, 0, array);
+
+assertThrows(() => array.flat(Infinity), RangeError);