8315422762
Previously we would shift the length of the string by three, which could overflow with the new larger string length limit. Now we check that the length will fit without extra allocation before and after the shift, because really large strings will never fit, and will always go to the Checked case. Bug: chromium:748069, v8:6148 Change-Id: I41cac14b0fde6c5e8ca92305a052cbb743111554 Reviewed-on: https://chromium-review.googlesource.com/584611 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#46896}
13 lines
398 B
JavaScript
13 lines
398 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
try {
|
|
var a = 'a'.repeat(1 << 28);
|
|
} catch (e) {
|
|
// If the allocation fails, we don't care, because we can't cause the
|
|
// overflow.
|
|
}
|
|
// Cause an overflow in worst-case calculation for string replacement.
|
|
JSON.stringify(a);
|