v8/test/mjsunit/regress/regress-11115.js
Jakob Kummerow db5ede7ff8 Fix rare stack overflow in instanceof
For a very particular special case (long "chains" of bound
functions with an undefined @@hasInstance handler), evaluating
the `instanceof` operator could lead to a very deep recursion.
This patch adds a stack check to make sure we throw rather than
crash on stack overflow.

Bug: v8:11115
Change-Id: I6bf941b9e75e9fe3a52112ade27388ac4fbbda2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2545624
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71335}
2020-11-23 10:48:49 +00:00


// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --stack-size=100
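// Build a long chain of bound functions, each with @@hasInstance set to
// undefined, so that evaluating `instanceof` has to walk the whole
// bound-target chain (the deep recursion this regression test covers).
let f = function() {};
for (let i = 0; i < 1000; ++i) {
  f = f.bind();
  Object.defineProperty(f, Symbol.hasInstance, {value: undefined});
}
try {
  ({}) instanceof f; // Don't overflow the stack!
} catch (e) {
  // Under --stack-size=100 a RangeError from the stack check is the
  // expected outcome; anything else is a genuine failure, so rethrow it
  // instead of silently swallowing it.
  if (!(e instanceof RangeError)) throw e;
}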