v8/test/mjsunit/regress/regress-crbug-1235182.js
Patrick Thier d4711df350 [sparkplug] Fix maximum frame size in prologue.
Maximum frame size (in bytes) is used to check for stack overflows
in the prologue.
The maximum number of call arguments is pre-calculated and included
in this check. However the count was added to the frame size without
converting the count to bytes, resulting in inaccurate stack overflow
checks.

Bug: chromium:1235182
Change-Id: I21bca4e183fccfd055f2f1d5a40b71651c14b911
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3071399
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76090}
2021-08-04 13:58:00 +00:00
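A constructed model of the prologue check the commit message describes, added here for illustration and not V8 code (all names and the 7023-argument figure from the regression test are used as a worked case; headroom and frame sizes are made up). It shows that adding the argument count to a byte size lets a frame through that really crosses the stack limit, while converting the count to bytes first rejects it:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constant: one stack slot per argument on a 64-bit target. */
#define kSystemPointerSize 8

/* Stack grows down: sp is the current pointer, stack_limit the lowest
   address the frame may reach. The model assumes sp >= stack_limit. */
typedef struct {
    uintptr_t sp;
    uintptr_t stack_limit;
} StackState;

/* Bytes the frame really occupies: fixed part plus one slot per outgoing argument. */
static size_t actual_frame_bytes(size_t fixed_frame_bytes, size_t max_call_args) {
    return fixed_frame_bytes + max_call_args * kSystemPointerSize;
}

/* Buggy check: the argument *count* is added to a value measured in bytes. */
static bool prologue_check_buggy(StackState s, size_t fixed_frame_bytes, size_t max_call_args) {
    size_t assumed = fixed_frame_bytes + max_call_args;
    return (size_t)(s.sp - s.stack_limit) >= assumed;
}

/* Fixed check: the count is converted to bytes before it is added. */
static bool prologue_check_fixed(StackState s, size_t fixed_frame_bytes, size_t max_call_args) {
    size_t assumed = actual_frame_bytes(fixed_frame_bytes, max_call_args);
    return (size_t)(s.sp - s.stack_limit) >= assumed;
}

/* True when the check accepts a frame that would actually run past the limit. */
static bool check_is_unsound(bool (*check)(StackState, size_t, size_t),
                             StackState s, size_t fixed_frame_bytes, size_t max_call_args) {
    bool accepted = check(s, fixed_frame_bytes, max_call_args);
    bool fits = (size_t)(s.sp - s.stack_limit) >= actual_frame_bytes(fixed_frame_bytes, max_call_args);
    return accepted && !fits;
}

int main(void) {
    /* Constructed state: 16 KiB of headroom, 256-byte fixed frame, 7023 outgoing args. */
    StackState s = { 0x10000 + 16384, 0x10000 };
    printf("buggy check unsound: %d\n", check_is_unsound(prologue_check_buggy, s, 256, 7023));
    printf("fixed check unsound: %d\n", check_is_unsound(prologue_check_fixed, s, 256, 7023));
    return 0;
}
```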


// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// call_f invokes f with 7023 arguments, so its frame needs far more stack
// than the bare argument count suggests.
var call_f = new Function('f(' + ('0,').repeat(7023) + ')');
// f re-enters call_f as the sort comparator, so the recursion only stops
// when the prologue stack check fires.
function f() {[1, 2, 3].sort(call_f);}
// A correct byte-based check ends this with a RangeError, not a stack overrun.
assertThrows(call_f, RangeError);