fix assertion failure with --harmony CreateDynamicFunction() in stack overflow conditions

Bug=chromium:707066 R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Change-Id: I24ce0a08816940ef4646d0f2de188d4832c823a0 Reviewed-on: https://chromium-review.googlesource.com/474990Reviewed-by: Daniel Ehrenberg <littledan@chromium.org> Commit-Queue: Josh Wolfe <jwolfe@igalia.com> Cr-Commit-Position: refs/heads/master@{#44668}

fix assertion failure with --harmony CreateDynamicFunction() in stack overflow conditions
Bug=chromium:707066 R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Change-Id: I24ce0a08816940ef4646d0f2de188d4832c823a0 Reviewed-on: https://chromium-review.googlesource.com/474990Reviewed-by: Daniel Ehrenberg <littledan@chromium.org> Commit-Queue: Josh Wolfe <jwolfe@igalia.com> Cr-Commit-Position: refs/heads/master@{#44668}
12363355 · Josh Wolfe · Commit Bot · 27330872 · 12363355 · 12363355
Commit 12363355 authored Apr 13, 2017 by Josh Wolfe Committed by Commit Bot Apr 17, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

parser-base.h src/parsing/parser-base.h +8 -0

regress-707066.js test/mjsunit/regress/regress-707066.js +25 -0

No files found.
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@@ -3418,6 +3418,10 @@ typename ParserBase<Impl>::ExpressionT ParserBase<Impl>::ParseMemberExpression(
    if (impl()->ParsingDynamicFunctionDeclaration()) {
      // We don't want dynamic functions to actually declare their name
      // "anonymous". We just want that name in the toString().
+      if (stack_overflow()) {
+        *ok = false;
+        return impl()->EmptyExpression();
+      }
      Consume(Token::IDENTIFIER);
      DCHECK(scanner()->CurrentMatchesContextual(Token::ANONYMOUS));
    } else if (peek_any_identifier()) {
@@ -4452,6 +4456,10 @@ ParserBase<Impl>::ParseAsyncFunctionLiteral(bool* ok) {
  if (impl()->ParsingDynamicFunctionDeclaration()) {
    // We don't want dynamic functions to actually declare their name
    // "anonymous". We just want that name in the toString().
+    if (stack_overflow()) {
+      *ok = false;
+      return impl()->EmptyExpression();
+    }
    Consume(Token::IDENTIFIER);
    DCHECK(scanner()->CurrentMatchesContextual(Token::ANONYMOUS));
  } else if (peek_any_identifier()) {

--- a/test/mjsunit/regress/regress-707066.js
+++ b/test/mjsunit/regress/regress-707066.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --harmony-function-tostring
+
+// There was a bug in CreateDynamicFunction where a stack overflow
+// situation caused an assertion failure.
+
+function test(api) {
+  function f() {
+    try {
+      // induce a stack overflow
+      f();
+    } catch(e) {
+      // this might result in even more stack overflows
+      api();
+    }
+  }
+  f();
+}
+
+test((      function (){}).constructor); // Function
+test((      function*(){}).constructor); // GeneratorFunction
+test((async function (){}).constructor); // AsyncFunction