[test] Crash on InvalidStringLength for correctness fuzzer.

Now that the maximum string length varies between platforms, the correctness fuzzer is unhappy. It will ignore crashes, so when we know we have reached platform-dependant behavior just crash if --abort_on_stack_overflow is enabled. Also rename abort_on_stack_overflow to abort_on_stack_or_string_length_overflow. Bug: chromium:748137 Change-Id: Ie4e96709b90029b5ce3c8408064d928f841b3b9f Reviewed-on: https://chromium-review.googlesource.com/589269 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#47007}

[test] Crash on InvalidStringLength for correctness fuzzer.
Now that the maximum string length varies between platforms, the correctness fuzzer is unhappy. It will ignore crashes, so when we know we have reached platform-dependant behavior just crash if --abort_on_stack_overflow is enabled. Also rename abort_on_stack_overflow to abort_on_stack_or_string_length_overflow. Bug: chromium:748137 Change-Id: Ie4e96709b90029b5ce3c8408064d928f841b3b9f Reviewed-on: https://chromium-review.googlesource.com/589269 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#47007}
1a087f02 · Peter Marshall · Commit Bot · 3c31e109 · 1a087f02 · 1a087f02
Commit 1a087f02 authored Jul 31, 2017 by Peter Marshall Committed by Commit Bot Jul 31, 2017
10 changed files
--- a/src/compiler/js-intrinsic-lowering.cc
+++ b/src/compiler/js-intrinsic-lowering.cc
@@ -103,6 +103,8 @@ Reduction JSIntrinsicLowering::Reduce(Node* node) {
      return ReduceTheHole(node);
    case Runtime::kInlineClassOf:
      return ReduceClassOf(node);
+    case Runtime::kInlineStringMaxLength:
+      return ReduceStringMaxLength(node);
    default:
      break;
  }
@@ -394,6 +396,12 @@ Reduction JSIntrinsicLowering::ReduceClassOf(Node* node) {
  return Changed(node);
 }

+Reduction JSIntrinsicLowering::ReduceStringMaxLength(Node* node) {
+  Node* value = jsgraph()->Constant(String::kMaxLength);
+  ReplaceWithValue(node, value);
+  return Replace(value);
+}
+
 Reduction JSIntrinsicLowering::Change(Node* node, const Operator* op, Node* a,
                                      Node* b) {
  RelaxControls(node);

--- a/src/compiler/js-intrinsic-lowering.h
+++ b/src/compiler/js-intrinsic-lowering.h
@@ -79,6 +79,7 @@ class V8_EXPORT_PRIVATE JSIntrinsicLowering final
  // TODO(turbofan): JavaScript builtins support; drop once all uses of
  // %_ClassOf in JavaScript builtins are eliminated.
  Reduction ReduceClassOf(Node* node);
+  Reduction ReduceStringMaxLength(Node* node);

  Reduction Change(Node* node, const Operator* op);
  Reduction Change(Node* node, const Operator* op, Node* a, Node* b);

--- a/src/debug/debug-evaluate.cc
+++ b/src/debug/debug-evaluate.cc
@@ -296,6 +296,7 @@ bool IntrinsicHasNoSideEffect(Runtime::FunctionId id) {
  V(ThrowSymbolIteratorInvalid)      \
  V(ThrowIteratorResultNotAnObject)  \
  V(NewTypeError)                    \
+  V(ThrowInvalidStringLength)        \
  /* Strings */                      \
  V(StringCharCodeAt)                \
  V(StringIndexOf)                   \
@@ -336,7 +337,8 @@ bool IntrinsicHasNoSideEffect(Runtime::FunctionId id) {
  V(MaxSmi)                          \
  V(NewObject)                       \
  V(FinalizeInstanceSize)            \
-  V(HasInPrototypeChain)
+  V(HasInPrototypeChain)             \
+  V(StringMaxLength)

 #define CASE(Name)       \
  case Runtime::k##Name: \

--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1438,6 +1438,9 @@ Handle<Object> Factory::NewError(Handle<JSFunction> constructor,
 }

 Handle<Object> Factory::NewInvalidStringLengthError() {
+  if (FLAG_abort_on_stack_or_string_length_overflow) {
+    FATAL("Aborting on invalid string length");
+  }
  // Invalidate the "string length" protector.
  if (isolate()->IsStringLengthOverflowIntact()) {
    isolate()->InvalidateStringLengthOverflowProtector();

--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -950,10 +950,11 @@ DEFINE_BOOL(stack_trace_on_illegal, false,
            "print stack trace when an illegal exception is thrown")
 DEFINE_BOOL(abort_on_uncaught_exception, false,
            "abort program (dump core) when an uncaught exception is thrown")
-DEFINE_BOOL(abort_on_stack_overflow, false,
-            "Abort program when stack overflow (as opposed to throwing "
-            "RangeError). This is useful for fuzzing where the spec behaviour "
-            "would introduce nondeterminism.")
+DEFINE_BOOL(abort_on_stack_or_string_length_overflow, false,
+            "Abort program when the stack overflows or a string exceeds "
+            "maximum length (as opposed to throwing RangeError). This is "
+            "useful for fuzzing where the spec behaviour would introduce "
+            "nondeterminism.")
 DEFINE_BOOL(randomize_hashes, true,
            "randomize hashes to avoid predictable hash collisions "
            "(with snapshots this option cannot override the baked-in seed)")

--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -924,7 +924,7 @@ bool Isolate::MayAccess(Handle<Context> accessing_context,


 Object* Isolate::StackOverflow() {
-  if (FLAG_abort_on_stack_overflow) {
+  if (FLAG_abort_on_stack_or_string_length_overflow) {
    FATAL("Aborting on stack overflow");
  }


--- a/src/js/string.js
+++ b/src/js/string.js
@@ -157,7 +157,7 @@ DEFINE_METHODS(

      // The maximum string length is stored in a smi, so a longer repeat
      // must result in a range error.
-      if (n > %_MaxSmi()) throw %make_range_error(kInvalidStringLength);
+      if (n > %_StringMaxLength()) %ThrowInvalidStringLength();

      var r = "";
      while (true) {

--- a/src/regexp/regexp-parser.cc
+++ b/src/regexp/regexp-parser.cc
@@ -77,7 +77,9 @@ void RegExpParser::Advance() {
  if (has_next()) {
    StackLimitCheck check(isolate());
    if (check.HasOverflowed()) {
-      if (FLAG_abort_on_stack_overflow) FATAL("Aborting on stack overflow");
+      if (FLAG_abort_on_stack_or_string_length_overflow) {
+        FATAL("Aborting on stack overflow");
+      }
      ReportError(CStrVector(
          MessageTemplate::TemplateString(MessageTemplate::kStackOverflow)));
    } else if (zone()->excess_allocation()) {

--- a/tools/foozzie/testdata/failure_output.txt
+++ b/tools/foozzie/testdata/failure_output.txt
@@ -9,9 +9,9 @@
 # Compared x64,ignition with x64,ignition_turbo
 #
 # Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 12345 --turbo-filter=~ --noopt
+--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 12345 --turbo-filter=~ --noopt
 # Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 12345
+--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 12345
 #
 # Difference:
 - unknown

--- a/tools/foozzie/v8_foozzie.py
+++ b/tools/foozzie/v8_foozzie.py
@@ -71,8 +71,9 @@ PREAMBLE = [
 ]
 ARCH_MOCKS = os.path.join(BASE_PATH, 'v8_mock_archs.js')

-FLAGS = ['--abort_on_stack_overflow', '--expose-gc', '--allow-natives-syntax',
-         '--invoke-weak-callbacks', '--omit-quit', '--es-staging']
+FLAGS = ['--abort_on_stack_or_string_length_overflow', '--expose-gc',
+         '--allow-natives-syntax', '--invoke-weak-callbacks', '--omit-quit',
+         '--es-staging']

 SUPPORTED_ARCHS = ['ia32', 'x64', 'arm', 'arm64']