Fix fuzzer problem due to allocation of string

Bug: chromium:1130489 Change-Id: I506f2ea418bf3bde9468126534df9d78337e5f82 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2422086Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#70073}

Fix fuzzer problem due to allocation of string
Bug: chromium:1130489 Change-Id: I506f2ea418bf3bde9468126534df9d78337e5f82 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2422086Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#70073}
2b2ebc3b · Frank Tang · Commit Bot · ec570b8a · 2b2ebc3b · 2b2ebc3b
Commit 2b2ebc3b authored Sep 21, 2020 by Frank Tang Committed by Commit Bot Sep 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 3 deletions

js-collator.cc src/objects/js-collator.cc +3 -3

regress-1130489.js test/intl/regress-1130489.js +30 -0

No files found.
--- a/src/objects/js-collator.cc
+++ b/src/objects/js-collator.cc
@@ -542,12 +542,12 @@ MaybeHandle<JSCollator> JSCollator::New(Isolate* isolate, Handle<Map> map,
      Managed<icu::Collator>::FromUniquePtr(isolate, 0,
                                            std::move(icu_collator));

-  // Now all properties are ready, so we can allocate the result object.
-  Handle<JSCollator> collator = Handle<JSCollator>::cast(
-      isolate->factory()->NewFastOrSlowJSObjectFromMap(map));
  // We only need to do so if it is different from the collator would return.
  Handle<String> locale_str = isolate->factory()->NewStringFromAsciiChecked(
      (collator_locale != icu_locale) ? r.locale.c_str() : "");
+  // Now all properties are ready, so we can allocate the result object.
+  Handle<JSCollator> collator = Handle<JSCollator>::cast(
+      isolate->factory()->NewFastOrSlowJSObjectFromMap(map));
  DisallowHeapAllocation no_gc;
  collator->set_icu_collator(*managed_collator);
  collator->set_locale(*locale_str);

--- a/test/intl/regress-1130489.js
+++ b/test/intl/regress-1130489.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function runNearStackLimit(f) {
+  function t() {
+    try {
+     return t();
+    } catch (e) {
+      return f();
+    }
+  }
+  try {
+    return t();
+  } catch (e) {}
+}
+
+const str = 'hello';
+const locale = new Intl.Locale('ja-u-co-eor-kf-lower-kn-false');
+
+function test(getLocaleFromCollator) {
+  const localeInCollator = getLocaleFromCollator(locale);
+  const temp = str("en");
+}
+
+runNearStackLimit(() => {
+    return test(args => {
+      new Intl.Collator(locale).resolvedOptions().locale;
+    })}
+);