Commit 3214cf11 authored by bmeurer@chromium.org's avatar bmeurer@chromium.org

Don't crash in Array.join() if the resulting string exceeds the max string length.

LOG=y
BUG=336820
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/144533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18986 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 2aa17c6e
...@@ -118,6 +118,7 @@ var kMessages = { ...@@ -118,6 +118,7 @@ var kMessages = {
// RangeError // RangeError
invalid_array_length: ["Invalid array length"], invalid_array_length: ["Invalid array length"],
invalid_array_buffer_length: ["Invalid array buffer length"], invalid_array_buffer_length: ["Invalid array buffer length"],
invalid_string_length: ["Invalid string length"],
invalid_typed_array_offset: ["Start offset is too large:"], invalid_typed_array_offset: ["Start offset is too large:"],
invalid_typed_array_length: ["Invalid typed array length"], invalid_typed_array_length: ["Invalid typed array length"],
invalid_typed_array_alignment: ["%0", "of", "%1", "should be a multiple of", "%3"], invalid_typed_array_alignment: ["%0", "of", "%1", "should be a multiple of", "%3"],
......
...@@ -7263,7 +7263,7 @@ static void JoinSparseArrayWithSeparator(FixedArray* elements, ...@@ -7263,7 +7263,7 @@ static void JoinSparseArrayWithSeparator(FixedArray* elements,
RUNTIME_FUNCTION(MaybeObject*, Runtime_SparseJoinWithSeparator) { RUNTIME_FUNCTION(MaybeObject*, Runtime_SparseJoinWithSeparator) {
SealHandleScope shs(isolate); HandleScope scope(isolate);
ASSERT(args.length() == 3); ASSERT(args.length() == 3);
CONVERT_ARG_CHECKED(JSArray, elements_array, 0); CONVERT_ARG_CHECKED(JSArray, elements_array, 0);
RUNTIME_ASSERT(elements_array->HasFastSmiOrObjectElements()); RUNTIME_ASSERT(elements_array->HasFastSmiOrObjectElements());
...@@ -7323,8 +7323,12 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_SparseJoinWithSeparator) { ...@@ -7323,8 +7323,12 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_SparseJoinWithSeparator) {
} }
} }
if (overflow) { if (overflow) {
// Throw OutOfMemory exception for creating too large a string. // Throw an exception if the resulting string is too large. See
V8::FatalProcessOutOfMemory("Array join result too large."); // https://code.google.com/p/chromium/issues/detail?id=336820
// for details.
return isolate->Throw(*isolate->factory()->
NewRangeError("invalid_string_length",
HandleVector<Object>(NULL, 0)));
} }
if (is_ascii) { if (is_ascii) {
......
// Copyright 2014 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
assertThrows((function() {
s = "Hello World!\n";
while (true) {
x = new Array();
x[0] = s;
x[1000] = s;
x[1000000] = s;
s = x.join("::");
}}), RangeError);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment