[stubs] Properly handle length overflow in StringAddStub.

Using the Hydrogen code stub bailout mechanism is not correct for the string length overflow check in the StringAddStub. Instead make sure we just throw the proper exception. R=mstarzinger@chromium.org BUG=chromium:627934 Review-Url: https://codereview.chromium.org/2146353002 Cr-Commit-Position: refs/heads/master@{#37758}

[stubs] Properly handle length overflow in StringAddStub.
Using the Hydrogen code stub bailout mechanism is not correct for the string length overflow check in the StringAddStub. Instead make sure we just throw the proper exception. R=mstarzinger@chromium.org BUG=chromium:627934 Review-Url: https://codereview.chromium.org/2146353002 Cr-Commit-Position: refs/heads/master@{#37758}
6530a16e · bmeurer · Commit bot · 8226c88b · 6530a16e · 6530a16e
Commit 6530a16e authored Jul 14, 2016 by bmeurer Committed by Commit bot Jul 14, 2016
4 changed files
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -2413,7 +2413,20 @@ HValue* HGraphBuilder::BuildAddStringLengths(HValue* left_length,
  HValue* length = AddUncasted<HAdd>(left_length, right_length);
  // Check that length <= kMaxLength <=> length < MaxLength + 1.
  HValue* max_length = Add<HConstant>(String::kMaxLength + 1);
-  Add<HBoundsCheck>(length, max_length);
+  if (top_info()->IsStub()) {
+    // This is a mitigation for crbug.com/627934; the real fix
+    // will be to migrate the StringAddStub to TurboFan one day.
+    IfBuilder if_invalid(this);
+    if_invalid.If<HCompareNumericAndBranch>(length, max_length, Token::GT);
+    if_invalid.Then();
+    {
+      Add<HCallRuntime>(
+          Runtime::FunctionForId(Runtime::kThrowInvalidStringLength), 0);
+    }
+    if_invalid.End();
+  } else {
+    Add<HBoundsCheck>(length, max_length);
+  }
  return length;
 }


--- a/src/runtime/runtime-internal.cc
+++ b/src/runtime/runtime-internal.cc
@@ -230,6 +230,12 @@ RUNTIME_FUNCTION(Runtime_ThrowIncompatibleMethodReceiver) {
      NewTypeError(MessageTemplate::kIncompatibleMethodReceiver, arg0, arg1));
 }

+RUNTIME_FUNCTION(Runtime_ThrowInvalidStringLength) {
+  HandleScope scope(isolate);
+  THROW_NEW_ERROR_RETURN_FAILURE(
+      isolate, NewRangeError(MessageTemplate::kInvalidStringLength));
+}
+
 RUNTIME_FUNCTION(Runtime_ThrowIteratorResultNotAnObject) {
  HandleScope scope(isolate);
  DCHECK(args.length() == 1);

--- a/src/runtime/runtime.h
+++ b/src/runtime/runtime.h
@@ -292,6 +292,7 @@ namespace internal {
  F(ThrowCannotConvertToPrimitive, 0, 1)            \
  F(ThrowIllegalInvocation, 0, 1)                   \
  F(ThrowIncompatibleMethodReceiver, 2, 1)          \
+  F(ThrowInvalidStringLength, 0, 1)                 \
  F(ThrowIteratorResultNotAnObject, 1, 1)           \
  F(ThrowNotGeneric, 1, 1)                          \
  F(ThrowGeneratorRunning, 0, 1)                    \

--- a/test/mjsunit/regress/regress-crbug-627934.js
+++ b/test/mjsunit/regress/regress-crbug-627934.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var x = "1".repeat(32 * 1024 * 1024);
+for (var z = x;;) {
+  try {
+    z += {toString: function() { return x; }};
+  } catch (e) {
+    break;
+  }
+}