parseStatementListItem needs a stack overflow check
author: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 May 2019 19:40:42 +0000 (19:40 +0000)
committer: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 May 2019 19:40:42 +0000 (19:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=197749
JSTests:

Reviewed by Saam Barati.

* stress/many-nested-functions-parser-stack-overflow.js: Added.

Source/JavaScriptCore:

<rdar://problem/50302697>

Reviewed by Saam Barati.

There currently exists a path in the parser where you can loop
arbitrarily many times without a stack overflow check. This patch
adds a check to parseStatementListItem to break that cycle.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseStatementListItem):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245152 268f45cc-cd09-0410-ab3c-d52691b4dbfc
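The cycle the commit message describes (a statement list whose items can contain function bodies, each of which is again a statement list) is easiest to see in a toy recursive-descent parser. The block below is an added example written for this page, not WebKit or JavaScriptCore code: it mirrors the shape of parseStatementListItem, with a DepthScope counter standing in for the real stack-pointer probe that failIfStackOverflow() performs, and the names Parser, ParseStatus, nestedFunctions and parseWithLimit are assumptions of the example. Without the guard in parseStatementListItem, every extra nesting level adds three C++ frames and nothing bounds the recursion; with it, deep input fails with a status the caller can turn into an error instead of a crash.

```cpp
// Added example for this page (not WebKit/JavaScriptCore code): a toy
// recursive-descent parser for nested "function name() { ... }" bodies.
// Names (Parser, ParseStatus, nestedFunctions, parseWithLimit) are made up.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

enum class ParseStatus { Ok, SyntaxError, StackOverflow };

class Parser {
public:
    Parser(const std::string& src, size_t maxDepth) : m_src(src), m_maxDepth(maxDepth) {}

    ParseStatus parseProgram() {
        ParseStatus st = parseStatementList();
        if (st != ParseStatus::Ok)
            return st;
        skipSpaces();
        return m_pos == m_src.size() ? ParseStatus::Ok : ParseStatus::SyntaxError;
    }

private:
    // RAII depth counter in the spirit of the DepthManager seen in the hunk:
    // the early return taken on overflow still unwinds it correctly.
    struct DepthScope {
        size_t& depth;
        explicit DepthScope(size_t& d) : depth(d) { ++depth; }
        ~DepthScope() { --depth; }
    };

    // Stand-in for failIfStackOverflow(): a bounded depth counter instead of
    // comparing the machine stack pointer against a limit.
    bool canRecurse() const { return m_depth < m_maxDepth; }

    // statementList := item*   (stops at '}' or end of input)
    ParseStatus parseStatementList() {
        for (;;) {
            skipSpaces();
            if (m_pos >= m_src.size() || m_src[m_pos] == '}')
                return ParseStatus::Ok;
            ParseStatus st = parseStatementListItem();
            if (st != ParseStatus::Ok)
                return st;
        }
    }

    // Every nested body re-enters this function through
    // parseFunctionDeclaration -> parseStatementList, so one guard here
    // breaks the otherwise unbounded cycle (same placement as the hunk:
    // increment the depth first, then check).
    ParseStatus parseStatementListItem() {
        DepthScope scope(m_depth);
        if (!canRecurse())
            return ParseStatus::StackOverflow;
        if (m_src.compare(m_pos, 8, "function") == 0)
            return parseFunctionDeclaration();
        return parseSimpleStatement();
    }

    // function := "function" ident "(" ")" "{" statementList "}"
    ParseStatus parseFunctionDeclaration() {
        m_pos += 8;
        skipSpaces();
        if (!consumeIdentifier()) return ParseStatus::SyntaxError;
        skipSpaces();
        if (!consume('(')) return ParseStatus::SyntaxError;
        skipSpaces();
        if (!consume(')')) return ParseStatus::SyntaxError;
        skipSpaces();
        if (!consume('{')) return ParseStatus::SyntaxError;
        ParseStatus st = parseStatementList();
        if (st != ParseStatus::Ok) return st;
        skipSpaces();
        return consume('}') ? ParseStatus::Ok : ParseStatus::SyntaxError;
    }

    // Toy grammar: anything up to the next ';' is a statement.
    ParseStatus parseSimpleStatement() {
        size_t semi = m_src.find(';', m_pos);
        if (semi == std::string::npos) return ParseStatus::SyntaxError;
        m_pos = semi + 1;
        return ParseStatus::Ok;
    }

    bool consume(char c) {
        if (m_pos < m_src.size() && m_src[m_pos] == c) { ++m_pos; return true; }
        return false;
    }
    bool consumeIdentifier() {
        size_t start = m_pos;
        while (m_pos < m_src.size() && (std::isalnum(static_cast<unsigned char>(m_src[m_pos])) || m_src[m_pos] == '_'))
            ++m_pos;
        return m_pos > start;
    }
    void skipSpaces() {
        while (m_pos < m_src.size() && std::isspace(static_cast<unsigned char>(m_src[m_pos])))
            ++m_pos;
    }

    std::string m_src;
    size_t m_pos = 0;
    size_t m_depth = 0;
    size_t m_maxDepth;
};

// Constructed input: n nested function bodies, like the regression test in
// this commit but with matching closing braces, so depth is all that is tested.
std::string nestedFunctions(size_t n) {
    std::string code;
    for (size_t i = 0; i < n; ++i) code += "function f() {\n";
    code += "return 1;\n";
    for (size_t i = 0; i < n; ++i) code += "}\n";
    return code;
}

ParseStatus parseWithLimit(const std::string& src, size_t maxDepth) {
    return Parser(src, maxDepth).parseProgram();
}

int main() {
    std::printf("100 levels, limit 256 -> Ok: %d\n", parseWithLimit(nestedFunctions(100), 256) == ParseStatus::Ok);
    std::printf("300 levels, limit 256 -> StackOverflow: %d\n", parseWithLimit(nestedFunctions(300), 256) == ParseStatus::StackOverflow);
    return 0;
}
```

The limit is on item depth, and the innermost `return 1;` is itself an item one level below the last function body, so with a limit of 256 the deepest accepted input has 254 nested functions; 255 or more fails cleanly with StackOverflow rather than exhausting the native stack.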

JSTests/ChangeLog
JSTests/stress/many-nested-functions-parser-stack-overflow.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/parser/Parser.cpp

index 50c268a..b64bc21 100644 (file)
@@ -1,3 +1,12 @@
+2019-05-09  Keith Miller  <keith_miller@apple.com>
+
+        parseStatementListItem needs a stack overflow check
+        https://bugs.webkit.org/show_bug.cgi?id=197749
+
+        Reviewed by Saam Barati.
+
+        * stress/many-nested-functions-parser-stack-overflow.js: Added.
+
 2019-05-08  Saam barati  <sbarati@apple.com>
 
         AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
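Review bot: the JSTests ChangeLog entry cites only the bugs.webkit.org URL, while the Source/JavaScriptCore entry for the same change also carries the <rdar://problem/50302697> reference; for a crash fix it helps when both entries cite the same bug and radar so the regression test can be traced back from either side.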
diff --git a/JSTests/stress/many-nested-functions-parser-stack-overflow.js b/JSTests/stress/many-nested-functions-parser-stack-overflow.js
new file mode 100644 (file)
index 0000000..ab3c7d9
--- /dev/null
@@ -0,0 +1,13 @@
+var code = "function f1() {\n".repeat(80000); 
+code += code; 
+code += ", x" + -2147483648 + " = " + 1; 
+code += ";\n"; 
+code += "  return 80000;\n"; 
+code += "}\n"; 
+eval(code); 
\ No newline at end of file
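Review bot: the new test says nothing about what it exercises or what outcome counts as passing; as written it passes merely by not crashing, and a reader cannot tell whether eval(code) is expected to throw. Suggest a leading comment naming the bug and the expected behaviour, and an explicit check on the outcome (for example a try/catch around eval that fails the test if the result is not what the fix guarantees) so a future regression that silently changes the behaviour is caught. The `code += code;` line doubles the nesting from 80000 to 160000 levels and the `", x" + -2147483648 + " = " + 1` fragment looks like fuzzer residue; a short comment on why those specific shapes matter would help. Minor: every line carries trailing whitespace, and the file lacks a trailing newline.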
index 211b315..8895238 100644 (file)
@@ -1,5 +1,20 @@
 2019-05-09  Keith Miller  <keith_miller@apple.com>
 
+        parseStatementListItem needs a stack overflow check
+        https://bugs.webkit.org/show_bug.cgi?id=197749
+        <rdar://problem/50302697>
+
+        Reviewed by Saam Barati.
+
+        There currently exists a path in the parser where you can loop
+        arbibrarily many times without a stack overflow check. This patch
+        adds a check to parseStatementListItem to break that cycle.
+
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseStatementListItem):
+
+2019-05-09  Keith Miller  <keith_miller@apple.com>
+
         REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory
         https://bugs.webkit.org/show_bug.cgi?id=197740
 
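Review bot: typo in the description: "arbibrarily" should be "arbitrarily". The entry also says a path exists that loops without a stack check but does not say which one; naming the recursive cycle (the callers that re-enter parseStatementListItem through a nested body) would make the entry self-explanatory to someone reading the log later and would justify why this function, rather than another point on the cycle, received the check.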
index dce4551..a3b851c 100644 (file)
@@ -652,6 +652,7 @@ template <class TreeBuilder> TreeStatement Parser<LexerType>::parseStatementList
     // http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
     DepthManager statementDepth(&m_statementDepth);
     m_statementDepth++;
+    failIfStackOverflow();
     TreeStatement result = 0;
     bool shouldSetEndOffset = true;
     bool shouldSetPauseLocation = false;
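Review bot: placing failIfStackOverflow() after `DepthManager statementDepth(&m_statementDepth);` and `m_statementDepth++;` is sound provided DepthManager restores m_statementDepth in its destructor, as its RAII usage suggests, since the early return the macro takes on overflow then unwinds the depth correctly; it would be worth a one-line comment saying the check is deliberately the first thing that can fail in this function. Because this now runs once per statement list item on every parse, please confirm in the review that the check is the cheap stack-limit comparison and not something heavier, and consider a note that parseStatementListItem is the single entry point of the loop so future refactors keep the guard here.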