Narrowly address async function stack overflow parsing case
This patch just checks for a stack overflow and returns failure
from the cases that Clusterfuzz found. However, there may be
more locations in the parser that need similar treatment.
R=caitpotter88@gmail.com,neis
BUG=v8:4483,chromium:624300
Review-Url: https://codereview.chromium.org/2135503002
Cr-Commit-Position: refs/heads/master@{#37655}
diff --git a/src/parsing/parser.cc b/src/parsing/parser.cc
index 8669b03..4308b33 100644
--- a/src/parsing/parser.cc
+++ b/src/parsing/parser.cc
@@ -1098,8 +1098,14 @@
bool is_async = allow_harmony_async_await() && shared_info->is_async();
if (is_async) {
DCHECK(!scanner()->HasAnyLineTerminatorAfterNext());
- Consume(Token::ASYNC);
- DCHECK(peek_any_identifier() || peek() == Token::LPAREN);
+ if (!Check(Token::ASYNC)) {
+ CHECK(stack_overflow());
+ return nullptr;
+ }
+ if (!(peek_any_identifier() || peek() == Token::LPAREN)) {
+ CHECK(stack_overflow());
+ return nullptr;
+ }
}
// TODO(adamk): We should construct this scope from the ScopeInfo.
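Review bot: The two new bail-outs replace a Consume()/DCHECK pair with fatal CHECK(stack_overflow()) calls, but nothing in the hunk records why a token mismatch at this point can only mean the scanner hit the stack limit, so a reader sees an unconditional release-build crash path with no rationale. A one-line comment above the first check, `// Under stack overflow the scanner no longer yields ASYNC even though shared_info says the function is async; bail out instead of consuming the wrong token (regress-624300.js).`, would preserve that reasoning next to the code. The two blocks are also identical and could be folded into one guard, `if (!Check(Token::ASYNC) || !(peek_any_identifier() || peek() == Token::LPAREN)) { CHECK(stack_overflow()); return nullptr; }`. The DCHECK on HasAnyLineTerminatorAfterNext() still runs before the new guard, so in debug builds a scanner that already overflowed may trip that assertion first; worth confirming against the scanner's behaviour at the limit. The enclosing function starts and ends outside the hunk.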
diff --git a/test/mjsunit/harmony/regress/regress-624300.js b/test/mjsunit/harmony/regress/regress-624300.js
new file mode 100644
index 0000000..f96fbbb
--- /dev/null
+++ b/test/mjsunit/harmony/regress/regress-624300.js
@@ -0,0 +1,13 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-async-await
+
+(function f() {
+ try {
+ f();
+ } catch (e) {
+ (async() => await 1).length;
+ }
+})();
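Review bot: The regression test carries no assertion and no comment saying what it guards, so it only proves that nothing crashes and a reader cannot tell that the interesting part is parsing the async arrow while the stack is nearly exhausted inside the catch block. A comment above the IIFE, `// Regression test for chromium:624300: lazily parsing an async arrow right after the recursion has exhausted the stack must fail cleanly instead of consuming a wrong token.`, would make the intent explicit. Whether the `.length` access is what triggers the lazy parse is not visible from the diff; if it is, the comment should say so, since a future change to function length handling could silently make the test stop exercising the bug.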