Guard against stack overflow in Runtime::StringReplaceOneCharWithString.
author: jarin@chromium.org <jarin@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 12 May 2014 11:36:47 +0000 (11:36 +0000)
committer: jarin@chromium.org <jarin@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 12 May 2014 11:36:47 +0000 (11:36 +0000)
Unfortunately, this only triggers with "ulimit -s 1024" (or less), so we
cannot have an mjsunit test. The test that fails is
test/mjsunit/string-replace-one-char.js on x64.debug.

R=ishell@chromium.org
BUG=

Review URL: https://codereview.chromium.org/264383006

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21262 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/runtime.cc

index acc711b..ec2834e 100644 (file)
@@ -4295,7 +4295,10 @@ MaybeHandle<String> StringReplaceOneCharWithString(Isolate* isolate,
                                                    Handle<String> replace,
                                                    bool* found,
                                                    int recursion_limit) {
-  if (recursion_limit == 0) return MaybeHandle<String>();
+  StackLimitCheck stackLimitCheck(isolate);
+  if (stackLimitCheck.HasOverflowed() || (recursion_limit == 0)) {
+    return MaybeHandle<String>();
+  }
   recursion_limit--;
   if (subject->IsConsString()) {
     ConsString* cons = ConsString::cast(*subject);
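Review bot: the new local `stackLimitCheck` breaks the snake_case convention the surrounding code uses for locals (`recursion_limit`, `cons`); rename it `stack_limit_check`, and drop the redundant parentheses around `recursion_limit == 0`. A one-line comment above the `if` would also help: it is not obvious from the hunk that a stack overflow is deliberately folded into the same empty `MaybeHandle<String>()` return that the `recursion_limit == 0` case already used, rather than being reported as a failure in its own right, so the next reader may assume an error is being swallowed.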