From 511edabed27134e45e17eb098b872d3966e01baa Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org"
Date: Wed, 2 Apr 2014 12:24:42 +0000
Subject: [PATCH] Fix HGraphBuilder::BuildAddStringLengths length == String::kMaxLength is fine and should not bail out.
BUG=chromium:357052
LOG=n
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/222113002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20433 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/hydrogen.cc | 3 ++-
 test/mjsunit/regress/regress-crbug-357052.js | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-357052.js
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 24c2ab4..6587ce9 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -1794,7 +1794,8 @@ HValue* HGraphBuilder::BuildAddStringLengths(HValue* left_length,
 HValue* right_length) {
 // Compute the combined string length and check against max string length.
 HValue* length = AddUncasted(left_length, right_length);
- HValue* max_length = Add(String::kMaxLength);
+ // Check that length <= kMaxLength <=> length < MaxLength + 1.
+ HValue* max_length = Add(String::kMaxLength + 1);
 Add(length, max_length);
 return length;
 }
diff --git a/test/mjsunit/regress/regress-crbug-357052.js b/test/mjsunit/regress/regress-crbug-357052.js
new file mode 100644
index 0000000..9cde1b6
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-357052.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {
+ var str = "";
+ for (var i = 0; i < 30; i++) {
+ str += "abcdefgh12345678" + str;
+ }
+}
+assertThrows(f);
-- 
2.7.4
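Review bot: The `+ 1` on the new `max_length` line makes this guard depend on two invariants the hunk does not state: that `String::kMaxLength + 1` neither overflows nor leaves the range the constant is meant to hold, and that the sum from `AddUncasted(left_length, right_length)` cannot wrap before it is compared. Because this check is what stops generated code from building an over-long string, I would pin the first invariant at compile time next to the constant, for example `STATIC_ASSERT(String::kMaxLength + 1 <= Smi::kMaxValue);`, assuming the length is meant to stay in Smi range (the definition of kMaxLength is not visible here). The added comment also writes `MaxLength + 1` where it means `kMaxLength + 1`. The function's signature begins above the hunk.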
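Review bot: `assertThrows(f)` at the end of the new test accepts any exception, so the test still passes if `f` fails for an unrelated reason, and it never checks the case the fix is about: a concatenation whose result is exactly the maximum length and must succeed. If the expected failure is the invalid-string-length RangeError, `assertThrows(f, RangeError);` would pin it. Nothing visible in the file forces `f` through the optimizing compiler, so whether the patched `BuildAddStringLengths` path is exercised appears to depend on the loop being optimized while it runs; a one-line comment stating that assumption would help.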