From f5c62871b8245c8468e9893795933b7554ee49f9 Mon Sep 17 00:00:00 2001
From: "jarin@chromium.org"
Date: Mon, 12 May 2014 11:36:47 +0000
Subject: [PATCH] Guard against stack overflow in Runtime::StringReplaceOneCharWithString.

Unfortunately, this only triggers with "ulimit -s 1024" (or less), so we cannot have an mjsunit test. The test that fails is test/mjsunit/string-replace-one-char.js on x64.debug.

R=ishell@chromium.org
BUG=

Review URL: https://codereview.chromium.org/264383006

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21262 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/runtime.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/runtime.cc b/src/runtime.cc
index acc711b..ec2834e 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -4295,7 +4295,10 @@ MaybeHandle StringReplaceOneCharWithString(Isolate* isolate,
 Handle replace,
 bool* found,
 int recursion_limit) {
- if (recursion_limit == 0) return MaybeHandle();
+ StackLimitCheck stackLimitCheck(isolate);
+ if (stackLimitCheck.HasOverflowed() || (recursion_limit == 0)) {
+ return MaybeHandle();
+ }
 recursion_limit--;
 if (subject->IsConsString()) {
 ConsString* cons = ConsString::cast(*subject);
-- 
2.7.4
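Review bot: The new guard returns the same empty `MaybeHandle` for two distinct conditions — the isolate's stack limit being reached and the recursion budget running out — and it schedules no exception, so the caller (outside this hunk) presumably has to detect the empty handle itself and decide whether to flatten-and-retry or report a stack overflow; that contract deserves a comment on the guard, e.g. `// Empty handle: no exception is set here, the caller must flatten and retry or report stack overflow.` The local `stackLimitCheck` is camelCase while the neighbouring `recursion_limit` follows the file's snake_case for locals, so `StackLimitCheck check(isolate);` would match the surrounding style. Note that the stack check runs before `recursion_limit--`, so each recursion level pays one limit comparison, which is the intended cost of making the function safe on small stacks. The enclosing function starts at the hunk header's context line and continues past the end of the hunk.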