tyler.durden/test262
1
0
Fork 0
mirror of https://github.com/tc39/test262.git synced 2025-10-30 11:13:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
test262/implementation-contributed/v8/mjsunit/regress/regress-670671.js
test262-automation 7298a38552 [v8-test262-automation] Updated curation log with latest revision sha's from export and changed files. 
sourceRevisionAtLastExport: 33f2fb0e53d135f0ee17cfccd9d993eb2a6f47de targetRevisionAtLastExport: 31340cbd9add103f586d501b0c3354b7b182abc0
2018-09-14 12:32:18 -04:00

24 lines
833 B
JavaScript
Raw Blame History

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Trigger an infinite loop through RegExp.prototype[@@match], which results
// in unbounded growth of the results array.
// Limit the number of iterations to avoid OOM while still triggering large
// object space allocation.
const min_ptr_size = 4;
const max_regular_heap_object_size = 507136;
const num_iterations = max_regular_heap_object_size / min_ptr_size;
let i = 0;
const re = /foo.bar/;
const RegExpPrototypeExec = RegExp.prototype.exec;
re.exec = (str) => {
return (i++ < num_iterations) ? RegExpPrototypeExec.call(re, str) : null;
};
re.__defineGetter__("global", () => true); // Triggers infinite loop.
"foo*bar".match(re); // Should not crash.
Reference in New Issue View Git Blame Copy Permalink