OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 // Trigger an infinite loop through RegExp.prototype[@@match], which results |
| 6 // in unbounded growth of the results array. |
| 7 |
| 8 // Limit the number of iterations to avoid OOM while still triggering large |
| 9 // object space allocation. |
| 10 const min_ptr_size = 4; |
| 11 const max_regular_heap_object_size = 507136; |
| 12 const num_iterations = max_regular_heap_object_size / min_ptr_size; |
| 13 |
| 14 const RegExpPrototypeExec = RegExp.prototype.exec; |
| 15 |
| 16 let i = 0; |
| 17 |
| 18 RegExp.prototype.__defineGetter__("global", () => true); |
| 19 RegExp.prototype.exec = function(str) { |
| 20 return (i++ < num_iterations) ? RegExpPrototypeExec.call(this, str) : null; |
| 21 }; |
| 22 |
| 23 "a".match(); |
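Review bot: The hard-coded `max_regular_heap_object_size = 507136` on new line 11 is what pushes the results array into large object space, but nothing ties it to the engine's actual limit. If that limit ever grows, the test would keep passing without exercising the large-object path it was written to cover. A comment such as `// Mirrors the engine's regular heap object size limit at the time of writing; keep in sync.` would make that dependency visible. The result of `"a".match()` on new line 23 is also discarded, so the test only checks that nothing crashes. If the test harness offers an equality assertion, checking that the returned array has `num_iterations` entries (which is what the counter in the patched `exec` should produce) would confirm the overridden `exec` and `global` getter actually drove the loop.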
OLD | NEW |