Fix stack overflow in parseConditionalExpression

Summary: Both the consequent and alternate are subject to parsing stack overflows, since we call `parseAssignmentExpression` for both of them. However, we currently only check for recursion on the consequent path, which means that something like `a?b:a?b:a...` can cause an overflow. To repro: ``` echo "a" "?b:a"{1..10000} | bin/hermesc -dump-ast - Segmentation fault: 11 ``` Reviewed By: avp Differential Revision: D38667566 fbshipit-source-id: 1cf8364c3b00d7d85bdde6dac37d5159dd25aa5e
ayroblu · Aug 13, 2022 · 29018f8 · 29018f8
1 parent 528af7a
commit 29018f8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/lib/Parser/JSParserImpl.cpp b/lib/Parser/JSParserImpl.cpp
@@ -4223,12 +4223,15 @@ Optional<ESTree::Node *> JSParserImpl::parseConditionalExpression(
   }
 #endif
 
+  // Calls to parseAssignmentExpression may recursively invoke
+  // parseConditionalExpression.
+  CHECK_RECURSION;
+
   // Only try with AllowTypedArrowFunction::No if we haven't already set
   // up the consequent using AllowTypedArrowFunction::Yes.
   if (!consequent) {
     // Consume the '?' (either for the first time or after savePoint.restore()).
     advance();
-    CHECK_RECURSION;
     auto optConsequent = parseAssignmentExpression(
         ParamIn, AllowTypedArrowFunction::No, CoverTypedParameters::No);
     if (!optConsequent)

diff --git a/test/Parser/large-nested-ternary.js b/test/Parser/large-nested-ternary.js
@@ -0,0 +1,11 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: (! echo "a" "?b:a"{1..10000} | %hermesc -dump-ast - 2>&1 ) | %FileCheck -match-full-lines %s
+// RUN: (! echo "a" "?b"{1..10000} | %hermesc -dump-ast - 2>&1 ) | %FileCheck -match-full-lines %s
+
+// CHECK: {{.*}}: error: Too many nested expressions/statements/declarations