    Fix crash in JSPromise::Resolve when 'then' getter is terminating · 4c28563b
    Simon Zünd authored
    The crash scenario is as follows:
      1) Add a getter for 'then' to the Object prototype that is
         considered side-effecting.
      2) Evaluate a simple string using 'REPL' mode with side-effect checks
         enabled.
         Note: REPL mode is not strictly necessary, but it causes a 'then'
         lookup as the evaluation result is not a promise.
      3) Calling the 'then' getter causes a termination exception, due
         to the side-effect check. JSPromise::Resolve then tries to
         put the termination exception as the reject reason, which causes
         a CHECK failure.
    
    The solution is to check for termination in the "abrupt completion"
    case when 'then' was retrieved.
    
    Bug: chromium:1140845
    Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283
    Reviewed-by: Yang Guo <yangguo@chromium.org>
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Commit-Queue: Simon Zünd <szuend@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#70785}
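The mechanism the commit message describes can be reproduced in plain script as far as the spec goes: resolving a promise with a non-promise object performs a synchronous `Get(resolution, "then")`, so a getter installed on `Object.prototype` runs, and if it ends abruptly its value becomes the rejection reason. The block below is an added example written for this page, not code from the commit or from V8; the function names are made up for illustration, and an ordinary `Error` stands in for V8's internal termination exception, which script cannot raise.

```javascript
// Added example, not code from the V8 commit: it shows why resolving a promise
// with a plain object reaches a 'then' getter installed on Object.prototype,
// and what the spec's "abrupt completion" path does when that getter throws.
// V8's internal termination exception (raised by the side-effect check) cannot
// be produced from script, so an ordinary Error stands in for it here.

// Install a 'then' getter on Object.prototype that counts its invocations and
// then throws, modelling a side-effecting getter that ends abruptly.
function installThrowingThenGetter() {
  const state = { calls: 0 };
  Object.defineProperty(Object.prototype, 'then', {
    configurable: true,
    get() {
      state.calls += 1;
      throw new Error('then getter rejected the lookup');
    },
  });
  return state;
}

function removeThenGetter() {
  delete Object.prototype.then;
}

// Resolve a promise with `resolution` while the getter is installed, remove
// the getter before anything else can touch it, and report how many times the
// getter ran plus how the promise settled.
async function resolveWhileGetterInstalled(resolution) {
  const state = installThrowingThenGetter();
  let promise;
  try {
    // The resolve function performs Get(resolution, "then") synchronously,
    // but only when `resolution` is an object, so the getter runs here.
    promise = new Promise((resolve) => resolve(resolution));
  } finally {
    removeThenGetter();
  }
  const callsDuringResolve = state.calls;
  try {
    return { status: 'fulfilled', value: await promise, callsDuringResolve };
  } catch (err) {
    return { status: 'rejected', reason: err.message, callsDuringResolve };
  }
}

// A plain object: the getter runs once and its throw becomes the rejection
// reason rather than escaping the resolve step.
function resolveWithPlainObject() {
  return resolveWhileGetterInstalled({ value: 42 });
}

// A primitive: PromiseResolve fulfils it directly and never looks up 'then'.
function resolveWithPrimitive() {
  return resolveWhileGetterInstalled(2);
}

// Stand-alone run: print both outcomes.
Promise.all([resolveWithPlainObject(), resolveWithPrimitive()]).then((r) =>
  console.log(JSON.stringify(r, null, 2))
);
```

The getter is removed inside a `finally` immediately after the `new Promise` call so that nothing else in the process (including the `await` machinery, which resolves the async function's own promise with an object) can trip over it. The object case reports one getter call and a rejection carrying the getter's error; the primitive case reports zero calls and a fulfilment, which is the spec's way of saying that only object results are ever probed for `then`.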
objects.cc 275 KB