Commit 18dc491c authored by Caitlin Potter, committed by Commit Bot

[builtins] abort FrameFunctionIterator::next if frame summary empty

Previously, FrameFunctionIterator::next() assumed that the frame summary
was non-empty. It's now possible for the list to be empty if the
JS microtask pump invokes a builtin function which uses
FrameFunctionIterator directly. While this is unlikely to show up in
real world code, it is necessary to handle it to prevent crashes.

BUG=chromium:794744
R=mstarzinger@chromium.org, cbruni@chromium.org, verwaest@chromium.org

Change-Id: Ie95c2228544f57730d1c6c1ff955b2c94ff1c06b
Reviewed-on: https://chromium-review.googlesource.com/833266
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#50221}
parent 17a6ec1b
...@@ -952,16 +952,17 @@ class FrameFunctionIterator { ...@@ -952,16 +952,17 @@ class FrameFunctionIterator {
private: private:
MaybeHandle<JSFunction> next() { MaybeHandle<JSFunction> next() {
while (true) { while (true) {
inlined_frame_index_--; if (inlined_frame_index_ <= 0) {
if (inlined_frame_index_ == -1) {
if (!frame_iterator_.done()) { if (!frame_iterator_.done()) {
frame_iterator_.Advance(); frame_iterator_.Advance();
frames_.clear(); frames_.clear();
inlined_frame_index_ = -1;
GetFrames(); GetFrames();
} }
if (inlined_frame_index_ == -1) return MaybeHandle<JSFunction>(); if (inlined_frame_index_ == -1) return MaybeHandle<JSFunction>();
inlined_frame_index_--;
} }
--inlined_frame_index_;
Handle<JSFunction> next_function = Handle<JSFunction> next_function =
frames_[inlined_frame_index_].AsJavaScript().function(); frames_[inlined_frame_index_].AsJavaScript().function();
// Skip functions from other origins. // Skip functions from other origins.
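Review bot: The early return on the `if (inlined_frame_index_ == -1) return MaybeHandle<JSFunction>();` line only covers the case where GetFrames() leaves the index at the freshly reset -1; if GetFrames() (not in this hunk) assigns `frames_.size()` even for an empty summary, the index becomes 0, the check passes, the new `--inlined_frame_index_;` yields -1 and `frames_[inlined_frame_index_]` on the following line is indexed out of range. Matching the check to the new entry condition closes that gap regardless of how GetFrames() behaves: `if (inlined_frame_index_ <= 0) return MaybeHandle<JSFunction>();`. Whether that path is reachable depends on GetFrames()'s body, which lies outside the hunk, so this is a defensive tightening rather than a confirmed defect. A short comment on the added reset, `// Reset so an empty summary is detected by the check below.`, would also make the intent of `inlined_frame_index_ = -1;` clear to the next reader. The body of next() continues past the end of the hunk.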
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Object.getOwnPropertyDescriptors loads %FunctionPrototype%.caller, an
// accessor property which inspects the current callstack. Verify that this
// callstack iteration doesn't crash when there are no JS frames on the stack.
Promise.resolve(function () {}).then(Object.getOwnPropertyDescriptors);