[keys] Handle RangeError in GetKeysWithPrototypeInfoCache

Drive-by-fix: Add V8_WARN_UNUSED_RESULT to MaybeHandle::ToHandle

Bug: chromium:1057653
Change-Id: I2834806ca498a2fa43a64f5391606cdbfb4af4fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2084814Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66582}

src/handles/maybe-handles.h

@@ -50,7 +50,7 @@ class MaybeHandle final {
 
   // Convert to a Handle with a type that can be upcasted to.
   template <typename S>
-  V8_INLINE bool ToHandle(Handle<S>* out) const {
+  V8_WARN_UNUSED_RESULT V8_INLINE bool ToHandle(Handle<S>* out) const {
     if (location_ == nullptr) {
       *out = Handle<T>::null();
       return false;

src/objects/keys.cc

@@ -572,15 +572,17 @@ MaybeHandle<FixedArray> FastKeyAccumulator::GetKeysWithPrototypeInfoCache(
     GetKeysConversion keys_conversion) {
   Handle<FixedArray> own_keys;
   if (may_have_elements_) {
+    MaybeHandle<FixedArray> maybe_own_keys;
     if (receiver_->map().is_dictionary_map()) {
-      GetOwnKeysWithElements<false>(isolate_, Handle<JSObject>::cast(receiver_),
-                                    keys_conversion, skip_indices_)
-          .ToHandle(&own_keys);
+      maybe_own_keys = GetOwnKeysWithElements<false>(
+          isolate_, Handle<JSObject>::cast(receiver_), keys_conversion,
+          skip_indices_);
     } else {
-      GetOwnKeysWithElements<true>(isolate_, Handle<JSObject>::cast(receiver_),
-                                   keys_conversion, skip_indices_)
-          .ToHandle(&own_keys);
+      maybe_own_keys = GetOwnKeysWithElements<true>(
+          isolate_, Handle<JSObject>::cast(receiver_), keys_conversion,
+          skip_indices_);
     }
+    ASSIGN_RETURN_ON_EXCEPTION(isolate_, own_keys, maybe_own_keys, FixedArray);
   } else {
     own_keys = KeyAccumulator::GetOwnEnumPropertyKeys(
         isolate_, Handle<JSObject>::cast(receiver_));

src/objects/objects.cc

@@ -6092,17 +6092,18 @@ Handle<Object> JSPromise::TriggerPromiseReactions(Isolate* isolate,
       secondary_handler = handle(reaction->fulfill_handler(), isolate);
     }
 
+    bool has_handler_context = false;
     if (primary_handler->IsJSReceiver()) {
-      JSReceiver::GetContextForMicrotask(
-          Handle<JSReceiver>::cast(primary_handler))
-          .ToHandle(&handler_context);
+      has_handler_context = JSReceiver::GetContextForMicrotask(
+                                Handle<JSReceiver>::cast(primary_handler))
+                                .ToHandle(&handler_context);
     }
-    if (handler_context.is_null() && secondary_handler->IsJSReceiver()) {
-      JSReceiver::GetContextForMicrotask(
-          Handle<JSReceiver>::cast(secondary_handler))
-          .ToHandle(&handler_context);
+    if (!has_handler_context && secondary_handler->IsJSReceiver()) {
+      has_handler_context = JSReceiver::GetContextForMicrotask(
+                                Handle<JSReceiver>::cast(secondary_handler))
+                                .ToHandle(&handler_context);
     }
-    if (handler_context.is_null()) handler_context = isolate->native_context();
+    if (!has_handler_context) handler_context = isolate->native_context();
 
     STATIC_ASSERT(
         static_cast<int>(PromiseReaction::kSize) ==

test/cctest/compiler/test-run-jsobjects.cc

@@ -14,8 +14,8 @@ namespace compiler {
 TEST(ArgumentsMapped) {
   FunctionTester T("(function(a) { return arguments; })");
 
-  Handle<Object> arguments;
-  T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandle(&arguments);
+  Handle<Object> arguments =
+      T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandleChecked();
   CHECK(arguments->IsJSObject() && !arguments->IsJSArray());
   CHECK(JSObject::cast(*arguments).HasSloppyArgumentsElements());
   Handle<String> l = T.isolate->factory()->length_string();
@@ -28,8 +28,8 @@ TEST(ArgumentsMapped) {
 TEST(ArgumentsUnmapped) {
   FunctionTester T("(function(a) { 'use strict'; return arguments; })");
 
-  Handle<Object> arguments;
-  T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandle(&arguments);
+  Handle<Object> arguments =
+      T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandleChecked();
   CHECK(arguments->IsJSObject() && !arguments->IsJSArray());
   CHECK(!JSObject::cast(*arguments).HasSloppyArgumentsElements());
   Handle<String> l = T.isolate->factory()->length_string();
@@ -42,8 +42,8 @@ TEST(ArgumentsUnmapped) {
 TEST(ArgumentsRest) {
   FunctionTester T("(function(a, ...args) { return args; })");
 
-  Handle<Object> arguments;
-  T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandle(&arguments);
+  Handle<Object> arguments =
+      T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandleChecked();
   CHECK(arguments->IsJSObject() && arguments->IsJSArray());
   CHECK(!JSObject::cast(*arguments).HasSloppyArgumentsElements());
   Handle<String> l = T.isolate->factory()->length_string();

test/cctest/heap/test-heap.cc

@@ -5709,8 +5709,7 @@ TEST(Regress631969) {
 
   // Allocate a cons string and promote it to a fresh page in the old space.
   heap::SimulateFullSpace(heap->old_space());
-  Handle<String> s3;
-  factory->NewConsString(s1, s2).ToHandle(&s3);
+  Handle<String> s3 = factory->NewConsString(s1, s2).ToHandleChecked();
   CcTest::CollectGarbage(NEW_SPACE);
   CcTest::CollectGarbage(NEW_SPACE);
 

test/mjsunit/regress/regress-crbug-1057653.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Object.prototype.length = 3642395160;
+const array = new Float32Array(2**28);
+
+assertThrows(() => {for (const key in array) {}}, RangeError);