Fix the Context used for Promise-Reject exceptions

When a Promise-Reject handler throws an unhandled exception, we should
use that promise's context for reporting the exception to the runtime.
This avoids a null-pointer deref.

Fixed: chromium:1263994
Change-Id: I3792a1884af4a83991249d612caf15588ea77dad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3250912
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77652}

src/builtins/builtins-microtask-queue-gen.cc

@@ -331,7 +331,7 @@ void MicrotaskQueueBuiltinsAssembler::RunSingleMicrotask(
   BIND(&if_exception);
   {
     // Report unhandled exceptions from microtasks.
-    CallRuntime(Runtime::kReportMessageFromMicrotask, current_context,
+    CallRuntime(Runtime::kReportMessageFromMicrotask, GetCurrentContext(),
                 var_exception.value());
     RewindEnteredContext(saved_entered_context_count);
     SetCurrentContext(current_context);

test/mjsunit/regress/regress-crbug-1263994.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function main() {
+  // This isn't really a Wasm-related test (so doesn't belong in regress/wasm/),
+  // but it does use WebAssembly.instantiate to trigger the original issue.
+  if (typeof WebAssembly === 'undefined') return;
+
+  Object.defineProperty(Promise, Symbol.species, {
+    value: function (f) {
+      f(() => { throw 111}, () => { throw 222});
+    }
+  });
+  const promise = WebAssembly.instantiate(new ArrayBuffer(0x10));
+  promise.then();
+}
+main();