[debug] Fix catch prediction for optimized frames

Catch prediction for optimized frames had two issues:

Inlined frames were iterated from caller-to-callee (which could
result in incorrect predictions if one frame predicted CAUGHT and
another predicted PROMISE).

When encountering a builtin frame, we'd unconditionally return its
prediction (which is wrong if it predicted UNCAUGHT and another inlined
frame predicted either CAUGHT or PROMISE).

This CL fixes both issues and refactors the function to reduce nesting.

BUG=v8:6536

Change-Id: I764a4ec033e4476bd840134b5eacfe0e08b3c1a4
Reviewed-on: https://chromium-review.googlesource.com/555519
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46358}

src/isolate.cc

@@ -1374,10 +1374,13 @@ HandlerTable::CatchPrediction PredictException(JavaScriptFrame* frame) {
       // tables on the unoptimized code objects.
       List<FrameSummary> summaries;
       frame->Summarize(&summaries);
-      for (const FrameSummary& summary : summaries) {
+      for (int i = summaries.length() - 1; i >= 0; i--) {
+        const FrameSummary& summary = summaries[i];
         Handle<AbstractCode> code = summary.AsJavaScript().abstract_code();
         if (code->IsCode() && code->kind() == AbstractCode::BUILTIN) {
-          return code->GetCode()->GetBuiltinCatchPrediction();
+          prediction = code->GetCode()->GetBuiltinCatchPrediction();
+          if (prediction == HandlerTable::UNCAUGHT) continue;
+          return prediction;
         }
 
         if (code->kind() == AbstractCode::OPTIMIZED_FUNCTION) {