[wasm] Check the result of Promise::Resolver

We check that if we do not get a result, or if we get a negative result, then there has to be a scheduled exception. R=clemensh@chromium.org TEST=mjsunit/regress/wasm/regression-704127 BUG=chromium:704127 Change-Id: I3fef3cc02f685a9cbc3f10203e2a59b61b3702d5 Reviewed-on: https://chromium-review.googlesource.com/458282Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#44144}

[wasm] Check the result of Promise::Resolver
We check that if we do not get a result, or if we get a negative result, then there has to be a scheduled exception. R=clemensh@chromium.org TEST=mjsunit/regress/wasm/regression-704127 BUG=chromium:704127 Change-Id: I3fef3cc02f685a9cbc3f10203e2a59b61b3702d5 Reviewed-on: https://chromium-review.googlesource.com/458282Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#44144}
6ad5ca59 · Andreas Haas · Commit Bot · 3d82e557 · 6ad5ca59 · 6ad5ca59
Commit 6ad5ca59 authored Mar 27, 2017 by Andreas Haas Committed by Commit Bot Mar 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 8 deletions

wasm-js.cc src/wasm/wasm-js.cc +12 -6

wasm-module.cc src/wasm/wasm-module.cc +2 -2

regression-704127.js test/mjsunit/regress/wasm/regression-704127.js +15 -0

No files found.
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -192,7 +192,8 @@ void WebAssemblyCompile(const v8::FunctionCallbackInfo<v8::Value>& args) {
  auto bytes = GetFirstArgumentAsBytes(args, &thrower);
  if (!IsCompilationAllowed(i_isolate, &thrower, args[0], true)) {
    auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
-    CHECK(!maybe.IsNothing());
+    CHECK_IMPLIES(!maybe.FromMaybe(false),
+                  i_isolate->has_scheduled_exception());
    return;
  }
  DCHECK(!thrower.error());
@@ -347,7 +348,8 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {
        "Argument 0 must be provided and must be either a buffer source or a "
        "WebAssembly.Module object");
    auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
-    CHECK(!maybe.IsNothing());
+    CHECK_IMPLIES(!maybe.FromMaybe(false),
+                  i_isolate->has_scheduled_exception());
    return;
  }
@@ -356,20 +358,23 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {
    thrower.TypeError(
        "Argument 0 must be a buffer source or a WebAssembly.Module object");
    auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
-    CHECK(!maybe.IsNothing());
+    CHECK_IMPLIES(!maybe.FromMaybe(false),
+                  i_isolate->has_scheduled_exception());
    return;
  }
  auto maybe_imports = GetSecondArgumentAsImports(args, &thrower);
  if (thrower.error()) {
    auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
-    CHECK(!maybe.IsNothing());
+    CHECK_IMPLIES(!maybe.FromMaybe(false),
+                  i_isolate->has_scheduled_exception());
    return;
  }
  if (!IsInstantiationAllowed(i_isolate, &thrower, args[0], maybe_imports,
                              true)) {
    auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
-    CHECK(!maybe.IsNothing());
+    CHECK_IMPLIES(!maybe.FromMaybe(false),
+                  i_isolate->has_scheduled_exception());
    return;
  }
  i::Handle<i::JSPromise> promise = Utils::OpenHandle(*resolver->GetPromise());
@@ -383,7 +388,8 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {
    auto bytes = GetFirstArgumentAsBytes(args, &thrower);
    if (thrower.error()) {
      auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
-      CHECK(!maybe.IsNothing());
+      CHECK_IMPLIES(!maybe.FromMaybe(false),
+                    i_isolate->has_scheduled_exception());
      return;
    }
    i::wasm::AsyncCompileAndInstantiate(i_isolate, promise, bytes,

--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@@ -2875,7 +2875,7 @@ void RejectPromise(Isolate* isolate, ErrorThrower* thrower,
  Handle<Context> context(isolate->context(), isolate);
  auto maybe = resolver->Reject(v8::Utils::ToLocal(context),
                   v8::Utils::ToLocal(thrower->Reify()));
-  CHECK(!maybe.IsNothing());
+  CHECK_IMPLIES(!maybe.FromMaybe(false), isolate->has_scheduled_exception());
 }
 void ResolvePromise(Isolate* isolate, Handle<JSPromise> promise,
@@ -2885,7 +2885,7 @@ void ResolvePromise(Isolate* isolate, Handle<JSPromise> promise,
  Handle<Context> context(isolate->context(), isolate);
  auto maybe = resolver->Resolve(v8::Utils::ToLocal(context),
                                 v8::Utils::ToLocal(result));
-  CHECK(!maybe.IsNothing());
+  CHECK_IMPLIES(!maybe.FromMaybe(false), isolate->has_scheduled_exception());
 }
 }  // namespace

--- a/test/mjsunit/regress/wasm/regression-704127.js
+++ b/test/mjsunit/regress/wasm/regression-704127.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+assertThrows( () => {
+var v4 = {};
+Object.prototype.__defineGetter__(0, function() {
+this[0] = 1;
+})
+Object.prototype.__defineSetter__(0, function() {
+    WebAssembly.compile();
+this[0] = v4;
+});
+ v14 = new Intl.Collator();
+var v34 = eval("");}, RangeError);