Fix crash from turning on DevTools in the middle of catch prediction

If DevTools is turned on in the middle of doing some things with async functions, then more items may be popped from the Promise stack than were pushed to it. In this sort of case, it's OK to have a catch misprediction, but a crash is unacceptable. This patch defensively handles this edge case where the Promise stack is unexpectedly empty for that reason. BUG=v8:5167 Review-Url: https://codereview.chromium.org/2361333003 Cr-Commit-Position: refs/heads/master@{#39705}

Fix crash from turning on DevTools in the middle of catch prediction
If DevTools is turned on in the middle of doing some things with async functions, then more items may be popped from the Promise stack than were pushed to it. In this sort of case, it's OK to have a catch misprediction, but a crash is unacceptable. This patch defensively handles this edge case where the Promise stack is unexpectedly empty for that reason. BUG=v8:5167 Review-Url: https://codereview.chromium.org/2361333003 Cr-Commit-Position: refs/heads/master@{#39705}
cd049c2c · littledan · Commit bot · 900920df · cd049c2c · cd049c2c
Commit cd049c2c authored Sep 24, 2016 by littledan Committed by Commit bot Sep 24, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 1 deletion

isolate.cc src/isolate.cc +4 -1

async-debug-caught-exception.js test/mjsunit/harmony/async-debug-caught-exception.js +21 -0

No files found.
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -1751,13 +1751,16 @@ Handle<Object> Isolate::GetPromiseOnStackOnThrow() {
        }
        return retval;
      case HandlerTable::PROMISE:
-        return promise_on_stack->promise();
+        return promise_on_stack
+                   ? Handle<Object>::cast(promise_on_stack->promise())
+                   : undefined;
      case HandlerTable::ASYNC_AWAIT: {
        // If in the initial portion of async/await, continue the loop to pop up
        // successive async/await stack frames until an asynchronous one with
        // dependents is found, or a non-async stack frame is encountered, in
        // order to handle the synchronous async/await catch prediction case:
        // assume that async function calls are awaited.
+        if (!promise_on_stack) return retval;
        retval = promise_on_stack->promise();
        if (PromiseHasUserDefinedRejectHandler(retval)) {
          return retval;

--- a/test/mjsunit/harmony/async-debug-caught-exception.js
+++ b/test/mjsunit/harmony/async-debug-caught-exception.js
@@ -121,3 +121,24 @@ assertNull(exception);

 Debug.clearBreakOnUncaughtException();
 Debug.setListener(null);
+
+// If devtools is turned on in the middle, then catch prediction
+// could be wrong (here, it mispredicts the exception as caught),
+// but shouldn't crash.
+
+log = [];
+
+var resolve;
+var turnOnListenerPromise = new Promise(r => resolve = r);
+async function confused() {
+  await turnOnListenerPromise;
+  throw foo
+}
+confused();
+Promise.resolve().then(() => {
+  Debug.setListener(listener);
+  Debug.setBreakOnUncaughtException();
+  resolve();
+});
+
+assertEquals([], log);