[debug] Bail out for non-JSFunctions passed to ScopeIterator

Bug: v8:7040 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel Change-Id: I537b5d96e8d9275b695a3c56c57899e88b8b199d Reviewed-on: https://chromium-review.googlesource.com/776654 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#49475}

[debug] Bail out for non-JSFunctions passed to ScopeIterator
Bug: v8:7040 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel Change-Id: I537b5d96e8d9275b695a3c56c57899e88b8b199d Reviewed-on: https://chromium-review.googlesource.com/776654 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#49475}
e7551913 · jgruber · Jakob Gruber · 11c55d9c · e7551913 · e7551913
Commit e7551913 authored Nov 20, 2017 by jgruber Committed by Jakob Gruber Nov 20, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 7 deletions

debug-scope-iterator.cc src/debug/debug-scope-iterator.cc +13 -4

v8-debugger.cc src/inspector/v8-debugger.cc +1 -3

No files found.
--- a/src/debug/debug-scope-iterator.cc
+++ b/src/debug/debug-scope-iterator.cc
@@ -15,13 +15,22 @@ namespace v8 {

 std::unique_ptr<debug::ScopeIterator> debug::ScopeIterator::CreateForFunction(
    v8::Isolate* v8_isolate, v8::Local<v8::Function> v8_func) {
-  internal::Handle<internal::JSFunction> func =
-      internal::Handle<internal::JSFunction>::cast(Utils::OpenHandle(*v8_func));
+  internal::Handle<internal::JSReceiver> receiver =
+      internal::Handle<internal::JSReceiver>::cast(Utils::OpenHandle(*v8_func));
+
+  // Besides JSFunction and JSBoundFunction, {v8_func} could be an
+  // ObjectTemplate with a CallAsFunctionHandler. We only handle plain
+  // JSFunctions.
+  if (!receiver->IsJSFunction()) return nullptr;
+
+  internal::Handle<internal::JSFunction> function =
+      internal::Handle<internal::JSFunction>::cast(receiver);
+
  // Blink has function objects with callable map, JS_SPECIAL_API_OBJECT_TYPE
  // but without context on heap.
-  if (!func->has_context()) return nullptr;
+  if (!function->has_context()) return nullptr;
  return std::unique_ptr<debug::ScopeIterator>(new internal::DebugScopeIterator(
-      reinterpret_cast<internal::Isolate*>(v8_isolate), func));
+      reinterpret_cast<internal::Isolate*>(v8_isolate), function));
 }

 std::unique_ptr<debug::ScopeIterator>

--- a/src/inspector/v8-debugger.cc
+++ b/src/inspector/v8-debugger.cc
@@ -680,10 +680,8 @@ v8::MaybeLocal<v8::Array> V8Debugger::internalProperties(
  }
  if (value->IsFunction()) {
    v8::Local<v8::Function> function = value.As<v8::Function>();
-    v8::Local<v8::Value> boundFunction = function->GetBoundFunction();
    v8::Local<v8::Value> scopes;
-    if (boundFunction->IsUndefined() &&
-        functionScopes(context, function).ToLocal(&scopes)) {
+    if (functionScopes(context, function).ToLocal(&scopes)) {
      createDataProperty(context, properties, properties->Length(),
                         toV8StringInternalized(m_isolate, "[[Scopes]]"));
      createDataProperty(context, properties, properties->Length(), scopes);