[runtime] set AsyncFunctionNext/Throw to adapt arguments

Prevent crash/UB during stack frame iteration through functions, which occurs when debugging, when building stacktraces, etc. Also prevents these functions from appearing in stacktraces, by unsetting the "native" flag. BUG=v8:4483, v8:5025 R=yangguo@chromium.org, littledan@chromium.org, adamk@chromium.org Review-Url: https://codereview.chromium.org/1990803005 Cr-Commit-Position: refs/heads/master@{#36339}

[runtime] set AsyncFunctionNext/Throw to adapt arguments
Prevent crash/UB during stack frame iteration through functions, which occurs when debugging, when building stacktraces, etc. Also prevents these functions from appearing in stacktraces, by unsetting the "native" flag. BUG=v8:4483, v8:5025 R=yangguo@chromium.org, littledan@chromium.org, adamk@chromium.org Review-Url: https://codereview.chromium.org/1990803005 Cr-Commit-Position: refs/heads/master@{#36339}
f6865cb1 · caitpotter88 · Commit bot · dc37f6e6 · f6865cb1 · f6865cb1
Commit f6865cb1 authored May 18, 2016 by caitpotter88 Committed by Commit bot May 18, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 4 deletions

bootstrapper.cc src/bootstrapper.cc +4 -4

async-debug-basic.js test/mjsunit/harmony/async-debug-basic.js +40 -0

No files found.
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -2466,12 +2466,12 @@ void Bootstrapper::ExportFromRuntime(Isolate* isolate,

      Handle<JSFunction> async_function_next =
          SimpleInstallFunction(container, "AsyncFunctionNext",
-                                Builtins::kGeneratorPrototypeNext, 2, false);
+                                Builtins::kGeneratorPrototypeNext, 1, true);
      Handle<JSFunction> async_function_throw =
          SimpleInstallFunction(container, "AsyncFunctionThrow",
-                                Builtins::kGeneratorPrototypeThrow, 2, false);
-      async_function_next->shared()->set_native(true);
-      async_function_throw->shared()->set_native(true);
+                                Builtins::kGeneratorPrototypeThrow, 1, true);
+      async_function_next->shared()->set_native(false);
+      async_function_throw->shared()->set_native(false);
    }
  }
 }

--- a/test/mjsunit/harmony/async-debug-basic.js
+++ b/test/mjsunit/harmony/async-debug-basic.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags:  --harmony-async-await --allow-natives-syntax --expose-debug-as debug
+
+// Get the Debug object exposed from the debug context global object.
+Debug = debug.Debug
+
+listenerComplete = false;
+breakPointCount = 0;
+
+async function f() {
+  await (async function() { var a = "a"; await 1; debugger; })();
+
+  var b = "b";
+
+  assertTrue(listenerDone);
+  assertFalse(exception);
+  assertEquals(1, breakpointCount);
+}
+
+function listener(event, exec_state, event_data, data) {
+  try {
+    if (event != Debug.DebugEvent.Break) return;
+
+    breakpointCount++;
+    listenerDone = true;
+    assertEquals("a", exec_state.frame(0).evaluate("a"));
+    assertEquals("b", exec_state.frame(1).evaluate("b"));
+    assertEquals("c", exec_state.frame(2).evaluate("c"));
+  } catch (e) {
+    exception = e;
+  };
+};
+
+Debug.setListener(listener);
+
+var c = "c";
+f();