1. 27 Oct, 2020 1 commit
    • Fix crash in JSPromise::Resolve when 'then' getter is terminating · 4c28563b
      Simon Zünd authored
      The crash scenario is as follows:
        1) Add a getter for 'then' to the Object prototype that is
           considered side-effecting.
        2) Evaluate a simple string using 'REPL' mode with side-effect checks
           enabled.
           Note: REPL mode is not strictly necessary, but it causes a 'then'
           lookup as the evaluation result is not a promise.
        3) Calling the 'then' getter causes a termination exception, due
           to the side-effect check. JSPromise::Resolve then tries to
           put the termination exception as the reject reason, which causes
           a CHECK failure.
      
      The solution is to check for termination in the "abrupt completion"
      case when 'then' was retrieved.
      
      Bug: chromium:1140845
      Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283
      Reviewed-by: Yang Guo <yangguo@chromium.org>
      Reviewed-by: Camillo Bruni <cbruni@chromium.org>
      Commit-Queue: Simon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#70785}