-
Simon Zünd authored
The crash scenario is as follows: 1) Add a getter for 'then' to the Object prototype that is considered side-effecting. 2) Evaluate a simple string using 'REPL' mode with side-effect checks enabled. Note: REPL mode is not strictly necessary, but it causes a 'then' lookup as the evaluation result is not a promise. 3) Calling the 'then' getter causes a termination exception, due to the side-effect check. JSPromise::Resolve then tries to put the termination exception as the reject reason, which causes a CHECK failure. The solution is to check for termination in the "abrupt completion" case when 'then' was retrieved. Bug: chromium:1140845 Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283Reviewed-by:Yang Guo <yangguo@chromium.org> Reviewed-by:
Camillo Bruni <cbruni@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#70785}
4c28563b
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| benchmarks | ||
| cctest | ||
| common | ||
| debugger | ||
| debugging | ||
| fuzzer | ||
| fuzzilli | ||
| inspector | ||
| intl | ||
| js-perf-test | ||
| memory | ||
| message | ||
| mjsunit | ||
| mkgrokdump | ||
| mozilla | ||
| test262 | ||
| torque | ||
| unittests | ||
| wasm-api-tests | ||
| wasm-js | ||
| wasm-spec-tests | ||
| webkit | ||
| BUILD.gn | ||
| OWNERS |