    Fix crash in JSPromise::Resolve when 'then' getter is terminating · 4c28563b
    Simon Zünd authored
    The crash scenario is as follows:
      1) Add a getter for 'then' to the Object prototype that is
         considered side-effecting.
      2) Evaluate a simple string using 'REPL' mode with side-effect checks
         enabled.
         Note: REPL mode is not strictly necessary, but it causes a 'then'
         lookup as the evaluation result is not a promise.
      3) Calling the 'then' getter causes a termination exception, due
         to the side-effect check. JSPromise::Resolve then tries to
         put the termination exception as the reject reason, which causes
         a CHECK failure.
    
    The solution is to check for termination in the "abrupt completion"
    case when 'then' was retrieved.
    
    Bug: chromium:1140845
    Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283
    Reviewed-by: Yang Guo <yangguo@chromium.org>
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Commit-Queue: Simon Zünd <szuend@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#70785}
Name
console
counters
cpu-profiler
debugger
heap-profiler
runtime
runtime-call-stats
sessions
type-profiler
BUILD.gn
DEPS
DIR_METADATA
OWNERS
inspector-test.cc
inspector.status
isolate-data.cc
isolate-data.h
json-parse-expected.txt
json-parse.js
print-method-not-found-expected.txt
print-method-not-found.js
protocol-test.js
task-runner.cc
task-runner.h
testcfg.py
wasm-inspector-test.js