Message formatting: handle unexpected case of failing property lookup.

author yangguo <yangguo@chromium.org>

Mon, 24 Aug 2015 13:40:21 +0000 (06:40 -0700)

committer Commit bot <commit-bot@chromium.org>

Mon, 24 Aug 2015 13:40:27 +0000 (13:40 +0000)
author yangguo <yangguo@chromium.org>
Mon, 24 Aug 2015 13:40:21 +0000 (06:40 -0700)
committer Commit bot <commit-bot@chromium.org>
Mon, 24 Aug 2015 13:40:27 +0000 (13:40 +0000)
diff --git a/src/messages.cc b/src/messages.cc

index fd10d45..a8afa3f 100644 (file)
--- a/src/messages.cc
+++ b/src/messages.cc
@@ -449,6 +449,7 @@ MaybeHandle<String> ErrorToStringHelper::Stringify(Isolate* isolate,
  bool ErrorToStringHelper::ShadowsInternalError(
      Isolate* isolate, LookupIterator* property_lookup,
      LookupIterator* internal_error_lookup) {
+  if (!property_lookup->IsFound()) return false;
    Handle<JSObject> holder = property_lookup->GetHolder<JSObject>();
    // It's fine if the property is defined on the error itself.
    if (holder.is_identical_to(property_lookup->GetReceiver())) return true;
diff --git a/test/mjsunit/regress/regress-crbug-523308.js b/test/mjsunit/regress/regress-crbug-523308.js

new file mode 100644 (file)

index 0000000..5715762
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-523308.js
@@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var error;
+try { reference_error(); } catch (e) { error = e; }
+toString = error.toString;
+error.__proto__ = [];
+assertEquals("ReferenceError: reference_error is not defined",
+             toString.call(error));
author	yangguo <yangguo@chromium.org>
	Mon, 24 Aug 2015 13:40:21 +0000 (06:40 -0700)
committer	Commit bot <commit-bot@chromium.org>
	Mon, 24 Aug 2015 13:40:27 +0000 (13:40 +0000)
src/messages.cc		patch \| blob \| history
test/mjsunit/regress/regress-crbug-523308.js	[new file with mode: 0644]	patch \| blob