Make %DebugPushPromise more robust wrt fuzzing.

If %DebugPushPromise and throwing is called outside its intended context,
we may encounter assertion failures.

R=hpayer@chromium.org
BUG=401915
LOG=N

Review URL: https://codereview.chromium.org/453933002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/debug.cc b/src/debug.cc
index dec51b9..2ae8630 100644 (file)
--- a/src/debug.cc
+++ b/src/debug.cc
@@ -1316,11 +1316,9 @@ Handle<Object> Debug::GetPromiseOnStackOnThrow() {
       return thread_local_.promise_on_stack_->promise();
     }
     handler = handler->next();
-    // There must be a try-catch handler if a promise is on stack.
-    DCHECK_NE(NULL, handler);
     // Throwing inside a Promise can be intercepted by an inner try-catch, so
     // we stop at the first try-catch handler.
-  } while (!handler->is_catch());
+  } while (handler != NULL && !handler->is_catch());
   return undefined;
 }
 

diff --git a/test/mjsunit/regress/regress-crbug-401915.js b/test/mjsunit/regress/regress-crbug-401915.js
new file mode 100644 (file)
index 0000000..96dce04
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-401915.js
@@ -0,0 +1,20 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-debug-as debug
+
+Debug = debug.Debug;
+Debug.setListener(function() {});
+Debug.setBreakOnException();
+
+try {
+  try {
+    %DebugPushPromise(new Promise(function() {}));
+  } catch (e) {
+  }
+  throw new Error();
+} catch (e) {
+}
+
+Debug.setListener(null);