Fixed a couple of proxies-related unhandled exceptions.

BUG=chromium:506956, chromium:505907
LOG=N

Review URL: https://codereview.chromium.org/1215463012

Cr-Commit-Position: refs/heads/master@{#29530}

diff --git a/src/objects.cc b/src/objects.cc
index 3734361..874c775 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3999,7 +3999,7 @@ Maybe<PropertyAttributes> JSProxy::GetPropertyAttributesWithHandler(
     Handle<Object> error = isolate->factory()->NewTypeError(
         MessageTemplate::kProxyPropNotConfigurable, handler, name, trap);
     isolate->Throw(*error);
-    return Just(NONE);
+    return Nothing<PropertyAttributes>();
   }
 
   int attributes = NONE;

diff --git a/src/runtime/runtime-scopes.cc b/src/runtime/runtime-scopes.cc
index 700925d..953a09f 100644 (file)
--- a/src/runtime/runtime-scopes.cc
+++ b/src/runtime/runtime-scopes.cc
@@ -230,6 +230,10 @@ RUNTIME_FUNCTION(Runtime_DeclareLookupSlot) {
   BindingFlags binding_flags;
   Handle<Object> holder =
       context->Lookup(name, flags, &index, &attributes, &binding_flags);
+  if (holder.is_null()) {
+    // In case of JSProxy, an exception might have been thrown.
+    if (isolate->has_pending_exception()) return isolate->heap()->exception();
+  }
 
   Handle<JSObject> object;
   Handle<Object> value =
@@ -308,6 +312,10 @@ RUNTIME_FUNCTION(Runtime_InitializeLegacyConstLookupSlot) {
   BindingFlags binding_flags;
   Handle<Object> holder =
       context->Lookup(name, flags, &index, &attributes, &binding_flags);
+  if (holder.is_null()) {
+    // In case of JSProxy, an exception might have been thrown.
+    if (isolate->has_pending_exception()) return isolate->heap()->exception();
+  }
 
   if (index >= 0) {
     DCHECK(holder->IsContext());
@@ -855,6 +863,8 @@ RUNTIME_FUNCTION(Runtime_DeleteLookupSlot) {
 
   // If the slot was not found the result is true.
   if (holder.is_null()) {
+    // In case of JSProxy, an exception might have been thrown.
+    if (isolate->has_pending_exception()) return isolate->heap()->exception();
     return isolate->heap()->true_value();
   }
 
@@ -1009,8 +1019,10 @@ RUNTIME_FUNCTION(Runtime_StoreLookupSlot) {
   BindingFlags binding_flags;
   Handle<Object> holder =
       context->Lookup(name, flags, &index, &attributes, &binding_flags);
-  // In case of JSProxy, an exception might have been thrown.
-  if (isolate->has_pending_exception()) return isolate->heap()->exception();
+  if (holder.is_null()) {
+    // In case of JSProxy, an exception might have been thrown.
+    if (isolate->has_pending_exception()) return isolate->heap()->exception();
+  }
 
   // The property was found in a context slot.
   if (index >= 0) {

diff --git a/test/mjsunit/regress/regress-crbug-505907.js b/test/mjsunit/regress/regress-crbug-505907.js
new file mode 100644 (file)
index 0000000..761261e
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-505907.js
@@ -0,0 +1,12 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-proxies
+
+try {
+  var p = Proxy.create({ getPropertyDescriptor: function() { return [] } });
+  var o = Object.create(p);
+  with (o) { unresolved_name() }
+} catch(e) {
+}

diff --git a/test/mjsunit/regress/regress-crbug-506956.js b/test/mjsunit/regress/regress-crbug-506956.js
new file mode 100644 (file)
index 0000000..5862ddb
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-506956.js
@@ -0,0 +1,12 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-proxies
+
+try {
+  var p = Proxy.create({ getPropertyDescriptor: function() { throw "boom"; } });
+  var o = Object.create(p);
+  with (o) { delete unresolved_name; }
+} catch(e) {
+}