From 413b20b6c1d6e3666f90a122019f6411823ca459 Mon Sep 17 00:00:00 2001
From: "yangguo@chromium.org"
Date: Mon, 11 Aug 2014 07:59:10 +0000
Subject: [PATCH] Make %DebugPushPromise more robust wrt fuzzing.

If %DebugPushPromise and throwing is called outside its intended context,
we may encounter assertion failures.

R=hpayer@chromium.org
BUG=401915
LOG=N

Review URL: https://codereview.chromium.org/453933002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/debug.cc                                 |  4 +---
 test/mjsunit/regress/regress-crbug-401915.js | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-401915.js

diff --git a/src/debug.cc b/src/debug.cc
index dec51b9..2ae8630 100644
--- a/src/debug.cc
+++ b/src/debug.cc
@@ -1316,11 +1316,9 @@ Handle Debug::GetPromiseOnStackOnThrow() {
       return thread_local_.promise_on_stack_->promise();
     }
     handler = handler->next();
-    // There must be a try-catch handler if a promise is on stack.
-    DCHECK_NE(NULL, handler);
     // Throwing inside a Promise can be intercepted by an inner try-catch, so
     // we stop at the first try-catch handler.
-  } while (!handler->is_catch());
+  } while (handler != NULL && !handler->is_catch());
   return undefined;
 }

diff --git a/test/mjsunit/regress/regress-crbug-401915.js b/test/mjsunit/regress/regress-crbug-401915.js
new file mode 100644
index 0000000..96dce04
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-401915.js
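Review bot: Dropping the DCHECK removes the only explanation of why the handler chain can end before a catch handler, and the new loop condition turns a once-impossible state into a silent one; the hunk should say why NULL is now legitimate. Judging from the regression test, the case is a `promise_on_stack_` entry whose handler was pushed by `%DebugPushPromise` and has since been unwound without a matching pop, so the walk never finds it — please confirm against the push/pop sites. I would replace the deleted comment with `// The promise's handler may already have been unwound (e.g. %DebugPushPromise with no matching pop), so the chain can run out before a catch handler is found; treat that as "no promise".` The fix also leaves the stale entry in place, so every later throw with break-on-exception walks the full chain without a match; if the stale state is reachable outside fuzzing, clearing the entry when the walk hits NULL would be worth considering. GetPromiseOnStackOnThrow begins above the hunk.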
@@ -0,0 +1,20 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-debug-as debug
+
+Debug = debug.Debug;
+Debug.setListener(function() {});
+Debug.setBreakOnException();
+
+try {
+  try {
+    %DebugPushPromise(new Promise(function() {}));
+  } catch (e) {
+  }
+  throw new Error();
+} catch (e) {
+}
+
+Debug.setListener(null);
--
2.7.4
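Review bot: The regression test gives no hint of what it is guarding against, and the two empty catch blocks read like swallowed failures rather than the deliberate setup they are; a short comment above the outer `try` would fix that. Something like `// Push a promise without a matching pop, then throw with break-on-exception set: the debugger's handler walk must not assert when the promise's handler has already been unwound.` captures what the lines show, with the mechanism to be confirmed against debug.cc. The teardown also clears the listener but not `setBreakOnException()`; adding `Debug.clearBreakOnException();` before `Debug.setListener(null);` keeps the test self-contained if the harness ever reuses the isolate.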