From dc9f0d46425b5be5b34e7ed75a4914600bccb04c Mon Sep 17 00:00:00 2001
From: yangguo <yangguo@chromium.org>
Date: Thu, 28 May 2015 00:05:01 -0700
Subject: [PATCH] Throw illegal exception when formatting with invalid template
 index.

R=arv@chromium.org
BUG=chromium:492526
LOG=N

Review URL: https://codereview.chromium.org/1146923004

Cr-Commit-Position: refs/heads/master@{#28671}
---
 src/messages.cc                              | 7 +++----
 test/mjsunit/regress/regress-crbug-492526.js | 7 +++++++
 2 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-492526.js

diff --git a/src/messages.cc b/src/messages.cc
index daf6c82..84ce4c3 100644
--- a/src/messages.cc
+++ b/src/messages.cc
@@ -331,6 +331,7 @@ MaybeHandle<String> MessageTemplate::FormatMessage(int template_index,
                                                    Handle<String> arg0,
                                                    Handle<String> arg1,
                                                    Handle<String> arg2) {
+  Isolate* isolate = arg0->GetIsolate();
   const char* template_string;
   switch (template_index) {
 #define CASE(NAME, STRING)    \
@@ -341,12 +342,10 @@ MaybeHandle<String> MessageTemplate::FormatMessage(int template_index,
 #undef CASE
     case kLastMessage:
     default:
-      UNREACHABLE();
-      template_string = "";
-      break;
+      isolate->ThrowIllegalOperation();
+      return MaybeHandle<String>();
   }
 
-  Isolate* isolate = arg0->GetIsolate();
   IncrementalStringBuilder builder(isolate);
 
   unsigned int i = 0;
diff --git a/test/mjsunit/regress/regress-crbug-492526.js b/test/mjsunit/regress/regress-crbug-492526.js
new file mode 100644
index 0000000..e8ea298
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-492526.js
@@ -0,0 +1,7 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertThrows(function() { %FormatMessageString(-1, "", "", ""); });
-- 
2.7.4