[inspector] Fix crash when building preview with a proxy prototype

This CL fixes a CHECK that checks the wrong thing. Specifically when we `Advance` the debug::PropertyIterator it can throw an exception. We have a CHECK that verifies that a corresponding v8::TryCatch catches the exception when the return value indicates this. Unfortunately, the CHECK was looking at the wrong v8::TryCatch scope. R=jarin@chromium.org Bug: chromium:1353051 Change-Id: Ic52e4efd44b89f8e4d1f6acace234c6065e081cb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829543 Commit-Queue: Simon Zünd <szuend@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/main@{#82489}
2022-08-16 14:10:23 +02:00 · 2022-08-16 14:10:23 +02:00 · fb8bda3a85
commit fb8bda3a85
parent 6a9c2bec2d
3 changed files with 35 additions and 1 deletions
--- a/src/inspector/value-mirror.cc
+++ b/src/inspector/value-mirror.cc
@ -1485,7 +1485,7 @@ bool ValueMirror::getProperties(v8::Local<v8::Context> context,
    if (!accumulator->Add(std::move(mirror))) return true;

    if (!iterator->Advance().FromMaybe(false)) {
-      CHECK(tryCatch.HasCaught());
+      CHECK(tryCatchAttributes.HasCaught());
      return false;
    }
  }
--- a/test/inspector/regress/regress-crbug-1353051-expected.txt
+++ b/test/inspector/regress/regress-crbug-1353051-expected.txt
@ -0,0 +1,16 @@
+Don't crash when building a preview with a revoked proxy prototype
+{
+    className : Array
+    description : Array(0)
+    objectId : <objectId>
+    preview : {
+        description : Array(0)
+        overflow : false
+        properties : [
+        ]
+        subtype : array
+        type : object
+    }
+    subtype : array
+    type : object
+}
--- a/test/inspector/regress/regress-crbug-1353051.js
+++ b/test/inspector/regress/regress-crbug-1353051.js
@ -0,0 +1,18 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const { Protocol } = InspectorTest.start('Don\'t crash when building a preview with a revoked proxy prototype');
+
+(async () => {
+  const { result: { result } } = await Protocol.Runtime.evaluate({
+    expression: `
+      const {proxy, revoke} = Proxy.revocable({}, {});
+      revoke();
+      Object.setPrototypeOf([], proxy);`,
+    generatePreview: true,
+  });
+  InspectorTest.logMessage(result);
+
+  InspectorTest.completeTest();
+})();