AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
6b1586e32b
v8/test/mjsunit/es8/regress/regress-794744.js
Caitlin Potter 18dc491c7a [builtins] abort FrameFunctionIterator::next if frame summary empty 
Previously, FrameFunctionIterator::next() assumed that the frame summary
was non-empty. It's now possible for the list not to be empty, if the
JS microtask pump invokes a builtin function which uses
FrameFunctionIterator directly. While this is unlikely to show up in
real world code, it is necessary to handle it to prevent crashes.

BUG=chromium:794744
R=mstarzinger@chromium.org, cbruni@chromium.org, verwaest@chromium.org

Change-Id: Ie95c2228544f57730d1c6c1ff955b2c94ff1c06b
Reviewed-on: https://chromium-review.googlesource.com/833266
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#50221}
2017-12-20 00:08:35 +00:00

9 lines
468 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Object.getOwnPropertyDescriptors loads %FunctionPrototype%.caller, an
// accessor property which inspects the current callstack. Verify that this
// callstack iteration doesn't crash when there are no JS frames on the stack.
Promise.resolve(function () {}).then(Object.getOwnPropertyDescriptors);
Reference in New Issue View Git Blame Copy Permalink