4c28563bd7
The crash scenario is as follows:

1) Add a getter for 'then' to the Object prototype that is considered side-effecting.
2) Evaluate a simple string using 'REPL' mode with side-effect checks enabled. Note: REPL mode is not strictly necessary, but it causes a 'then' lookup as the evaluation result is not a promise.
3) Calling the 'then' getter causes a termination exception, due to the side-effect check. JSPromise::Resolve then tries to put the termination exception as the reject reason, which causes a CHECK failure.

The solution is to check for termination in the "abrupt completion" case when 'then' was retrieved.

Bug: chromium:1140845
Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70785}
39 lines
1.1 KiB
Plaintext
Regression test for crbug.com/1140845. Check that a "then" gettter on the object prototype does not crash V8

Evaluating a simple string 'foo' does not cause a crash, but a side-effect exception.
{
    id : <messageId>
    result : {
        exceptionDetails : {
            columnNumber : -1
            exception : {
                className : EvalError
                description : EvalError: Possible side-effect in debug-evaluate
                objectId : <objectId>
                subtype : error
                type : object
            }
            exceptionId : <exceptionId>
            lineNumber : -1
            scriptId : <scriptId>
            text : Uncaught
        }
        result : {
            className : EvalError
            description : EvalError: Possible side-effect in debug-evaluate
            objectId : <objectId>
            subtype : error
            type : object
        }
    }
}

Evaluating a simple string 'foo' with side-effets should give us the string.
{
    id : <messageId>
    result : {
        result : {
            type : string
            value : foo
        }
    }
}
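The 'then' lookup and the "abrupt completion" path named in the commit message can be observed from plain script. This is an added example, not code from the V8 change or its test; `probe`, `wrapper` and the error text are hypothetical names, and the wrapper object is an assumed stand-in for the non-promise value being resolved.

```javascript
// Added example (not V8 code): observe when promise resolution reads "then".
// `probe`, `wrapper` and the error text are names constructed for this demo.
function probe(value, getterThrows) {
  let lookups = 0;
  let threwSynchronously = false;
  let promise;
  // Step 1 of the scenario: a "then" getter on Object.prototype.
  Object.defineProperty(Object.prototype, 'then', {
    configurable: true,
    get() {
      lookups += 1;
      // Stand-in for the side-effect check aborting the getter call.
      if (getterThrows) throw new EvalError('constructed: getter aborted');
      return undefined; // not callable, so the value is not treated as a thenable
    },
  });
  try {
    // Resolving with an object performs Get(value, "then") synchronously.
    promise = Promise.resolve(value);
  } catch (e) {
    threwSynchronously = true;
  } finally {
    delete Object.prototype.then; // always restore the prototype
  }
  return { lookups, threwSynchronously, promise };
}

// Constructed inputs: a wrapper object standing in for a non-promise result,
// and the bare string for comparison.
const wrapper = { result: 'foo' };
const benign = probe(wrapper, false);   // one lookup, fulfilled with wrapper
const primitive = probe('foo', false);  // primitives skip the lookup entirely
const abrupt = probe(wrapper, true);    // one lookup, promise ends up rejected

// The getter's exception becomes the rejection reason instead of propagating.
abrupt.promise.then(
  () => console.log('unexpected fulfilment'),
  (reason) => console.log('rejected with:', reason.name, '-', reason.message),
);
console.log(benign.lookups, primitive.lookups, abrupt.lookups, abrupt.threwSynchronously);
```

The EvalError thrown here is an ordinary catchable exception, so storing it as the rejection reason is valid. The commit message concerns a termination exception reaching that same path, which is why the fix checks for termination before rejecting.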