v8/test/inspector/runtime/regression-1140845.js
Simon Zünd 4c28563bd7 Fix crash in JSPromise::Resolve when 'then' getter is terminating
The crash scenario is as follows:
  1) Add a getter for 'then' to the Object prototype that is
     considered side-effecting.
  2) Evaluate a simple string using 'REPL' mode with side-effect checks
     enabled.
     Note: REPL mode is not strictly necessary, but it causes a 'then'
     lookup as the evaluation result is not a promise.
  3) Calling the 'then' getter causes a termination exception, due
     to the side-effect check. JSPromise::Resolve then tries to
     put the termination exception as the reject reason, which causes
     a CHECK failure.

The solution is to check for termination in the "abrupt completion"
case when 'then' was retrieved.

Bug: chromium:1140845
Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70785}
2020-10-27 09:06:52 +00:00


// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Start the inspector test. The description text (including its spelling) is
// kept verbatim; presumably the test expectations match it -- confirm before
// editing.
const {session, contextGroup, Protocol} = InspectorTest.start(
    'Regression test for crbug.com/1140845. Check that a "then" gettter on the object prototype does not crash V8');

// Script evaluated in the inspected context. It installs a 'then' *getter* on
// Object.prototype, so a 'then' lookup on a value inheriting from it runs the
// getter. The getter calls console.log, which is what makes it count as
// side-effecting when throwOnSideEffect is requested.
const setupScript = `
let obj = Object.prototype;
obj.__defineGetter__('then', function() {console.log("foo")});
`;
// Drives the crbug.com/1140845 scenario: with a side-effecting 'then' getter on
// Object.prototype, a REPL-mode evaluation with side-effect checks enabled must
// report a side-effect exception instead of crashing V8.
(async () => {
  await Protocol.Debugger.enable();

  // Install the 'then' getter on the Object prototype. Retrieving 'then'
  // under side-effect checks then terminates, because the getter is
  // side-effecting.
  await Protocol.Runtime.evaluate({expression: setupScript});

  // Checked evaluation: replMode triggers the 'then' lookup on the non-promise
  // result, and throwOnSideEffect makes the getter call terminate.
  InspectorTest.log(`Evaluating a simple string 'foo' does not cause a crash, but a side-effect exception.`);
  const checkedResult = await Protocol.Runtime.evaluate({
    expression: `"foo"`,
    replMode: true,
    throwOnSideEffect: true,
  });
  InspectorTest.logMessage(checkedResult);

  // Control case: the same evaluation without throwOnSideEffect is expected to
  // yield the string itself.
  InspectorTest.log(`Evaluating a simple string 'foo' with side-effets should give us the string.`);
  const uncheckedResult = await Protocol.Runtime.evaluate({
    expression: `"foo"`,
    replMode: true,
  });
  InspectorTest.logMessage(uncheckedResult);

  InspectorTest.completeTest();
})();