v8/test/inspector/regress/regress-crbug-1080638.js
Simon Zünd af7e68931f Forward exceptions while using DebugPropertyIterator
The V8 inspector is using the DebugPropertyIterator (a debug only
interface) while building RemoteObjects. The DebugPropertyIterator
uses the `KeyAccumulator::GetKeys` for this, which can potentially
throw, but the DebugPropertyIterator ignores exceptions and keeps
iterating. If multiple iteration steps throw an exception
(e.g. due to a pending stack overflow), we run into a CHECK in
Isolate::Throw, as we can't throw exceptions while another
exception is still pending.

This CL fixes the CHECK crash by properly propagating exceptions
after the iterator is created or advanced and returning early
in the inspector if an exception happens.

Please note that the regression test that showcases this behavior
is still disabled, as fixing the crash currently causes an
endless loop. While the exception in `ValueMirror::getProperties`
is handled by early returning, we still need to forward it as
the result of the `Runtime::evaluate` all the way up the stack.

R=bmeurer@chromium.org, yangguo@chromium.org

Bug: chromium:1080638
Change-Id: I1d55e0d70490a06a6bc1b0a3525236411da7f64b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2639954
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72203}
2021-01-20 17:02:43 +00:00

29 lines
784 B
JavaScript

// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const {Protocol} = InspectorTest.start('Recursive proxy prototype does not crash inspector crbug.com/1080638');

// Evaluated in the inspected context. The get trap logs its receiver, and the
// receiver (q) has the proxy as its prototype, which is the recursion named in
// the test title.
const reproductionCode = `
const t = { id: 1 }
const p = new Proxy(t, {
  get(target, prop, receiver) {
    console.log(receiver);
    return Reflect.get(target, prop);
  }
});

const q = Object.create(p);
console.log(q.id);
`;

(async function logPropertyWithProxyPrototype() {
  await Protocol.Runtime.enable();
  // The test passes if the evaluation returns a response instead of crashing.
  const response = await Protocol.Runtime.evaluate({
    expression: reproductionCode,
    replMode: true,
  });
  InspectorTest.logMessage(response);
  InspectorTest.completeTest();
})();
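
A plain-JavaScript model of the failure mode the commit message describes, added here as an illustration and not part of the V8 change or its test. `run`, `preview`, `MAX_DEPTH` and `KEYS` are hypothetical stand-ins for the inspector's property iteration and the stack limit; the model compares ignoring an exception and continuing to iterate with forwarding the first exception and returning early.

```javascript
// Model only, not V8 code. preview() stands in for the inspector's property
// iteration; MAX_DEPTH stands in for the stack limit. All names are hypothetical.
const MAX_DEPTH = 8;
const KEYS = ['id', 'name', 'size'];  // constructed sample property names

function run(forwardExceptions) {
  const stats = {trapCalls: 0, thrown: 0};
  let depth = 0;

  // Reads each key through the prototype chain, like building an object preview.
  function preview(obj) {
    const out = {};
    for (const key of KEYS) {
      try {
        if (depth >= MAX_DEPTH) {
          stats.thrown++;
          throw new RangeError('simulated stack overflow');
        }
        out[key] = Reflect.get(obj, key, obj);
      } catch (e) {
        if (forwardExceptions) throw e;  // propagate and stop iterating
        // Otherwise the exception is ignored and the next step throws again.
      }
    }
    return out;
  }

  const p = new Proxy({id: 1}, {
    get(target, prop, receiver) {
      stats.trapCalls++;
      depth++;
      try {
        preview(receiver);  // stands in for console.log(receiver)
      } finally {
        depth--;
      }
      return Reflect.get(target, prop);
    },
  });
  const q = Object.create(p);

  let error = null;
  try { q.id; } catch (e) { error = e.name; }
  return {...stats, error};
}

console.log('ignore and continue:', run(false));
console.log('forward first exception:', run(true));
```

In the model, ignoring the exception lets every remaining iteration step at the depth limit throw again and hides the failure from the caller, while forwarding raises it once and surfaces it to the top-level read of `q.id`.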