Do not leak message object beyond try-catch.

src/compiler/ast-graph-builder.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/ast-graph-builder.h"
 
 #include "src/compiler.h"
 #include "src/compiler/ast-loop-assignment-analyzer.h"
 #include "src/compiler/control-builders.h"
 #include "src/compiler/js-type-feedback.h"
@@ skipping 1456 matching lines @@
   try_control.BeginTry();
   {
     ControlScopeForCatch scope(this, &try_control);
     STATIC_ASSERT(TryBlockConstant::kElementCount == 1);
     environment()->Push(current_context());
     Visit(stmt->try_block());
     environment()->Pop();
   }
   try_control.EndTry();
 
+  // Clear message object as we enter the catch block.
+  ExternalReference message_object =
+      ExternalReference::address_of_pending_message_obj(isolate());
+  Node* the_hole = jsgraph()->TheHoleConstant();
+  BuildStoreExternal(message_object, kMachAnyTagged, the_hole);
+
   // Create a catch scope that binds the exception.
   Node* exception = try_control.GetExceptionNode();
   Unique<String> name = MakeUnique(stmt->variable()->name());
   const Operator* op = javascript()->CreateCatchContext(name);
   Node* context = NewNode(op, exception, GetFunctionClosure());
   PrepareFrameState(context, BailoutId::None());
   {
     ContextScope scope(this, stmt->scope(), context);
     DCHECK(stmt->scope()->declarations()->is_empty());
     // Evaluate the catch-block.
@@ skipping 45 matching lines @@
   Node* result = try_control.GetResultValueNode();
   Node* token = try_control.GetDispatchTokenNode();
 
   // The result value, dispatch token and message is expected on the operand
   // stack (this is in sync with FullCodeGenerator::EnterFinallyBlock).
   Node* message = BuildLoadExternal(message_object, kMachAnyTagged);
   environment()->Push(token);  // TODO(mstarzinger): Cook token!
   environment()->Push(result);
   environment()->Push(message);
 
+  // Clear message object as we enter the finally block.
+  Node* the_hole = jsgraph()->TheHoleConstant();
+  BuildStoreExternal(message_object, kMachAnyTagged, the_hole);
+
   // Evaluate the finally-block.
   Visit(stmt->finally_block());
   try_control.EndFinally();
 
   // The result value, dispatch token and message is restored from the operand
   // stack (this is in sync with FullCodeGenerator::ExitFinallyBlock).
   message = environment()->Pop();
   result = environment()->Pop();
   token = environment()->Pop();  // TODO(mstarzinger): Uncook token!
   BuildStoreExternal(message_object, kMachAnyTagged, message);
@@ skipping 2215 matching lines @@
     // Phi does not exist yet, introduce one.
     value = NewPhi(inputs, value, control);
     value->ReplaceInput(inputs - 1, other);
   }
   return value;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8