[liveedit]: fail to patch if target is outside of async function on stack

src/debug/liveedit.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/debug/liveedit.h"
 
 #include "src/ast/scopeinfo.h"
 #include "src/ast/scopes.h"
 #include "src/code-stubs.h"
 #include "src/compilation-cache.h"
@@ skipping 1608 matching lines @@
                 Smi::FromInt(
                     LiveEdit::FUNCTION_BLOCKED_NO_NEW_TARGET_ON_RESTART),
                 isolate));
         return true;
       }
       return false;
     }
     return false;
   }
 
+  void set_status(LiveEdit::FunctionPatchabilityStatus status) {

[caitp (gmail), 2016/06/10 13:08:16]

this stuff might actually not be necessary, since the test turned out to just be
wrong (but I'm pretty sure the 3rd assertThrows() will still fail without this)

[Dan Ehrenberg, 2016/06/10 13:14:41]

What do you mean the test turned out to be wrong?

[caitp (gmail), 2016/06/10 13:18:45]

The assertion that the last promise value would be "'Koala'" is in fact
incorrect, since it (correctly) resolves the Promise with "'Capybara'" (the last
edited string in asyncfn)

I fixed that and added a new assertion to verify that fun_inside was patched as
expected

But that said, yeah, this crash can still happen, this change just makes the
test behave as expected.

+    Isolate* isolate = old_shared_array_->GetIsolate();
+    int len = GetArrayLength(old_shared_array_);
+    for (int i = 0; i < len; ++i) {
+      Handle<Object> old_element =
+          JSReceiver::GetElement(isolate, result_, i).ToHandleChecked();
+      if (!old_element->IsSmi() ||
+          Smi::cast(*old_element)->value() ==
+              LiveEdit::FUNCTION_AVAILABLE_FOR_PATCH) {
+        SetElementSloppy(result_, i,
+                         Handle<Smi>(Smi::FromInt(status), isolate));
+      }
+    }
+  }
+
  private:
   Handle<JSArray> old_shared_array_;
   Handle<JSArray> new_shared_array_;
   Handle<JSArray> result_;
 };
 
 
 // Drops all call frame matched by target and all frames above them.
 template <typename TARGET>
 static const char* DropActivationsInActiveThreadImpl(Isolate* isolate,
@@ skipping 57 matching lines @@
     // There is a C or generator frame on stack.  We can't drop C frames, and we
     // can't restart generators.  Check that there are no target frames below
     // them.
     for (; frame_index < frames.length(); frame_index++) {
       StackFrame* frame = frames[frame_index];
       if (frame->is_java_script()) {
         if (target.MatchActivation(frame, non_droppable_reason)) {
           // Fail.
           return NULL;
         }
+        if (non_droppable_reason ==
+                LiveEdit::FUNCTION_BLOCKED_UNDER_GENERATOR &&
+            !target_frame_found) {
+          // Fail.
+          target.set_status(non_droppable_reason);
+          return NULL;
+        }
       }
     }
   }
 
   // We cannot restart a frame that uses new.target.
   if (target.FrameUsesNewTarget(frames[bottom_js_frame_index])) return NULL;
 
   if (!do_drop) {
     // We are in check-only mode.
     return NULL;
@@ skipping 326 matching lines @@
     scope_info_length++;
 
     current_scope = current_scope->outer_scope();
   }
 
   return scope_info_list;
 }
 
 }  // namespace internal
 }  // namespace v8