Ross, can you please have a look?

This happens when DevTools gets pulled up on the given page. The PredictException function is called on the kPromiseResolveClosure, which doesn't have is_promise_rejection() or is_exception_caught() set and so falls through to code which assumes it is an interpreted function.

Sathya could you have a look please?

we could just wait for ignition to launch :)

Nvm my previous comment. The issue is that these CSA builtins catch exceptions, hence have a handler table. Since they do not have a corresponding bytecode version, we have to use bits on the shared function info to make exception predictions for the debugger.

There are a bunch of builtins that do not have exception predictions. I have an incomplete CL [0] that checks this, which also fixes for a few. But I think it's best for Sathya to take this over, since I'm not really that familiar with Promise builtins.

[0] https://codereview.chromium.org/2731273002/

Builtins that could trigger this issue:

AsyncFunctionAwaitCaught
AsyncFunctionAwaitUncaught
PromiseResolveClosure
ResolvePromise
PromiseResolve
PromiseThenFinally
PromiseCatchFinally
AsyncFromSyncIteratorPrototypeNext
AsyncFromSyncIteratorPrototypeThrow
AsyncFromSyncIteratorPrototypeReturn

My (incomplete) CL fixes the first 3, but it would take me quite some time to come up test cases and figure out the correct exception prediction.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5a36af3ceb57231a6f2eb3bc385686f0facd6762

commit 5a36af3ceb57231a6f2eb3bc385686f0facd6762
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Tue Mar 07 16:02:21 2017

[promises] Fix fast path in Promise.resolve

The receiver in the case of Promise.resolve is the promise
constructor, not an instance of Promise.

BUG= chromium:691875 

Change-Id: I43e914aac51077b28c7954c8023780b9174df825
Reviewed-on: https://chromium-review.googlesource.com/450884
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43648}
[modify] https://crrev.com/5a36af3ceb57231a6f2eb3bc385686f0facd6762/src/builtins/builtins-promise.cc

Cailtin, can please you look into the AsyncFromSyncIteratorPrototype* builtins?

I have a patch out for the rest of the builtins --
https://chromium-review.googlesource.com/c/450894/

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/36a22fe7759b47f45536142ea0955d3e1ff3f6c8

commit 36a22fe7759b47f45536142ea0955d3e1ff3f6c8
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Fri Mar 10 17:44:51 2017

[debug] Add exception predictions to builtins where missing.

This fixes the catch predictions for the following builtins --
AsyncFunctionAwaitCaught
AsyncFunctionAwaitUncaught
PromiseResolveClosure
ResolvePromise
PromiseResolve

Added tests for each.

Added whitelist for builtins behind a flag.

BUG= chromium:691875 

Change-Id: I816cafdb69f0c9f1eefc440a0a44c36713d0b7dc
Reviewed-on: https://chromium-review.googlesource.com/450894
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43725}
[modify] https://crrev.com/36a22fe7759b47f45536142ea0955d3e1ff3f6c8/src/bootstrapper.cc
[modify] https://crrev.com/36a22fe7759b47f45536142ea0955d3e1ff3f6c8/src/builtins/builtins-promise.cc
[modify] https://crrev.com/36a22fe7759b47f45536142ea0955d3e1ff3f6c8/src/isolate.cc
[modify] https://crrev.com/36a22fe7759b47f45536142ea0955d3e1ff3f6c8/test/cctest/test-debug.cc
[add] https://crrev.com/36a22fe7759b47f45536142ea0955d3e1ff3f6c8/test/debugger/debug/es8/async-debug-builtin-predictions.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/326d4f436d351826ce5f66d0ccd53ad55782f610

commit 326d4f436d351826ce5f66d0ccd53ad55782f610
Author: Caitlin Potter <caitp@igalia.com>
Date: Mon Mar 13 11:10:38 2017

[builtins] add exception predictions for AsyncFromSyncIterator methods

Add a mechanic to set these Builtin exception predictions per-Isolate
rather than per-Context in the Bootstrapper.

Also add Debugger tests which would fail without these prediction
modes set.

Does not yet test for AsyncFromSyncIteratorPrototypeReturn, as this
requires AsyncGenerators and `yield*` to be hit.

BUG= chromium:691875 
R=yangguo@chromium.org, jgruber@chromium.org, gsathya@chromium.org

Change-Id: Ic2d2aba3870cce2f7321080f4278875edf253c76
Reviewed-on: https://chromium-review.googlesource.com/451967
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#43742}
[modify] https://crrev.com/326d4f436d351826ce5f66d0ccd53ad55782f610/src/builtins/builtins.cc
[modify] https://crrev.com/326d4f436d351826ce5f66d0ccd53ad55782f610/src/builtins/builtins.h
[add] https://crrev.com/326d4f436d351826ce5f66d0ccd53ad55782f610/test/inspector/debugger/async-for-await-of-promise-stack-expected.txt
[add] https://crrev.com/326d4f436d351826ce5f66d0ccd53ad55782f610/test/inspector/debugger/async-for-await-of-promise-stack.js

ClusterFuzz has detected this issue as fixed in range 456349:456353.

Detailed report: https://clusterfuzz.com/testcase?key=4771841110704128

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  AbstractCode::INTERPRETED_FUNCTION == code->kind() in isolate.cc
  v8::internal::PredictException
  v8::internal::Isolate::PredictExceptionCatcher
  v8::internal::Debug::OnException
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=456349:456353

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv948j4Owmb_tEEhqV5IWpt9s7IJCCh-MF9JWanVjoQhuiuUiByec7QJa5_GHYoKVpCtn2CcVaOPsAfyu3dAHPpZq6YdrI-j0CiGBuYjfxxcXkQQIHexjzbag3liOcwUt9PAqBW4BckNDSeEdduPE5nkF-9S4WoRkryLQPwq7cgRF0v-ZW8FIaUL6uzYbHsdCaQdXyIvrhWOebBrD4GEC69mE3xznsbuey-XnouVZ8XT8J-Jhwy__QDufj6y1ffAcGk6spqkQl23-SK187079QnmcsgUxdw1eP3FVuB4LvA28LbfH4PkEn0ACT3E_Aq-4Vo3gi7rP5Zxxfka04_VISW_lzqx13JVJV_MU-WDK9eWd6S1F6w99egeJs2mbKLJCNsUepT7HoTcvRhBlrVWYycBjkUteTg?testcase_id=4771841110704128


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e08289d0edb3f36ec5abdef36984c080c51c30e6

commit e08289d0edb3f36ec5abdef36984c080c51c30e6
Author: caitp <caitp@igalia.com>
Date: Tue Mar 14 17:02:27 2017

[test] remove unnecessary whitelisted builtins from test-debug.cc

BUG= chromium:691875 
R=gsathya@chromium.org

Review-Url: https://codereview.chromium.org/2747733002
Cr-Commit-Position: refs/heads/master@{#43800}

[modify] https://crrev.com/e08289d0edb3f36ec5abdef36984c080c51c30e6/test/cctest/test-debug.cc