[builtins] abort FrameFunctionIterator::next if frame summary empty

Previously, FrameFunctionIterator::next() assumed that the frame summary
was non-empty. It's now possible for the list not to be empty, if the
JS microtask pump invokes a builtin function which uses
FrameFunctionIterator directly. While this is unlikely to show up in
real world code, it is necessary to handle it to prevent crashes.

BUG=chromium:794744
R=mstarzinger@chromium.org, cbruni@chromium.org, verwaest@chromium.org

Change-Id: Ie95c2228544f57730d1c6c1ff955b2c94ff1c06b
Reviewed-on: https://chromium-review.googlesource.com/833266
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#50221}

src/accessors.cc

@@ -952,16 +952,17 @@ class FrameFunctionIterator {
  private:
   MaybeHandle<JSFunction> next() {
     while (true) {
-      inlined_frame_index_--;
-      if (inlined_frame_index_ == -1) {
+      if (inlined_frame_index_ <= 0) {
         if (!frame_iterator_.done()) {
           frame_iterator_.Advance();
           frames_.clear();
+          inlined_frame_index_ = -1;
           GetFrames();
         }
         if (inlined_frame_index_ == -1) return MaybeHandle<JSFunction>();
-        inlined_frame_index_--;
       }
+
+      --inlined_frame_index_;
       Handle<JSFunction> next_function =
           frames_[inlined_frame_index_].AsJavaScript().function();
       // Skip functions from other origins.

test/mjsunit/es8/regress/regress-794744.js

@@ -0,0 +1,8 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Object.getOwnPropertyDescriptors loads %FunctionPrototype%.caller, an
+// accessor property which inspects the current callstack. Verify that this
+// callstack iteration doesn't crash when there are no JS frames on the stack.
+Promise.resolve(function () {}).then(Object.getOwnPropertyDescriptors);