[turbofan] Fix types of Promise#catch() and Promise#finally().

We cannot assign a meaningful type to Promise#catch() or
Promise#finally(), since they both return whatever the invocation of
'then' on the receiver returns, and that is monkeypatchable by arbitrary
user JavaScript.

Bug: chromium:908309, v8:7253
Change-Id: Ib15f81c366938a1b1f10be6c6af85c1f3374b898
Reviewed-on: https://chromium-review.googlesource.com/c/1350789
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57828}
Benedikt Meurer 2018-11-26 13:24:46 +01:00 committed by Commit Bot
parent 9dd8f4e7d8
commit 1bfb02471e
2 changed files with 27 additions and 4 deletions


@ -1644,10 +1644,6 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
case BuiltinFunctionId::kPromiseAll:
return Type::Receiver();
case BuiltinFunctionId::kPromisePrototypeCatch:
return Type::Receiver();
case BuiltinFunctionId::kPromisePrototypeFinally:
return Type::Receiver();
case BuiltinFunctionId::kPromisePrototypeThen:
return Type::Receiver();
case BuiltinFunctionId::kPromiseRace:


@ -0,0 +1,27 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const p = Object.defineProperty(Promise.resolve(), 'then', {
value() { return 0; }
});
(function() {
function foo() { return p.catch().catch(); }
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
})();
(function() {
function foo() { return p.finally().finally(); }
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
})();
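Review bot: The new test file has no comment saying why a `TypeError` is expected or what the optimized run is guarding, so a later reader has to reconstruct that from the commit message. A header line above the `const p` definition would cover it, for example `// 'then' on p is patched to return 0, so p.catch() / p.finally() return a non-receiver and the chained call must throw TypeError in optimized code too.` The test also pins only one shape: an own-property `then` returning the Smi `0`. If the typer change is meant to cover any user-supplied `then`, a second case with a different non-receiver return value, or with `then` replaced on a subclass prototype, would keep the regression from being reintroduced through a narrower special case. The two IIFEs differ only in the method name and could share one helper, though keeping them separate is reasonable if each `foo` needs its own optimization state.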