[Promise] Add smi check for species constructor
Bug: chromium:726636
Change-Id: Ied6af8c969ed05b7a334238b30930658af060e7d
Reviewed-on: https://chromium-review.googlesource.com/516734
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45537}
Sathya Gunasekaran authored and Commit Bot committed May 26, 2017
1 parent 990bad7 commit 6b31174
Showing 2 changed files with 26 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/builtins/builtins-promise-gen.cc
Expand Up @@ -106,6 +106,10 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
debug_event = TrueConstant();
}

Label if_not_constructor(this, Label::kDeferred);
GotoIf(TaggedIsSmi(constructor), &if_not_constructor);
GotoIfNot(IsConstructorMap(LoadMap(constructor)), &if_not_constructor);

Node* native_context = LoadNativeContext(context);

Node* map = LoadRoot(Heap::kJSPromiseCapabilityMapRootIndex);
Expand Down Expand Up @@ -189,6 +193,13 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
Unreachable();
}

BIND(&if_not_constructor);
{
Node* const message_id = SmiConstant(MessageTemplate::kNotConstructor);
CallRuntime(Runtime::kThrowTypeError, context, message_id, constructor);
Unreachable();
}

BIND(&out);
return var_result.value();
}
Expand Down Expand Up @@ -312,6 +323,7 @@ Node* PromiseBuiltinsAssembler::SpeciesConstructor(Node* context, Node* object,

// 7. If IsConstructor(S) is true, return S.
Label throw_error(this);
GotoIf(TaggedIsSmi(species), &throw_error);
Node* species_bitfield = LoadMapBitField(LoadMap(species));
GotoIfNot(Word32Equal(Word32And(species_bitfield,
Int32Constant((1 << Map::kIsConstructor))),
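Review bot: SpeciesConstructor (third hunk) still checks the constructor bit by hand, `Word32And(species_bitfield, Int32Constant((1 << Map::kIsConstructor)))`, while the guard added to NewPromiseCapability in the first hunk uses the `IsConstructorMap(LoadMap(...))` helper; assuming the helper tests the same map bit, the two sites could read alike, `GotoIfNot(IsConstructorMap(LoadMap(species)), &throw_error);`, replacing the bit-field load and compare. The new `GotoIf(TaggedIsSmi(species), &throw_error)` is what makes the following `LoadMap(species)` safe, since a Smi is a tagged integer with no map to load, and a one-line comment there, `// A Smi is never a constructor and has no map; bail out before LoadMap.`, would keep that ordering from being undone later. The same comment applies to the Smi check placed before `LoadMap(constructor)` in the first hunk. The `GotoIfNot` in the third hunk continues past the visible lines, so the remainder of the condition is not reviewed here.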
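--- /dev/null
+++ b/test/mjsunit/regress/regress-726636.js
@@ -0,0 +1,14 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+Object.defineProperty(Promise, Symbol.species, { value: 0 });
+var p = new Promise(function() {});
+try {
+p.then();
+assertUnreachable();
+} catch(e) {
+assertTrue(e instanceof TypeError);
+}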
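Review bot: The `// Flags: --allow-natives-syntax` header on the new test does not appear to be needed, since none of the statements below use natives syntax (no `%`-prefixed calls); either drop the line or use the syntax it enables. The test only reaches the SpeciesConstructor guard, via `p.then()` with a Smi stored under `Symbol.species`; the Smi check added to NewPromiseCapability in the same commit is not obviously exercised here, so a second case that hands a non-object constructor to promise capability creation would pin that fix as well. A short comment above `Object.defineProperty`, `// A Smi species must be rejected with a TypeError, not treated as a constructor.`, would record what the regression guards against.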
