[promises] Fix .arguments on builtin function.

Using .caller, one can get access to the internal function that invokes the handler passed to Promise.prototype.then. This internal function is a TF builtin that was set up as non-native and without an argument adaptor. As a consequence of this, when accessing .arguments on it, the frame-walking logic in the .arguments accessor thinks the number of arguments is -1 and we try to allocate an array of size -1. This CL marks the builtin function as native (making its .arguments be null), along with a few others that may have been incorrect in the same way. BUG=chromium:682349 Review-Url: https://codereview.chromium.org/2672453002 Cr-Commit-Position: refs/heads/master@{#42855}

[promises] Fix .arguments on builtin function.
Using .caller, one can get access to the internal function that invokes the handler passed to Promise.prototype.then. This internal function is a TF builtin that was set up as non-native and without an argument adaptor. As a consequence of this, when accessing .arguments on it, the frame-walking logic in the .arguments accessor thinks the number of arguments is -1 and we try to allocate an array of size -1. This CL marks the builtin function as native (making its .arguments be null), along with a few others that may have been incorrect in the same way. BUG=chromium:682349 Review-Url: https://codereview.chromium.org/2672453002 Cr-Commit-Position: refs/heads/master@{#42855}
5020db7f · neis · Commit bot · f555b073 · 5020db7f · 5020db7f
Commit 5020db7f authored Feb 01, 2017 by neis Committed by Commit bot Feb 01, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 8 deletions

bootstrapper.cc src/bootstrapper.cc +0 -8

regress-682349.js test/mjsunit/regress/regress-682349.js +13 -0

No files found.
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1862,7 +1862,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
    Handle<JSFunction> new_promise_capability =
        SimpleCreateFunction(isolate, factory->empty_string(),
                             Builtins::kNewPromiseCapability, 2, false);
-    new_promise_capability->shared()->set_native(false);
    InstallWithIntrinsicDefaultProto(isolate, new_promise_capability,
                                     Context::NEW_PROMISE_CAPABILITY_INDEX);
  }
@@ -1934,7 +1933,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
    {  // Internal: IsPromise
      Handle<JSFunction> function = SimpleCreateFunction(
          isolate, factory->empty_string(), Builtins::kIsPromise, 1, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(isolate, function,
                                       Context::IS_PROMISE_INDEX);
    }
@@ -1951,7 +1949,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
    {  // Internal: PromiseHandle
      Handle<JSFunction> function = SimpleCreateFunction(
          isolate, factory->empty_string(), Builtins::kPromiseHandle, 5, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(isolate, function,
                                       Context::PROMISE_HANDLE_INDEX);
      // Set up catch prediction
@@ -1963,7 +1960,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
      Handle<JSFunction> function =
          SimpleCreateFunction(isolate, factory->empty_string(),
                               Builtins::kPromiseHandleReject, 3, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(isolate, function,
                                       Context::PROMISE_HANDLE_REJECT_INDEX);
      // Set up catch prediction
@@ -3384,7 +3380,6 @@ void Bootstrapper::ExportFromRuntime(Isolate* isolate,
      Handle<JSFunction> function =
          SimpleCreateFunction(isolate, factory->empty_string(),
                               Builtins::kAsyncFunctionAwaitCaught, 3, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(
          isolate, function, Context::ASYNC_FUNCTION_AWAIT_CAUGHT_INDEX);
    }
@@ -3393,7 +3388,6 @@ void Bootstrapper::ExportFromRuntime(Isolate* isolate,
      Handle<JSFunction> function =
          SimpleCreateFunction(isolate, factory->empty_string(),
                               Builtins::kAsyncFunctionAwaitUncaught, 3, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(
          isolate, function, Context::ASYNC_FUNCTION_AWAIT_UNCAUGHT_INDEX);
    }
@@ -3422,7 +3416,6 @@ void Bootstrapper::ExportFromRuntime(Isolate* isolate,
      Handle<JSFunction> function =
          SimpleCreateFunction(isolate, factory->empty_string(),
                               Builtins::kAsyncFunctionPromiseCreate, 0, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(
          isolate, function, Context::ASYNC_FUNCTION_PROMISE_CREATE_INDEX);
    }
@@ -3431,7 +3424,6 @@ void Bootstrapper::ExportFromRuntime(Isolate* isolate,
      Handle<JSFunction> function = SimpleCreateFunction(
          isolate, factory->empty_string(),
          Builtins::kAsyncFunctionPromiseRelease, 1, false);
-      function->shared()->set_native(false);
      InstallWithIntrinsicDefaultProto(
          isolate, function, Context::ASYNC_FUNCTION_PROMISE_RELEASE_INDEX);
    }

--- a/test/mjsunit/regress/regress-682349.js
+++ b/test/mjsunit/regress/regress-682349.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let success = false;
+function f() {
+  success = (f.caller.arguments === null);
+}
+Promise.resolve().then(f);
+%RunMicrotasks();
+assertTrue(success);