[async-await] remove CSA_SLOW_ASSERT in AsyncGeneratorResolve

The assertion was intended to verify that the function is only called at appropriate times (at a point when it was called both by by other builtins, and by desugarings added in the parser and during bytecode generation) --- However, it didn't account for the case where the wrapper Promise is resolved with another JSPromise with a non-callable "then" method. (Step 12 of https://tc39.github.io/ecma262/#sec-promise-resolve-functions): "If IsCallable(thenAction) is false, then Return FulfillPromise(promise, resolution)." It would be observable to verify this behaviour by loading the "then" value and asserting that it's non-callable, so instead the CSA_ASSERT is just removed and replaced with a comment explaining the appropriate use of the function. BUG=chromium:897436, v8:5855 R=bmeurer@chromium.org Change-Id: Ib4b11abfe3339409b57ccfda9c3f75a34e0db532 Reviewed-on: https://chromium-review.googlesource.com/c/1296909 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#56916}

[async-await] remove CSA_SLOW_ASSERT in AsyncGeneratorResolve
The assertion was intended to verify that the function is only called at appropriate times (at a point when it was called both by by other builtins, and by desugarings added in the parser and during bytecode generation) --- However, it didn't account for the case where the wrapper Promise is resolved with another JSPromise with a non-callable "then" method. (Step 12 of https://tc39.github.io/ecma262/#sec-promise-resolve-functions): "If IsCallable(thenAction) is false, then Return FulfillPromise(promise, resolution)." It would be observable to verify this behaviour by loading the "then" value and asserting that it's non-callable, so instead the CSA_ASSERT is just removed and replaced with a comment explaining the appropriate use of the function. BUG=chromium:897436, v8:5855 R=bmeurer@chromium.org Change-Id: Ib4b11abfe3339409b57ccfda9c3f75a34e0db532 Reviewed-on: https://chromium-review.googlesource.com/c/1296909 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#56916}
9867aa3f · Caitlin Potter · Commit Bot · 7a975d11 · 9867aa3f · 9867aa3f
Commit 9867aa3f authored Oct 23, 2018 by Caitlin Potter Committed by Commit Bot Oct 24, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 3 deletions

builtins-async-generator-gen.cc src/builtins/builtins-async-generator-gen.cc +5 -3

regress-897436.js test/mjsunit/harmony/regress/regress-897436.js +12 -0

No files found.
--- a/src/builtins/builtins-async-generator-gen.cc
+++ b/src/builtins/builtins-async-generator-gen.cc
@@ -490,9 +490,11 @@ TF_BUILTIN(AsyncGeneratorResolve, AsyncGeneratorBuiltinsAssembler) {
  CSA_SLOW_ASSERT(this, TaggedIsAsyncGenerator(generator));
  CSA_ASSERT(this, Word32BinaryNot(IsGeneratorAwaiting(generator)));

-  // If this assertion fails, the `value` component was not Awaited as it should
-  // have been, per https://github.com/tc39/proposal-async-iteration/pull/102/.
-  CSA_SLOW_ASSERT(this, TaggedDoesntHaveInstanceType(value, JS_PROMISE_TYPE));
+  // This operation should be called only when the `value` parameter has been
+  // Await-ed. Typically, this means `value` is not a JSPromise value. However,
+  // it may be a JSPromise value whose "then" method has been overridden to a
+  // non-callable value. This can't be checked with assertions due to being
+  // observable, but keep it in mind.

  Node* const next = TakeFirstAsyncGeneratorRequestFromQueue(generator);
  Node* const promise = LoadPromiseFromAsyncGeneratorRequest(next);

--- a/test/mjsunit/harmony/regress/regress-897436.js
+++ b/test/mjsunit/harmony/regress/regress-897436.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+async function* gen() {
+  const alwaysPending = new Promise(() => {});
+  alwaysPending.then = "non-callable then";
+  yield alwaysPending;
+}
+gen().next();