[async] The Promise.all() fast-path must check @@species protector.

We cannot take the fast-path if the user messed with the Symbol.species property on the Promise.prototype, as that makes the internal promises observable. Bug: chromium:917076 Change-Id: I928e0bd17836ca78cf88591610526aa7bc1d293c Reviewed-on: https://chromium-review.googlesource.com/c/1396426 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#58563}

[async] The Promise.all() fast-path must check @@species protector.
We cannot take the fast-path if the user messed with the Symbol.species property on the Promise.prototype, as that makes the internal promises observable. Bug: chromium:917076 Change-Id: I928e0bd17836ca78cf88591610526aa7bc1d293c Reviewed-on: https://chromium-review.googlesource.com/c/1396426 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#58563}
b6bcf321 · Benedikt Meurer · Commit Bot · 61f4c225 · b6bcf321 · b6bcf321
Commit b6bcf321 authored Jan 07, 2019 by Benedikt Meurer Committed by Commit Bot Jan 07, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 2 deletions

builtins-promise-gen.cc src/builtins/builtins-promise-gen.cc +6 -2

regress-crbug-917076.js test/mjsunit/regress/regress-crbug-917076.js +20 -0

No files found.
--- a/src/builtins/builtins-promise-gen.cc
+++ b/src/builtins/builtins-promise-gen.cc
@@ -1958,9 +1958,12 @@ Node* PromiseBuiltinsAssembler::PerformPromiseAll(
    //   (a) The {constructor} is the intrinsic %Promise% function, and
    //       looking up "resolve" on {constructor} yields the initial
    //       Promise.resolve() builtin, and
-    //   (b) the {next_value} is a JSPromise whose [[Prototype]] field
+    //   (b) the promise @@species protector cell is valid, meaning that
+    //       no one messed with the Symbol.species property on any
+    //       intrinsic promise or on the Promise.prototype, and
+    //   (c) the {next_value} is a JSPromise whose [[Prototype]] field
    //       contains the intrinsic %PromisePrototype%, and
-    //   (c) we're not running with async_hooks or DevTools enabled.
+    //   (d) we're not running with async_hooks or DevTools enabled.
    //
    // In that case we also don't need to allocate a chained promise for
    // the PromiseReaction (aka we can pass undefined to PerformPromiseThen),
@@ -1970,6 +1973,7 @@ Node* PromiseBuiltinsAssembler::PerformPromiseAll(
                                             &if_slow);
    GotoIf(IsPromiseHookEnabledOrDebugIsActiveOrHasAsyncEventDelegate(),
           &if_slow);
+    GotoIf(IsPromiseSpeciesProtectorCellInvalid(), &if_slow);
    GotoIf(TaggedIsSmi(next_value), &if_slow);
    Node* const next_value_map = LoadMap(next_value);
    BranchIfPromiseThenLookupChainIntact(native_context, next_value_map,

--- a/test/mjsunit/regress/regress-crbug-917076.js
+++ b/test/mjsunit/regress/regress-crbug-917076.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let speciesCounter = 0;
+
+Object.defineProperty(Promise, Symbol.species, {
+  value: function(...args) {
+    speciesCounter++;
+    return new Promise(...args);
+  }
+});
+
+async function foo() { }
+
+assertPromiseResult(Promise.all([foo()]), () => {
+  assertEquals(3, speciesCounter);
+});