-
Benedikt Meurer authored
This adds a new isolate wide Promise#then protector, which guards the "then" lookup for all JSPromise instances whose [[Prototype]] is the initial %PromisePrototype%. Thus arbitrary mutations to the Promise.prototype (i.e. monkey-patching other methods or installing new functions) no longer sent you down the slow-path. Use this protector in Promise.prototype.catch and in Promise.resolve. Drive-by-fix: Restructure the resolve logic a bit and avoid the expensive and large SameValue check, which can be turned into a simple reference equal, as the promise in there is known to be a JSPromise anyways. Bug: v8:7253 Change-Id: If68b12c6bc6ca9c4d10552ae84854ebc3b5774f9 Reviewed-on: https://chromium-review.googlesource.com/899302 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#51085}
db0556b7
