Closed Bug 1722269 Opened 3 years ago Closed 3 years ago

JSOp::CheckReturn - Validate return type after the function has exited

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
92 Branch
Tracking Flags:
Tracking Status
firefox92 --- fixed

People

(Reporter: anba, Assigned: anba)

Details

Attachments

(2 files)

Bug 1722269 - Part 1: Perform CheckReturn right before exiting the class constructor. r=jandem!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1722269 - Part 2: Use ThrowBadDerivedReturnOrUninitializedThis in baseline codegen. r=jandem!
48 bytes, text/x-phabricator-request
Details | Review

CheckReturn validates the return type while the function is still active, which isn't spec compliant, because the validation should actually happen after leaving the function body. See 10.2.2 [[Construct]], step 12.

Test 1:

  • Expected: No error
  • Actual: Throws ReferenceError
  • Note: Same bug in V8, but works as expected in JSC.
new class extends class {} {
  constructor() {
    try {
      return;
    } finally {
      super();
    }
  }
}

Test 2:

  • Expected: Throws a TypeError
  • Actual: No error
  • Note: Same bug in JSC, but works as expected in V8.
new class extends class {} {
  constructor() {
    super();
    try {
      return 0;
    } catch {
      return;
    }
  }
}
Severity: -- → S4
Priority: -- → P3

In the specification, the equivalent steps for JSOp::CheckReturn are performed
after the function has exited. That means the error from JSOp::CheckReturn
mustn't trigger any catch blocks. It also means finally blocks must be executed
before running JSOp::CheckReturn.

We can't easily access the this-binding after the function has exited, contrary
to for example the this-argument. One way to implement CheckReturn in a spec-
compliant way, is to perform JSOp::Goto from the return statement to the
position of the implicit return and execute CheckReturn there.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

This aligns Baseline with Warp and produces fewer instructions.

Depends on D121380

Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/e8aa11e608f0
Part 1: Perform CheckReturn right before exiting the class constructor. r=jandem
https://hg.mozilla.org/integration/autoland/rev/91f287cd0187
Part 2: Use ThrowBadDerivedReturnOrUninitializedThis in baseline codegen. r=jandem

https://hg.mozilla.org/mozilla-central/rev/e8aa11e608f0
https://hg.mozilla.org/mozilla-central/rev/91f287cd0187

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox92: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: