JSOp::CheckReturn - Validate return type after the function has exited
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox92 | --- | fixed |
People
(Reporter: anba, Assigned: anba)
Details
Attachments
(2 files)
CheckReturn validates the return type while the function is still active, which isn't spec compliant, because the validation should actually happen after leaving the function body. See 10.2.2 [[Construct]], step 12.
Test 1:
- Expected: No error
- Actual: Throws ReferenceError
- Note: Same bug in V8, but works as expected in JSC.
new class extends class {} {
constructor() {
try {
return;
} finally {
super();
}
}
}
Test 2:
- Expected: Throws a TypeError
- Actual: No error
- Note: Same bug in JSC, but works as expected in V8.
new class extends class {} {
constructor() {
super();
try {
return 0;
} catch {
return;
}
}
}
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 1•4 years ago
|
||
In the specification, the equivalent steps for JSOp::CheckReturn are performed
after the function has exited. That means the error from JSOp::CheckReturn
mustn't trigger any catch blocks. It also means finally blocks must be executed
before running JSOp::CheckReturn.
We can't easily access the this-binding after the function has exited, contrary
to for example the this-argument. One way to implement CheckReturn in a spec-
compliant way, is to perform JSOp::Goto from the return statement to the
position of the implicit return and execute CheckReturn there.
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
This aligns Baseline with Warp and produces fewer instructions.
Depends on D121380
|
||
Comment 4•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/e8aa11e608f0
https://hg.mozilla.org/mozilla-central/rev/91f287cd0187
Description
•