Fix TypeError in parameter destructuring in async function should be a rejected promise

hyjorc1 · hyjorc1 · commit 29265f95211b · 2022-11-18T17:53:30.000-08:00
https://bugs.webkit.org/show_bug.cgi?id=247785 rdar://102325201 Reviewed by Yusuke Suzuki. Rest parameter should be caught in async function. So, running this JavaScript program should print "caught". ``` async function f(...[[]]) { } f().catch(e => print("caught")); ``` V8 (used console.log) ``` $ node input.js caught ``` GraalJS ``` $ js input.js caught ``` https://tc39.es/ecma262/#sec-async-function-definitions ... AsyncFunctionDeclaration[Yield, Await, Default] : async [no LineTerminator here] function BindingIdentifier[?Yield, ?Await] ( FormalParameters[~Yield, +Await] ) { AsyncFunctionBody } [+Default] async [no LineTerminator here] function ( FormalParameters[~Yield, +Await] ) { AsyncFunctionBody } AsyncFunctionExpression : async [no LineTerminator here] function BindingIdentifier[~Yield, +Await]opt ( FormalParameters[~Yield, +Await] ) { AsyncFunctionBody } ... According to the spec, it indicates `FormalParameters` is used for Async Function, where `FormalParameters` can be converted to `FunctionRestParameter`. https://tc39.es/ecma262/#sec-parameter-lists ... FormalParameters[Yield, Await] : [empty] FunctionRestParameter[?Yield, ?Await] FormalParameterList[?Yield, ?Await] FormalParameterList[?Yield, ?Await] , FormalParameterList[?Yield, ?Await] , FunctionRestParameter[?Yield, ?Await] ... And based on RS: EvaluateAsyncFunctionBody, it will invoke the promise.reject callback function with abrupt value ([[value]] of non-normal completion record). https://tc39.es/ecma262/#sec-runtime-semantics-evaluateasyncfunctionbody ... 2. Let declResult be Completion(FunctionDeclarationInstantiation(functionObject, argumentsList)). 3. If declResult is an abrupt completion, then a. Perform ! Call(promiseCapability.[[Reject]], undefined, « declResult.[[Value]] »). ... In that case, any non-normal results of evaluating rest parameters should be caught and passed to the reject callback function. To resolve this problem, we should allow the emitted RestParameterNode be wrapped by the catch handler for promise. However, we should remove `m_restParameter` and emit rest parameter byte code in `initializeDefaultParameterValuesAndSetupFunctionScopeStack` if we can prove that change has no side effect. In that case, we can only use one exception handler. Current fix is to add another exception handler. And move the handler byte codes to the bottom of code block in order to make other byte codes as much compact as possible. Input: ``` async function f(arg0, ...[[]]) { } f(); ``` Dumped Byte Codes: ``` ... bb#2 Predecessors: [ #1 ] [ 20] mov dst:loc9, src:<JSValue()>(const0) ... bb#3 Predecessors: [ #2 ] [ 29] get_rest_length dst:loc11, numParametersToSkip:1 ... bb#12 Predecessors: [ #8 #9 #10 ] [ 138] new_func_exp dst:loc10, scope:loc4, functionDecl:0 ... bb#13 Predecessors: [ ] [ 170] catch exception:loc10, thrownValue:loc8 [ 174] jmp targetLabel:8(->182) Successors: [ #15 ] bb#14 Predecessors: [ #7 #11 ] [ 176] catch exception:loc10, thrownValue:loc8 [ 180] jmp targetLabel:2(->182) Successors: [ #15 ] bb#15 Predecessors: [ #13 #14 ] [ 182] mov dst:loc12, src:Undefined(const1) ... Exception Handlers: 1: { start: [ 20] end: [ 29] target: [ 170] } synthesized catch 2: { start: [ 29] end: [ 138] target: [ 176] } synthesized catch ``` * JSTests/stress/catch-rest-parameter.js: Added. (throwError): (shouldThrow): (async f): (throwError.async f): (throwError.async let): (async let): (x.async f): (x): (async shouldThrow): * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack): * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h: Canonical link: https://commits.webkit.org/256864@main
diff --git a/JSTests/stress/catch-rest-parameter.js b/JSTests/stress/catch-rest-parameter.js
@@ -0,0 +1,188 @@
+function assert(b) {
+    if (!b)
+        throw "bad assert!";
+}
+
+function shouldThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (!errorThrown)
+        throw new Error('not thrown');
+    if (String(error) !== errorMessage)
+        throw new Error(`
+            bad error:      ${String(error)}
+            expected error: ${errorMessage}
+        `);
+}
+
+let expected = "TypeError: undefined is not an object (evaluating '[[]]')";
+
+// AsyncFunction
+(() => {
+    async function f(...[[]]) { }
+    let isExpected = false;
+    f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    async function f([[]]) { }
+    let isExpected = false;
+    f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    async function f(a, ...[[]]) { }
+    let isExpected = false;
+    f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    var a = 1, b = 2, c = 3;
+    async function f(arg0, ...args) {
+        a = arg0;
+        b = args[0];
+        c = args[1];
+    }
+    let isExpected = true;
+    f(4, 5, 6).then(e => isExpected = true).catch(e => isExpected = false);
+    drainMicrotasks();
+    assert(isExpected && a === 4 && b === 5 && c === 6);
+})();
+
+
+// AsyncArrowFunction
+(() => {
+    let f = async (...[[]]) => { };
+    let isExpected = false;
+    f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    let f = async ([[]]) => { };
+    let isExpected = false;
+    f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    let f = async (a, ...[[]]) => { };
+    let isExpected = false;
+    f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    var a = 1, b = 2, c = 3;
+    let f = async (arg0, ...args) => {
+        a = arg0;
+        b = args[0];
+        c = args[1];
+    };
+    let isExpected = true;
+    f(4, 5, 6).then(e => isExpected = true).catch(e => isExpected = false);
+    drainMicrotasks();
+    assert(isExpected && a === 4 && b === 5 && c === 6);
+})();
+
+
+// AsyncMethod
+(() => {
+    class x { static async f(...[[]]) { } }
+    let isExpected = false;
+    x.f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    class x { static async f([[]]) { } }
+    let isExpected = false;
+    x.f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    class x { static async f(a, ...[[]]) { } }
+    let isExpected = false;
+    x.f().then(e => isExpected = false).catch(e => isExpected = e == expected);
+    drainMicrotasks();
+    assert(isExpected);
+})();
+
+(() => {
+    var a = 1, b = 2, c = 3;
+    class x {
+        static async f(arg0, ...args) {
+            a = arg0;
+            b = args[0];
+            c = args[1];
+        }
+    }
+    let isExpected = true;
+    x.f(4, 5, 6).then(e => isExpected = true).catch(e => isExpected = false);
+    drainMicrotasks();
+    assert(isExpected && a === 4 && b === 5 && c === 6);
+})();
+
+// AsyncGenerator
+shouldThrow(async function* f([[]]) { }, expected);
+shouldThrow(async function* f(...[[]]) { }, expected);
+shouldThrow(async function* f(a, ...[[]]) { }, expected);
+(() => {
+    var a = 1, b = 2, c = 3;
+    async function* f(arg0, ...args) {
+        a = arg0;
+        b = args[0];
+        c = args[1];
+    }
+    f(4, 5, 6);
+    drainMicrotasks();
+    assert(a === 1 && b === 2 && c === 3);
+})();
+
+// Generator
+shouldThrow(function* f([[]]) { }, expected);
+shouldThrow(function* f(...[[]]) { }, expected);
+shouldThrow(function* f(a, ...[[]]) { }, expected);
+(() => {
+    var a = 1, b = 2, c = 3;
+    function* f(arg0, ...args) {
+        a = arg0;
+        b = args[0];
+        c = args[1];
+    }
+    f(4, 5, 6);
+    assert(a === 1 && b === 2 && c === 3);
+})();
+
+// Function
+shouldThrow(function f([[]]) { }, expected);
+shouldThrow(function f(...[[]]) { }, expected);
+shouldThrow(function f(a, ...[[]]) { }, expected);
+(() => {
+    var a = 1, b = 2, c = 3;
+    function f(arg0, ...args) {
+        a = arg0;
+        b = args[0];
+        c = args[1];
+    }
+    f(4, 5, 6);
+    assert(a === 4 && b === 5 && c === 6);
+})();
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -148,6 +148,28 @@ FinallyContext::FinallyContext(BytecodeGenerator& generator, Label& finallyLabel
     generator.moveEmptyValue(completionValueRegister());
 }
 
+template<typename EmitBytecodeFunctor>
+void BytecodeGenerator::asyncFuncParametersTryCatchWrap(const EmitBytecodeFunctor& emitBytecode)
+{
+    TryData* tryData = nullptr;
+    if (m_asyncFuncParametersTryCatchInfo) {
+        AsyncFuncParametersTryCatchInfo& info = m_asyncFuncParametersTryCatchInfo.value();
+        ASSERT(info.catchStartLabel && info.thrownValue);
+        Ref<Label> tryStartLabel = newEmittedLabel();
+        tryData = pushTry(tryStartLabel.get(), *info.catchStartLabel.get(), HandlerType::SynthesizedCatch);
+    }
+
+    emitBytecode();
+
+    if (m_asyncFuncParametersTryCatchInfo) {
+        AsyncFuncParametersTryCatchInfo& info = m_asyncFuncParametersTryCatchInfo.value();
+        Ref<Label> tryEndLabel = newEmittedLabel();
+        popTry(tryData, tryEndLabel.get());
+
+        emitOutOfLineCatchHandler(info.thrownValue.get(), nullptr, tryData);
+    }
+}
+
 ParserError BytecodeGenerator::generate(unsigned& size)
 {
     if (UNLIKELY(m_outOfMemoryDuringConstruction))
@@ -174,8 +196,13 @@ ParserError BytecodeGenerator::generate(unsigned& size)
         if (m_needToInitializeArguments)
             initializeVariable(variable(propertyNames().arguments), m_argumentsRegister);
 
-        if (m_restParameter)
-            m_restParameter->emit(*this);
+        if (m_restParameter) {
+            // We should move moving m_restParameter->emit(*this) to initializeDefaultParameterValuesAndSetupFunctionScopeStack
+            // as an optimization if we can prove that change has no side effect.
+            asyncFuncParametersTryCatchWrap([&] {
+                m_restParameter->emit(*this);
+            });
+        }
 
         {
             RefPtr<RegisterID> temp = newTemporary();
@@ -244,6 +271,22 @@ ParserError BytecodeGenerator::generate(unsigned& size)
         tryData->target = WTFMove(realCatchTarget);
     }
 
+    if (m_asyncFuncParametersTryCatchInfo) {
+        AsyncFuncParametersTryCatchInfo& info = m_asyncFuncParametersTryCatchInfo.value();
+        ASSERT(info.catchStartLabel && info.thrownValue);
+        emitLabel(*info.catchStartLabel.get());
+        // @rejectPromiseWithFirstResolvingFunctionCallCheck(@promise, thrownValue);
+        // return @promise;
+        RefPtr<RegisterID> rejectPromise = moveLinkTimeConstant(nullptr, LinkTimeConstant::rejectPromiseWithFirstResolvingFunctionCallCheck);
+        CallArguments args(*this, nullptr, 2);
+        emitLoad(args.thisRegister(), jsUndefined());
+        move(args.argumentRegister(0), promiseRegister());
+        move(args.argumentRegister(1), info.thrownValue.get());
+        JSTextPosition divot(m_scopeNode->firstLine(), m_scopeNode->startOffset(), m_scopeNode->lineStartOffset());
+        emitCall(newTemporary(), rejectPromise.get(), NoExpectedFunction, args, divot, divot, divot, DebuggableCall::No);
+        emitReturn(promiseRegister());
+    }
+
     m_staticPropertyAnalyzer.kill();
 
     for (auto& range : m_tryRanges) {
@@ -798,40 +841,14 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, FunctionNode* functionNode, Unlinke
         emitPutDerivedConstructorToArrowFunctionContextScope();
     }
 
-    Ref<Label> catchLabel = newLabel();
-    TryData* tryFormalParametersData = nullptr;
-    bool needTryCatch = isAsyncFunctionWrapperParseMode(parseMode) && !isSimpleParameterList;
-    if (needTryCatch) {
-        Ref<Label> tryFormalParametersStart = newEmittedLabel();
-        tryFormalParametersData = pushTry(tryFormalParametersStart.get(), catchLabel.get(), HandlerType::SynthesizedCatch);
-    }
-
-    // All "addVar()"s needs to happen before "initializeDefaultParameterValuesAndSetupFunctionScopeStack()" is called
-    // because a function's default parameter ExpressionNodes will use temporary registers.
-    initializeDefaultParameterValuesAndSetupFunctionScopeStack(parameters, isSimpleParameterList, functionNode, functionSymbolTable, symbolTableConstantIndex, captures, shouldCreateArgumentsVariableInParameterScope);
-
-    if (needTryCatch) {
-        Ref<Label> didNotThrow = newLabel();
-        emitJump(didNotThrow.get());
-        emitLabel(catchLabel.get());
-        popTry(tryFormalParametersData, catchLabel.get());
-
-        RefPtr<RegisterID> thrownValue = newTemporary();
-        emitOutOfLineCatchHandler(thrownValue.get(), nullptr, tryFormalParametersData);
-
-        // @rejectPromiseWithFirstResolvingFunctionCallCheck(@promise, thrownValue);
-        // return @promise;
-        RefPtr<RegisterID> rejectPromise = moveLinkTimeConstant(nullptr, LinkTimeConstant::rejectPromiseWithFirstResolvingFunctionCallCheck);
-        CallArguments args(*this, nullptr, 2);
-        emitLoad(args.thisRegister(), jsUndefined());
-        move(args.argumentRegister(0), promiseRegister());
-        move(args.argumentRegister(1), thrownValue.get());
-        JSTextPosition divot(functionNode->firstLine(), functionNode->startOffset(), functionNode->lineStartOffset());
-        emitCall(newTemporary(), rejectPromise.get(), NoExpectedFunction, args, divot, divot, divot, DebuggableCall::No);
+    if (isAsyncFunctionWrapperParseMode(parseMode) && !isSimpleParameterList)
+        m_asyncFuncParametersTryCatchInfo = { newLabel(), newTemporary() };
 
-        emitReturn(promiseRegister());
-        emitLabel(didNotThrow.get());
-    }
+    asyncFuncParametersTryCatchWrap([&]() {
+        // All "addVar()"s needs to happen before "initializeDefaultParameterValuesAndSetupFunctionScopeStack()" is called
+        // because a function's default parameter ExpressionNodes will use temporary registers.
+        initializeDefaultParameterValuesAndSetupFunctionScopeStack(parameters, isSimpleParameterList, functionNode, functionSymbolTable, symbolTableConstantIndex, captures, shouldCreateArgumentsVariableInParameterScope);
+    });
 
     // If we don't have  default parameter expression, then loading |this| inside an arrow function must be done
     // after initializeDefaultParameterValuesAndSetupFunctionScopeStack() because that function sets up the
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
@@ -1290,7 +1290,16 @@ namespace JSC {
         Vector<std::pair<FunctionMetadataNode*, FunctionVariableType>> m_functionsToInitialize;
         bool m_needToInitializeArguments { false };
         RestParameterNode* m_restParameter { nullptr };
-        
+
+        struct AsyncFuncParametersTryCatchInfo {
+            RefPtr<Label> catchStartLabel { nullptr };
+            RefPtr<RegisterID> thrownValue { nullptr };
+        }; 
+        std::optional<AsyncFuncParametersTryCatchInfo> m_asyncFuncParametersTryCatchInfo;
+
+        template<typename EmitBytecodeFunctor>
+        void asyncFuncParametersTryCatchWrap(const EmitBytecodeFunctor&);
+
         Vector<TryRange> m_tryRanges;
         SegmentedVector<TryData, 8> m_tryData;
 
