Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0f5acb567be089fa9dab007127f06c7bd1fdd6e5
      
https://github.com/WebKit/WebKit/commit/0f5acb567be089fa9dab007127f06c7bd1fdd6e5
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    A JSTests/stress/promise-resolve-subclass-not-identity.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

  Log Message:
  -----------
  [JSC] Promise.resolve should not be folded to identity on Promise subclasses
https://bugs.webkit.org/show_bug.cgi?id=309612
rdar://172195606

Reviewed by Yijia Huang.

Per spec, Promise.resolve(x) acts as identity on x iff x.constructor is Promise
(more pedantically, if it is the same object as the `this` value that the
resolve function was called with, which, when called on the global Promise, is
Promise). DFG currently incorrectly folds all builtin Promise subclasses to
identity as well.

This PR fixes the constant folding and abstract interpreter by restricting the
folding to arguments that have the builtin promise structure, i.e. are not
subclasses.

Test: JSTests/stress/promise-resolve-subclass-not-identity.js
* JSTests/stress/promise-resolve-subclass-not-identity.js: Added.
(MyPromise):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

Originally-landed-as: 305413.447@rapid/safari-7624.2.5.110-branch 
(8fb39d0d2bd3). rdar://176065429
Canonical link: https://commits.webkit.org/314995@main
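
The identity rule the log message describes, written out as an added example (this is not the JSTests file from the commit and not WebKit code). `MyPromise`, `checkOnce` and `runChecks` are names chosen here, and the loop count is an arbitrary value assumed to be enough to make the function hot for an optimizing JIT tier.

```javascript
// Added example (not from the WebKit repository). MyPromise, checkOnce and
// runChecks are names chosen here; the loop count is an arbitrary value meant
// to make checkOnce hot enough for an optimizing JIT tier to compile it.
class MyPromise extends Promise {}

// One round of checks; returns the list of violated expectations.
function checkOnce() {
  const failures = [];
  const expect = (cond, msg) => { if (!cond) failures.push(msg); };
  const plain = new Promise(() => {});
  const sub = new MyPromise(() => {});

  // x.constructor is the receiver: resolve returns x itself.
  expect(Promise.resolve(plain) === plain, "Promise.resolve(plain) must be identity");
  expect(MyPromise.resolve(sub) === sub, "MyPromise.resolve(sub) must be identity");

  // Subclass instance, base receiver: a fresh builtin Promise wraps it.
  const wrapped = Promise.resolve(sub);
  expect(wrapped !== sub, "Promise.resolve(sub) folded to identity");
  expect(wrapped.constructor === Promise, "wrapper must be a builtin Promise");
  expect(!(wrapped instanceof MyPromise), "wrapper must not be a MyPromise");

  // Base instance, subclass receiver: a fresh MyPromise wraps it.
  const lifted = MyPromise.resolve(plain);
  expect(lifted !== plain, "MyPromise.resolve(plain) folded to identity");
  expect(lifted instanceof MyPromise, "wrapper must be a MyPromise");

  // The rule reads the 'constructor' property, so an own property on a
  // builtin promise also switches Promise.resolve from identity to wrapping.
  const relabeled = new Promise(() => {});
  relabeled.constructor = MyPromise;
  expect(Promise.resolve(relabeled) !== relabeled, "constructor override ignored");
  expect(MyPromise.resolve(relabeled) === relabeled, "receiver match must be identity");
  return failures;
}

// Repeats the round and returns the distinct failures seen.
function runChecks(iterations) {
  const seen = new Set();
  for (let i = 0; i < iterations; i++)
    for (const msg of checkOnce()) seen.add(msg);
  return [...seen];
}

console.log(runChecks(20000));
```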


