Closed Bug 1888638 Opened 1 year ago Closed 1 year ago

Assertion failure: UncheckedUnwrap(dependentPromise)->is<PromiseObject>()

Categories

(Core :: JavaScript Engine, defect, P3)

defect

Tracking


RESOLVED FIXED
126 Branch
Tracking Status
firefox126 --- fixed

People

(Reporter: lukas.bernhard, Assigned: arai)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Steps to reproduce:

On git commit 28cc363411d2029aed04c969c8f98785cae110db, the attached sample asserts in the js shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

const o1 = { 
    "newCompartment": true,
};
newGlobal(true, true, newGlobal);
const v4 = newGlobal(o1);
const v5 = `\n  var obj = {};\n  var ref = new WeakRef(obj);\n  Promise.resolve().then(() => {\n    assertEq(ref.deref(), obj);\n  });\n`;
const v6 = v4.eval(v5);
const v8 = v6.catch().then(v6, v5);
function f9(a10) {
    return nukeAllCCWs();
}
([abortgc.abs]).forEach(f9);
const v18 = ignoreUnhandledRejections(v5, ignoreUnhandledRejections, o1);
function f19() {
    return v8; 
}
Promise.resolve = f19;
Promise.allSettled([v18]);
#0  AddDummyPromiseReactionForDebugger (cx=0x7ffff6039100, promise=..., 
    dependentPromise=dependentPromise@entry=...)
    at js/src/builtin/Promise.cpp:6222
#1  0x00005555577713fe in CommonPerformPromiseCombinator<PerformPromiseAllSettled(JSContext*, PromiseForOfIterator&, JS::Handle<JSObject*>, JS::Handle<PromiseCapability>, JS::Handle<JS::Value>, bool*)::$_0>(JSContext*, PromiseForOfIterator&, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*, bool, PerformPromiseAllSettled(JSContext*, PromiseForOfIterator&, JS::Handle<JSObject*>, JS::Handle<PromiseCapability>, JS::Handle<JS::Value>, bool*)::$_0) (cx=0x7ffff6039100, 
    iterator=..., C=..., resultPromise=..., promiseResolve=..., done=0x7fffffffcd4f, 
    resolveReturnsUndefined=true, getResolveAndReject=...)
    at js/src/builtin/Promise.cpp:3800
#2  PerformPromiseAllSettled (cx=cx@entry=0x7ffff6039100, iterator=..., C=C@entry=..., 
    resultCapability=resultCapability@entry=..., promiseResolve=promiseResolve@entry=..., 
    done=done@entry=0x7fffffffcd4f) at js/src/builtin/Promise.cpp:4263
#3  0x000055555776e383 in CommonPromiseCombinator (cx=cx@entry=0x7ffff6039100, args=..., 
    kind=kind@entry=CombinatorKind::AllSettled)
    at js/src/builtin/Promise.cpp:3085
#4  0x000055555776cf3d in Promise_static_allSettled (cx=cx@entry=0x7ffff6039100, argc=1, 
    vp=<optimized out>) at js/src/builtin/Promise.cpp:4180
#5  0x0000555557296117 in CallJSNative (cx=cx@entry=0x7ffff6039100, 
    native=native@entry=0x55555776ce90 <Promise_static_allSettled(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:479
#6  0x0000555557295332 in js::InternalCallOrConstruct (cx=0x7ffff6039100, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:573
#7  0x0000555557297086 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., 
    reason=1506847168) at js/src/vm/Interpreter.cpp:640
#8  0x00005555572ab311 in js::CallFromStack (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., 
    reason=<optimized out>) at js/src/vm/Interpreter.cpp:645
#9  js::Interpret (cx=0x7ffff6039100, state=...)
    at js/src/vm/Interpreter.cpp:3060
#10 0x0000555557294887 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, 
    cx@entry=0x7ffff6039100, state=...) at js/src/vm/Interpreter.cpp:393
#11 0x000055555729457a in js::RunScript (cx=cx@entry=0x7ffff6039100, state=...)
    at js/src/vm/Interpreter.cpp:451
#12 0x0000555557299552 in js::ExecuteKernel (cx=cx@entry=0x7ffff6039100, script=script@entry=..., 
    envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=result@entry=...)
    at js/src/vm/Interpreter.cpp:838
#13 0x0000555557299d5d in js::Execute (cx=cx@entry=0x7ffff6039100, script=script@entry=..., 
    envChain=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:870
#14 0x00005555574e4efa in ExecuteScript (cx=cx@entry=0x7ffff6039100, envChain=..., script=..., 
    rval=rval@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:494
#15 0x00005555574e5178 in JS_ExecuteScript (cx=cx@entry=0x7ffff6039100, 
    scriptArg=scriptArg@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#16 0x00005555571d1cc8 in RunFile (cx=0x7ffff6039100, filename=<optimized out>, 
    file=<optimized out>, compileMethod=CompileUtf8::DontInflate, compileOnly=false, 
    fullParse=<optimized out>) at js/src/shell/js.cpp:1196
#17 0x00005555571d118e in Process (cx=cx@entry=0x7ffff6039100, filename=0x0, 
    forceTTY=<optimized out>, kind=kind@entry=FileScript)
    at js/src/shell/js.cpp:1775
#18 0x000055555718d1c3 in ProcessArgs (cx=0x7ffff6039100, op=0x7fffffffdd08)
    at js/src/shell/js.cpp:11124
#19 Shell (cx=0x7ffff6039100, op=op@entry=0x7fffffffdd08) at js/src/shell/js.cpp:11383
#20 0x0000555557185879 in main (argc=<optimized out>, argv=0x7fffffffdf98) at js/src/shell/js.cpp:11891
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Bisecting failed to identify a recent regressor; commits from mid 2022 are already affected.

Group: core-security → javascript-core-security
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED

The dead wrapper can appear only in a chrome->content reference, and malicious code couldn't utilize it;
also, on a non-debug build, the dead wrapper is type-checked later and it doesn't result in an invalid read.

This bug can be opened up.

Severity: -- → S4
Priority: -- → P3
Group: javascript-core-security
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/8a988a5904b9 Handle dead wrapper in promise handling. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch