Bug 1406463 - Check for dead proxy objects in Promise.all ResolveElementFunction. r=till
authorAndré Bargull <andre.bargull@gmail.com>
Thu, 12 Oct 2017 11:59:04 -0700
changeset 387449 56a94fa75d3fbf7638277e0c0c4d2a020ebfb09a
parent 387448 647efba379ee997015ba4c4d5bf1f746cb99ed26
child 387450 990a35e2cd48a28ad9edbe58121e0b8e93c09109
push id32718
push userarchaeopteryx@coole-files.de
push dateFri, 20 Oct 2017 22:07:12 +0000
treeherdermozilla-central@a9131757dfdd [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstill
bugs1406463
milestone58.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1406463 - Check for dead proxy objects in Promise.all ResolveElementFunction. r=till
js/src/builtin/Promise.cpp
js/src/jit-test/tests/promise/bug1406463.js
--- a/js/src/builtin/Promise.cpp
+++ b/js/src/builtin/Promise.cpp
@@ -2114,16 +2114,20 @@ PromiseAllResolveElementFunction(JSConte
     RootedValue valuesVal(cx, data->valuesArray());
     RootedObject valuesObj(cx, &valuesVal.toObject());
     bool valuesListIsWrapped = false;
     if (IsWrapper(valuesObj)) {
         valuesListIsWrapped = true;
         // See comment for PerformPromiseAll, step 3 for why we unwrap here.
         valuesObj = UncheckedUnwrap(valuesObj);
     }
+    if (JS_IsDeadWrapper(valuesObj)) {
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_DEAD_OBJECT);
+        return false;
+    }
     RootedNativeObject values(cx, &valuesObj->as<NativeObject>());
 
     // Step 6 (moved under step 10).
     // Step 7 (moved to step 9).
 
     // Step 8.
     // The index is guaranteed to be initialized to `undefined`.
     if (valuesListIsWrapped) {
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/promise/bug1406463.js
@@ -0,0 +1,16 @@
+// |jit-test| error:dead object
+
+var P = newGlobal().eval(`
+(class extends Promise {
+    static resolve(o) {
+        return o;
+    }
+});
+`);
+
+Promise.all.call(P, [{
+    then(r) {
+        nukeAllCCWs();
+        r();
+    }
+}]);