
Issue metadata

Status: Fixed
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security


Issue 805729: Security: V8: AwaitedPromise update bug

Reported by, Jan 25 2018 Project Member

Issue description

Here's a snippet of AsyncGeneratorReturn:

  Node* const context = Parameter(Descriptor::kContext);
  Node* const outer_promise = LoadPromiseFromAsyncGeneratorRequest(req);
  Node* const promise =
      Await(context, generator, value, outer_promise, AwaitContext::kLength,
            init_closure_context, var_on_resolve.value(), var_on_reject.value(),

  CSA_SLOW_ASSERT(this, IsGeneratorNotSuspendedForAwait(generator));
  StoreObjectField(generator, JSAsyncGeneratorObject::kAwaitedPromiseOffset,

The Await method calls ResolveNativePromise, which calls InternalResolvePromise, which can invoke user JavaScript code through a "then" getter. If the AwaitedPromise is replaced by the user script, the AwaitedPromise will be immediately overwritten after the call to Await; this may lead the generator into an incorrect state.

async function* asyncGenerator() {
}

let gen = asyncGenerator();
// .return() on the suspended-at-start generator awaits its argument; the
// "then" getter runs during that await and issues a new request to the generator
gen.return({
    get then() {
        delete this.then;
        gen.return();
    }
});

Log in debug mode:
abort: CSA_ASSERT failed: IsNotUndefined(request) [../../src/builtins/]

==== JS stack trace =========================================

Security context: 0x2b29083a3a71 <JSObject>#0#
    2: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#)

==== Details ================================================

[2]: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#) {
// optimized frame
--------- s o u r c e   c o d e ---------
<No Source>
==== Key         ============================================

 #0# 0x2b29083a3a71: 0x2b29083a3a71 <JSObject>
 #1# 0x19b7b0603721: 0x19b7b0603721 <JSGlobal Object>
 #2# 0x19b7b060d139: 0x19b7b060d139 <Object map = 0x189055388c91>

Received signal 4 ILL_ILLOPN 7fb143ae2781

==== C stack trace ===============================

[end of stack trace]
Illegal instruction

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
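The re-entrancy window described in the report, as an added example that is not part of the bug report or of V8's own code. `AsyncGenerator.prototype.return(value)` awaits its argument; awaiting a non-promise object resolves a fresh promise with it, and the promise resolve function synchronously reads `value.then`. A `then` getter therefore runs user JavaScript in the middle of the builtin and can issue a second request to the generator before the first has finished recording its state. The generator, the event log and the `reentrantReturn` helper below are constructed here for illustration; on an engine carrying the fix both queued requests settle in order, which is the behaviour the example checks.

```javascript
// Added example (not from the bug report or from V8): exercises the
// re-entrancy window on a suspended-at-start async generator.
function reentrantReturn() {
  const events = [];

  async function* asyncGenerator() {
    events.push("body ran"); // never happens: .return() at suspended-start skips the body
  }
  const gen = asyncGenerator();

  let innerReturnPromise = null;
  const promiseLike = {
    get then() {
      // Runs synchronously inside gen.return(promiseLike) below, while the
      // engine is still resolving the await for the outer return request.
      events.push("then getter ran inside return()");
      delete this.then;                  // behave as a plain value from now on
      innerReturnPromise = gen.return(); // re-entrant second request to the generator
      events.push("second return() queued");
      return undefined;                  // not callable, so the await fulfils with the object
    },
  };

  events.push("calling return()");
  const outerReturnPromise = gen.return(promiseLike);
  events.push("return() returned");

  return {
    events,
    // true when user code ran before the builtin call completed
    getterRanSynchronously:
      events.indexOf("then getter ran inside return()") <
      events.indexOf("return() returned"),
    // the re-entrant request was accepted (queued) rather than rejected or crashing
    innerIsPromise: innerReturnPromise instanceof Promise,
    // With the fix, both queued requests settle in order: the first with the
    // awaited object as its value, the second with undefined, both done.
    settled: Promise.all([outerReturnPromise, innerReturnPromise]).then(
      ([first, second]) => ({
        firstDone: first.done,
        firstValueIsInput: first.value === promiseLike,
        secondDone: second.done,
        secondValue: second.value,
      })
    ),
  };
}

const run = reentrantReturn();
console.log(run.events);
run.settled.then((s) => console.log(s));
```

The point to take from the event order is that the getter's log line lands before "return() returned": the builtin has handed control to untrusted script before it is finished, which is exactly when a slot such as the awaited promise must already be in a consistent state.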

Comment 1 by ClusterFuzz, Jan 25 2018

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at

Comment 2 by, Jan 25 2018

Status: Assigned (was: Unconfirmed)
I'm guessing the iOS-only label was accidental? 

neis: Can you please take a look?

Comment 3 by, Jan 25 2018

Labels: -OS-iOS

Comment 4 by, Jan 25 2018


Comment 5 by, Jan 25 2018


Comment 6 by, Jan 25 2018


Comment 7 by, Jan 25 2018


Comment 8 by, Jan 25 2018


Comment 9 by, Jan 26 2018

Caitlin, please have a look.

It seems that not having an explicit "awaiting-return" state is problematic. From what I can tell, the write to kAwaitedPromiseOffset in AsyncGeneratorReturn happens too late, because the Await can trigger a reentrance of this code.

Comment 10 by, Jan 26 2018


Comment 11 by, Jan 26 2018

If you have cycles to take this, you should. I can assist in small ways, but won’t be back to my normal v8 schedule for some time.

Comment 12 by, Jan 29 2018

Status: Started (was: Assigned)

Comment 13 by, Jan 29 2018

neis: Can you please help assign a Security_Impact label? Does this affect stable channel?

Comment 14 by, Jan 30 2018

Labels: Security_Impact-Stable

Comment 15 by, Jan 30 2018

Project Member
Labels: M-64

Comment 16 by, Jan 31 2018

Project Member
The following revision refers to this bug:

commit 9c4c717b5d1765ff31f773df416115d3dd08de60
Author: Georg Neis <>
Date: Wed Jan 31 07:43:28 2018

Fix bug in async generators.

Async generators didn't correctly handle the situation where one calls
.return on a suspended-at-start async generator and passes a
promise-like object whose awaiting causes a new request to the

Bug:  chromium:805729 
Change-Id: I4da13ab5bd97f8c2a2c5373242a2d5e2ab0f7f10
Reviewed-by: Caitlin Potter <>
Reviewed-by: Jaroslav Sevcik <>
Commit-Queue: Georg Neis <>
Cr-Commit-Position: refs/heads/master@{#50974}

Comment 17 by, Feb 5 2018

Status: Fixed (was: Started)

Comment 18 by, Feb 8 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by, Mar 6 2018

Labels: -M-64 M-66

Comment 20 by, Mar 12 2018

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows

Comment 21 by, Apr 17 2018

Labels: Release-0-M66

Comment 22 by, Apr 25 2018

Labels: CVE-2018-6106

Comment 23 by, Apr 25 2018

Labels: CVE_description-missing

Comment 24 by, May 14 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 25 by, Jun 20 2018

Labels: Hotlist-Torque

Comment 26 by, Jun 26 2018


Comment 27 by, Jan 4

Labels: -CVE_description-missing CVE_description-submitted
