tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit bf5a18aabafd412ab87e48b99b0e2594dbffa713
parent f5d6b399d3923b20758d0eff198984ca21adbb58
Author: Tooru Fujisawa <arai_a@mac.com>
Date:   Wed, 19 Nov 2025 10:53:32 +0000

Bug 2000587 - Part 3: Check dead wrapper in JS::MaybeGet*JSMicroTask. r=iain

Differential Revision: https://phabricator.services.mozilla.com/D272982

Diffstat:

Mjs/src/builtin/Promise.cpp | 27+++++++++++++++++++--------


1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/js/src/builtin/Promise.cpp b/js/src/builtin/Promise.cpp
@@ -7698,11 +7698,13 @@ inline bool JSObject::is<MicroTaskEntry>() const {
 
 JS_PUBLIC_API JSObject* JS::MaybeGetHostDefinedDataFromJSMicroTask(
     JS::JSMicroTask* entry) {
-  MOZ_ASSERT(!JS_IsDeadWrapper(entry));
   JSObject* task = CheckedUnwrapStatic(entry);
   if (!task) {
     return nullptr;
   }
+  if (JS_IsDeadWrapper(task)) {
+    return nullptr;
+  }
 
   MOZ_ASSERT(task->is<MicroTaskEntry>());
   JSObject* maybeHostDefined =
@@ -7712,14 +7714,15 @@ JS_PUBLIC_API JSObject* JS::MaybeGetHostDefinedDataFromJSMicroTask(
     return nullptr;
   }
 
-  MOZ_ASSERT(!JS_IsDeadWrapper(maybeHostDefined));
+  if (JS_IsDeadWrapper(maybeHostDefined)) {
+    return nullptr;
+  }
   return CheckedUnwrapStatic(maybeHostDefined);
 }
 
 JS_PUBLIC_API JSObject* JS::MaybeGetAllocationSiteFromJSMicroTask(
     JS::JSMicroTask* entry) {
   JSObject* task = UncheckedUnwrap(entry);
-  MOZ_ASSERT(task);
   if (JS_IsDeadWrapper(task)) {
     return nullptr;
   };
@@ -7741,14 +7744,22 @@ JS_PUBLIC_API JSObject* JS::MaybeGetAllocationSiteFromJSMicroTask(
 JS_PUBLIC_API JSObject* JS::MaybeGetHostDefinedGlobalFromJSMicroTask(
     JSMicroTask* entry) {
   JSObject* task = UncheckedUnwrap(entry);
+  if (JS_IsDeadWrapper(task)) {
+    return nullptr;
+  }
+
   MOZ_ASSERT(task->is<MicroTaskEntry>());
 
   JSObject* maybeWrappedHostDefinedRepresentative =
       task->as<MicroTaskEntry>().hostDefinedGlobalRepresentative();
 
   if (maybeWrappedHostDefinedRepresentative) {
-    return &UncheckedUnwrap(maybeWrappedHostDefinedRepresentative)
-                ->nonCCWGlobal();
+    JSObject* unwrapped =
+        UncheckedUnwrap(maybeWrappedHostDefinedRepresentative);
+    if (JS_IsDeadWrapper(unwrapped)) {
+      return nullptr;
+    }
+    return &unwrapped->nonCCWGlobal();
   }
 
   return nullptr;
@@ -7787,9 +7798,9 @@ JS_PUBLIC_API JSObject* JS::GetExecutionGlobalFromJSMicroTask(
 JS_PUBLIC_API JSObject* JS::MaybeGetPromiseFromJSMicroTask(
     JS::JSMicroTask* entry) {
   JSObject* unwrapped = UncheckedUnwrap(entry);
-
-  // We don't expect to ever lose the record a job points to.
-  MOZ_RELEASE_ASSERT(!JS_IsDeadWrapper(unwrapped));
+  if (JS_IsDeadWrapper(unwrapped)) {
+    return nullptr;
+  }
 
   if (unwrapped->is<MicroTaskEntry>()) {
     return unwrapped->as<MicroTaskEntry>().promise();