From c005732bdcfcfc46bab32a1bd83baf6d5b4a8407 Mon Sep 17 00:00:00 2001
From: zhangxin11112342
Date: Fri, 22 Dec 2023 02:09:01 -0500
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2023-6702?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: zhangxin11112342
---
 src/execution/isolate.cc | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/execution/isolate.cc b/src/execution/isolate.cc
index 6d9d53bf8..a4bec1939 100644
--- a/src/execution/isolate.cc
+++ b/src/execution/isolate.cc
@@ -975,7 +975,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle promise,
 isolate);
 builder->AppendPromiseCombinatorFrame(function, combinator);
 
- // Now peak into the Promise.all() resolve element context to
+ if (context->IsNativeContext()) {
+ // NativeContext is used as a marker that the closure was already
+ // called. We can't access the reject element context any more.
+ return;
+ }
+
+ // Now peek into the Promise.all() resolve element context to
 // find the promise capability that's being resolved when all
 // the concurrent promises resolve.
 int const index =
@@ -993,7 +999,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle promise,
 isolate);
 builder->AppendPromiseCombinatorFrame(function, combinator);
 
- // Now peak into the Promise.any() reject element context to
+ if (context->IsNativeContext()) {
+ // NativeContext is used as a marker that the closure was already
+ // called. We can't access the reject element context any more.
+ return;
+ }
+
+ // Now peek into the Promise.any() reject element context to
 // find the promise capability that's being resolved when any of
 // the concurrent promises resolve.
 int const index = PromiseBuiltins::kPromiseAnyRejectElementCapabilitySlot;
-- 
Gitee
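Review bot: The comment added to the Promise.all() branch in the first hunk (-975,7 +975,13) refers to the "reject element context", but the code immediately below it peeks into the Promise.all() resolve element context, so the wording was evidently copied from the Promise.any() branch and should read `// called. We can't access the resolve element context any more.`; the second hunk's copy is correct as written. It would also help a reader of this guard to say why the marker matters, since the early return is what keeps the slot reads below from treating a NativeContext as a resolve/reject element context, e.g. `// Bail out before the kPromise*ElementCapabilitySlot reads below, which are only valid on the element context.` The declaration of `context` and the rest of CaptureAsyncStackTrace lie outside both hunks, so whether `context` can be anything other than the element context or the NativeContext at this point cannot be confirmed from the patch alone.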