Bug 1494518 - Do not pass non-PromiseObject to JSRuntime::enqueuePromiseJob. r=till

js/src/builtin/Promise.cpp

@@ -1018,9 +1018,23 @@ EnqueuePromiseReactionJob(JSContext* cx, HandleObject reactionObj,
     // handler's compartment above, because we should pass objects from a
     // single compartment to the enqueuePromiseJob callback.
     RootedObject promise(cx, reaction->promise());
-    if (promise && promise->is<PromiseObject>()) {
-        if (!cx->compartment()->wrap(cx, &promise)) {
-            return false;
+    if (promise) {
+        if (promise->is<PromiseObject>()) {
+            if (!cx->compartment()->wrap(cx, &promise)) {
+                return false;
+            }
+        } else if (IsWrapper(promise)) {
+            // `promise` can be already-wrapped promise object at this point.
+            JSObject* unwrappedPromise = UncheckedUnwrap(promise);
+            if (unwrappedPromise->is<PromiseObject>()) {
+                if (!cx->compartment()->wrap(cx, &promise)) {
+                    return false;
+                }
+            } else {
+                promise = nullptr;
+            }
+        } else {
+            promise = nullptr;
         }
     }
 

js/src/vm/Runtime.cpp

@@ -648,6 +648,10 @@ JSRuntime::enqueuePromiseJob(JSContext* cx, HandleFunction job, HandleObject pro
     void* data = cx->enqueuePromiseJobCallbackData;
     RootedObject allocationSite(cx);
     if (promise) {
+#ifdef DEBUG
+        AssertSameCompartment(job, promise);
+#endif
+
         RootedObject unwrappedPromise(cx, promise);
         // While the job object is guaranteed to be unwrapped, the promise
         // might be wrapped. See the comments in EnqueuePromiseReactionJob in