Bug 1347984 - Check for dead object proxies in TriggerPromiseReactions. r=till

js/src/builtin/Promise.cpp

@@ -1052,8 +1052,12 @@ TriggerPromiseReactions(JSContext* cx, HandleValue reactionsVal, JS::PromiseStat
     RootedObject reactions(cx, &reactionsVal.toObject());
     RootedObject reaction(cx);
 
-    if (reactions->is<PromiseReactionRecord>() || IsWrapper(reactions))
+    if (reactions->is<PromiseReactionRecord>() ||
+        IsWrapper(reactions) ||
+        JS_IsDeadWrapper(reactions))
+    {
         return EnqueuePromiseReactionJob(cx, reactions, valueOrReason, state);
+    }
 
     RootedNativeObject reactionsList(cx, &reactions->as<NativeObject>());
     size_t reactionsCount = reactionsList->getDenseInitializedLength();

js/src/jit-test/tests/basic/bug908915.js

@@ -11,6 +11,7 @@ var blacklist = {
     'readline': true,
     'terminate': true,
     'nestedShell': true,
+    'nukeAllCCWs': true,
 };
 
 function f(y) {}

js/src/jit-test/tests/promise/bug1347984.js

@@ -0,0 +1,6 @@
+// |jit-test| error:dead object
+var g = newGlobal();
+var p = new Promise(() => {});
+g.Promise.prototype.then.call(p, () => void 0);
+g.eval("nukeAllCCWs()");
+resolvePromise(p, 9);

js/src/shell/js.cpp

@@ -5071,6 +5071,23 @@ NukeCCW(JSContext* cx, unsigned argc, Value* vp)
     return true;
 }
 
+static bool
+NukeAllCCWs(JSContext* cx, unsigned argc, Value* vp)
+{
+    CallArgs args = CallArgsFromVp(argc, vp);
+
+    if (args.length() != 0) {
+        JS_ReportErrorNumberASCII(cx, my_GetErrorMessage, nullptr, JSSMSG_INVALID_ARGS,
+                                  "nukeAllCCWs");
+        return false;
+    }
+
+    NukeCrossCompartmentWrappers(cx, AllCompartments(), cx->compartment(),
+                                 NukeWindowReferences, NukeAllReferences);
+    args.rval().setUndefined();
+    return true;
+}
+
 static bool
 GetMaxArgs(JSContext* cx, unsigned argc, Value* vp)
 {
@@ -6578,6 +6595,10 @@ static const JSFunctionSpecWithHelp shell_functions[] = {
 "nukeCCW(wrapper)",
 "  Nuke a CrossCompartmentWrapper, which turns it into a DeadProxyObject."),
 
+    JS_FN_HELP("nukeAllCCWs", NukeAllCCWs, 0, 0,
+"nukeAllCCWs()",
+"  Like nukeCCW, but for all CrossCompartmentWrappers targeting the current compartment."),
+
     JS_FN_HELP("createMappedArrayBuffer", CreateMappedArrayBuffer, 1, 0,
 "createMappedArrayBuffer(filename, [offset, [size]])",
 "  Create an array buffer that mmaps the given file."),