[Flight] Patch Promise cycles and toString on Server Functions (#35345)

Server Functions can be stringified (sometimes implicitly) when passed
as data. This adds an override to hide the source code in that case -
just in case someone puts sensitive information in there.

Note that this still preserves the `name` field but this is also
available on the export but in practice is likely minified anyway.
There's nothing else on these referenes we'd consider unsafe unless you
explicitly expose expandos which are part of the `"use server"` export.

This adds a safety check to ensure you don't encode cyclic Promises.
This isn't a parser bug per se. Promises do have a safety mechanism that
avoids them infinite looping. However, since we use custom Thenables,
what can happen is that every time a native Promise awaits it, another
Promise wrapper is created around the Thenable which foils the
ECMAScript Promise cycle detection which can lead to an infinite loop.

This also ensures that embedded `ReadableStream` and `AsyncIterable`
streams are properly closed if the source stream closes early both on
the Server and Client. This doesn't cause an infinite loop but just to
make sure resource clean up can proceed properly.

We're also adding some more explicit clear errors for invalid payloads
since we no longer need to obfuscate the original issue.

Author: sebmarkbage

packages/react-client/src/ReactFlightClient.js

@@ -894,6 +894,7 @@ function resolveModuleChunk<T>(
   const resolvedChunk: ResolvedModuleChunk<T> = (chunk: any);
   resolvedChunk.status = RESOLVED_MODULE;
   resolvedChunk.value = value;
+  resolvedChunk.reason = null;
   if (__DEV__) {
     const debugInfo = getModuleDebugInfo(value);
     if (debugInfo !== null) {
@@ -1114,6 +1115,8 @@ export function reportGlobalError(
     // because we won't be getting any new data to resolve it.
     if (chunk.status === PENDING) {
       triggerErrorOnChunk(response, chunk, error);
+    } else if (chunk.status === INITIALIZED && chunk.reason !== null) {
+      chunk.reason.error(error);
     }
   });
   if (__DEV__) {
@@ -1462,15 +1465,95 @@ function fulfillReference(
 ): void {
   const {handler, parentObject, key, map, path} = reference;
 
-  for (let i = 1; i < path.length; i++) {
+  try {
+    for (let i = 1; i < path.length; i++) {
+      while (
+        typeof value === 'object' &&
+        value !== null &&
+        value.$$typeof === REACT_LAZY_TYPE
+      ) {
+        // We never expect to see a Lazy node on this path because we encode those as
+        // separate models. This must mean that we have inserted an extra lazy node
+        // e.g. to replace a blocked element. We must instead look for it inside.
+        const referencedChunk: SomeChunk<any> = value._payload;
+        if (referencedChunk === handler.chunk) {
+          // This is a reference to the thing we're currently blocking. We can peak
+          // inside of it to get the value.
+          value = handler.value;
+          continue;
+        } else {
+          switch (referencedChunk.status) {
+            case RESOLVED_MODEL:
+              initializeModelChunk(referencedChunk);
+              break;
+            case RESOLVED_MODULE:
+              initializeModuleChunk(referencedChunk);
+              break;
+          }
+          switch (referencedChunk.status) {
+            case INITIALIZED: {
+              value = referencedChunk.value;
+              continue;
+            }
+            case BLOCKED: {
+              // It is possible that we're blocked on our own chunk if it's a cycle.
+              // Before adding the listener to the inner chunk, let's check if it would
+              // result in a cycle.
+              const cyclicHandler = resolveBlockedCycle(
+                referencedChunk,
+                reference,
+              );
+              if (cyclicHandler !== null) {
+                // This reference points back to this chunk. We can resolve the cycle by
+                // using the value from that handler.
+                value = cyclicHandler.value;
+                continue;
+              }
+              // Fallthrough
+            }
+            case PENDING: {
+              // If we're not yet initialized we need to skip what we've already drilled
+              // through and then wait for the next value to become available.
+              path.splice(0, i - 1);
+              // Add "listener" to our new chunk dependency.
+              if (referencedChunk.value === null) {
+                referencedChunk.value = [reference];
+              } else {
+                referencedChunk.value.push(reference);
+              }
+              if (referencedChunk.reason === null) {
+                referencedChunk.reason = [reference];
+              } else {
+                referencedChunk.reason.push(reference);
+              }
+              return;
+            }
+            case HALTED: {
+              // Do nothing. We couldn't fulfill.
+              // TODO: Mark downstreams as halted too.
+              return;
+            }
+            default: {
+              rejectReference(
+                response,
+                reference.handler,
+                referencedChunk.reason,
+              );
+              return;
+            }
+          }
+        }
+      }
+      value = value[path[i]];
+    }
+
     while (
       typeof value === 'object' &&
       value !== null &&
       value.$$typeof === REACT_LAZY_TYPE
     ) {
-      // We never expect to see a Lazy node on this path because we encode those as
-      // separate models. This must mean that we have inserted an extra lazy node
-      // e.g. to replace a blocked element. We must instead look for it inside.
+      // If what we're referencing is a Lazy it must be because we inserted one as a virtual node
+      // while it was blocked by other data. If it's no longer blocked, we can unwrap it.
       const referencedChunk: SomeChunk<any> = value._payload;
       if (referencedChunk === handler.chunk) {
         // This is a reference to the thing we're currently blocking. We can peak
@@ -1491,132 +1574,57 @@ function fulfillReference(
             value = referencedChunk.value;
             continue;
           }
-          case BLOCKED: {
-            // It is possible that we're blocked on our own chunk if it's a cycle.
-            // Before adding the listener to the inner chunk, let's check if it would
-            // result in a cycle.
-            const cyclicHandler = resolveBlockedCycle(
-              referencedChunk,
-              reference,
-            );
-            if (cyclicHandler !== null) {
-              // This reference points back to this chunk. We can resolve the cycle by
-              // using the value from that handler.
-              value = cyclicHandler.value;
-              continue;
-            }
-            // Fallthrough
-          }
-          case PENDING: {
-            // If we're not yet initialized we need to skip what we've already drilled
-            // through and then wait for the next value to become available.
-            path.splice(0, i - 1);
-            // Add "listener" to our new chunk dependency.
-            if (referencedChunk.value === null) {
-              referencedChunk.value = [reference];
-            } else {
-              referencedChunk.value.push(reference);
-            }
-            if (referencedChunk.reason === null) {
-              referencedChunk.reason = [reference];
-            } else {
-              referencedChunk.reason.push(reference);
-            }
-            return;
-          }
-          case HALTED: {
-            // Do nothing. We couldn't fulfill.
-            // TODO: Mark downstreams as halted too.
-            return;
-          }
-          default: {
-            rejectReference(
-              response,
-              reference.handler,
-              referencedChunk.reason,
-            );
-            return;
-          }
         }
       }
+      break;
     }
-    value = value[path[i]];
-  }
 
-  while (
-    typeof value === 'object' &&
-    value !== null &&
-    value.$$typeof === REACT_LAZY_TYPE
-  ) {
-    // If what we're referencing is a Lazy it must be because we inserted one as a virtual node
-    // while it was blocked by other data. If it's no longer blocked, we can unwrap it.
-    const referencedChunk: SomeChunk<any> = value._payload;
-    if (referencedChunk === handler.chunk) {
-      // This is a reference to the thing we're currently blocking. We can peak
-      // inside of it to get the value.
-      value = handler.value;
-      continue;
-    } else {
-      switch (referencedChunk.status) {
-        case RESOLVED_MODEL:
-          initializeModelChunk(referencedChunk);
+    const mappedValue = map(response, value, parentObject, key);
+    parentObject[key] = mappedValue;
+
+    // If this is the root object for a model reference, where `handler.value`
+    // is a stale `null`, the resolved value can be used directly.
+    if (key === '' && handler.value === null) {
+      handler.value = mappedValue;
+    }
+
+    // If the parent object is an unparsed React element tuple, we also need to
+    // update the props and owner of the parsed element object (i.e.
+    // handler.value).
+    if (
+      parentObject[0] === REACT_ELEMENT_TYPE &&
+      typeof handler.value === 'object' &&
+      handler.value !== null &&
+      handler.value.$$typeof === REACT_ELEMENT_TYPE
+    ) {
+      const element: any = handler.value;
+      switch (key) {
+        case '3':
+          transferReferencedDebugInfo(handler.chunk, fulfilledChunk);
+          element.props = mappedValue;
+          break;
+        case '4':
+          // This path doesn't call transferReferencedDebugInfo because this reference is to a debug chunk.
+          if (__DEV__) {
+            element._owner = mappedValue;
+          }
           break;
-        case RESOLVED_MODULE:
-          initializeModuleChunk(referencedChunk);
+        case '5':
+          // This path doesn't call transferReferencedDebugInfo because this reference is to a debug chunk.
+          if (__DEV__) {
+            element._debugStack = mappedValue;
+          }
+          break;
+        default:
+          transferReferencedDebugInfo(handler.chunk, fulfilledChunk);
           break;
       }
-      switch (referencedChunk.status) {
-        case INITIALIZED: {
-          value = referencedChunk.value;
-          continue;
-        }
-      }
-    }
-    break;
-  }
-
-  const mappedValue = map(response, value, parentObject, key);
-  parentObject[key] = mappedValue;
-
-  // If this is the root object for a model reference, where `handler.value`
-  // is a stale `null`, the resolved value can be used directly.
-  if (key === '' && handler.value === null) {
-    handler.value = mappedValue;
-  }
-
-  // If the parent object is an unparsed React element tuple, we also need to
-  // update the props and owner of the parsed element object (i.e.
-  // handler.value).
-  if (
-    parentObject[0] === REACT_ELEMENT_TYPE &&
-    typeof handler.value === 'object' &&
-    handler.value !== null &&
-    handler.value.$$typeof === REACT_ELEMENT_TYPE
-  ) {
-    const element: any = handler.value;
-    switch (key) {
-      case '3':
-        transferReferencedDebugInfo(handler.chunk, fulfilledChunk);
-        element.props = mappedValue;
-        break;
-      case '4':
-        // This path doesn't call transferReferencedDebugInfo because this reference is to a debug chunk.
-        if (__DEV__) {
-          element._owner = mappedValue;
-        }
-        break;
-      case '5':
-        // This path doesn't call transferReferencedDebugInfo because this reference is to a debug chunk.
-        if (__DEV__) {
-          element._debugStack = mappedValue;
-        }
-        break;
-      default:
-        transferReferencedDebugInfo(handler.chunk, fulfilledChunk);
-        break;
+    } else if (__DEV__ && !reference.isDebug) {
+      transferReferencedDebugInfo(handler.chunk, fulfilledChunk);
     }
-  } else if (__DEV__ && !reference.isDebug) {
-    transferReferencedDebugInfo(handler.chunk, fulfilledChunk);
+  } catch (error) {
+    rejectReference(response, reference.handler, error);
+    return;
   }
 
   handler.deps--;
@@ -1882,6 +1890,7 @@ function loadServerReference<A: Iterable<any>, T>(
       const initializedChunk: InitializedChunk<T> = (chunk: any);
       initializedChunk.status = INITIALIZED;
       initializedChunk.value = handler.value;
+      initializedChunk.reason = null;
       if (resolveListeners !== null) {
         wakeChunk(response, resolveListeners, handler.value, initializedChunk);
       } else {
@@ -2359,7 +2368,7 @@ function parseModelString(
         // Symbol
         return Symbol.for(value.slice(2));
       }
-      case 'F': {
+      case 'h': {
         // Server Reference
         const ref = value.slice(2);
         return getOutlinedModel(
@@ -3138,6 +3147,7 @@ function startReadableStream<T>(
   streamState: StreamState,
 ): void {
   let controller: ReadableStreamController = (null: any);
+  let closed = false;
   const stream = new ReadableStream({
     type: type,
     start(c) {
@@ -3195,6 +3205,10 @@ function startReadableStream<T>(
       }
     },
     close(json: UninitializedModel): void {
+      if (closed) {
+        return;
+      }
+      closed = true;
       if (previousBlockedChunk === null) {
         controller.close();
       } else {
@@ -3205,6 +3219,10 @@ function startReadableStream<T>(
       }
     },
     error(error: mixed): void {
+      if (closed) {
+        return;
+      }
+      closed = true;
       if (previousBlockedChunk === null) {
         // $FlowFixMe[incompatible-call]
         controller.error(error);
@@ -3265,6 +3283,7 @@ function startAsyncIterable<T>(
           (chunk: any);
         initializedChunk.status = INITIALIZED;
         initializedChunk.value = {done: false, value: value};
+        initializedChunk.reason = null;
         if (resolveListeners !== null) {
           wakeChunkIfInitialized(
             response,
@@ -3294,6 +3313,9 @@ function startAsyncIterable<T>(
       nextWriteIndex++;
     },
     close(value: UninitializedModel): void {
+      if (closed) {
+        return;
+      }
       closed = true;
       if (nextWriteIndex === buffer.length) {
         buffer[nextWriteIndex] = createResolvedIteratorResultChunk(
@@ -3321,6 +3343,9 @@ function startAsyncIterable<T>(
       }
     },
     error(error: Error): void {
+      if (closed) {
+        return;
+      }
       closed = true;
       if (nextWriteIndex === buffer.length) {
         buffer[nextWriteIndex] =