Fix generator stack farbling (350793, r=mrbkap).
This commit is contained in:
parent
7bd45c49a1
commit
199957366a
@ -1283,6 +1283,7 @@ have_fun:
|
||||
/* All arguments must be contiguous, so we may have to copy actuals. */
|
||||
nalloc = nslots;
|
||||
limit = (jsval *) cx->stackPool.current->limit;
|
||||
JS_ASSERT((jsval *) cx->stackPool.current->base <= sp && sp <= limit);
|
||||
if (sp + nslots > limit) {
|
||||
/* Hit end of arena: we have to copy argv[-2..(argc+nslots-1)]. */
|
||||
nalloc += 2 + argc;
|
||||
|
@ -756,14 +756,27 @@ SendToGenerator(JSContext *cx, JSGeneratorOp op, JSObject *obj,
|
||||
break;
|
||||
}
|
||||
|
||||
fp = cx->fp;
|
||||
/* Extend the current stack pool with gen->arena. */
|
||||
arena = cx->stackPool.current;
|
||||
cx->stackPool.current = &gen->arena;
|
||||
JS_ASSERT(!arena->next);
|
||||
JS_ASSERT(!gen->arena.next);
|
||||
JS_ASSERT(cx->stackPool.current != &gen->arena);
|
||||
cx->stackPool.current = arena->next = &gen->arena;
|
||||
|
||||
/* Push gen->frame around the interpreter activation. */
|
||||
fp = cx->fp;
|
||||
cx->fp = &gen->frame;
|
||||
gen->frame.down = fp;
|
||||
ok = js_Interpret(cx, gen->frame.pc, &junk);
|
||||
cx->fp = fp;
|
||||
gen->frame.down = NULL;
|
||||
|
||||
/* Retract the stack pool and sanitize gen->arena. */
|
||||
JS_ASSERT(!gen->arena.next);
|
||||
JS_ASSERT(arena->next == &gen->arena);
|
||||
JS_ASSERT(cx->stackPool.current == &gen->arena);
|
||||
cx->stackPool.current = arena;
|
||||
arena->next = NULL;
|
||||
|
||||
if (gen->frame.flags & JSFRAME_YIELDING) {
|
||||
/* Yield cannot fail, throw or be called on closing. */
|
||||
|
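Review bot: The retraction after js_Interpret, `cx->stackPool.current = arena; arena->next = NULL;`, is only correct if gen->arena is still the last arena in the pool when the activation returns; the JS_ASSERT(!gen->arena.next) lines encode that but compile out in release builds, where an arena chained after gen->arena during the activation would presumably be dropped from the pool without being released and current would be reset below it. Nothing in the hunk bounds the activation's stack use to gen->arena, so either the invariant holds by construction elsewhere or a runtime check belongs here; a comment stating which, such as `/* The activation must not grow the pool past gen->arena; gen->arena is unlinked below unconditionally. */`, would save the next reader the same question. Note also that fp and gen->frame.down are restored only on the normal return path of js_Interpret, which is fine as long as it cannot exit non-locally. SendToGenerator continues outside this hunk.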