From 199957366afc1a142627ede8c2d19d3c3945fd37 Mon Sep 17 00:00:00 2001
From: "brendan%mozilla.org"
Date: Wed, 13 Sep 2006 06:56:26 +0000
Subject: [PATCH] Fix generator stack farbling (350793, r=mrbkap).

---
 js/src/jsinterp.c | 1 +
 js/src/jsiter.c | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/js/src/jsinterp.c b/js/src/jsinterp.c
index d5ecca2bf13c..e8ac8a4254ca 100644
--- a/js/src/jsinterp.c
+++ b/js/src/jsinterp.c
@@ -1283,6 +1283,7 @@ have_fun:
 /* All arguments must be contiguous, so we may have to copy actuals. */
 nalloc = nslots;
 limit = (jsval *) cx->stackPool.current->limit;
+ JS_ASSERT((jsval *) cx->stackPool.current->base <= sp && sp <= limit);
 if (sp + nslots > limit) {
 /* Hit end of arena: we have to copy argv[-2..(argc+nslots-1)]. */
 nalloc += 2 + argc;
diff --git a/js/src/jsiter.c b/js/src/jsiter.c
index ff3cb2cc4757..5f9cb87155ac 100644
--- a/js/src/jsiter.c
+++ b/js/src/jsiter.c
@@ -756,14 +756,27 @@ SendToGenerator(JSContext *cx, JSGeneratorOp op, JSObject *obj,
 break;
 }
 
- fp = cx->fp;
+ /* Extend the current stack pool with gen->arena. */
 arena = cx->stackPool.current;
- cx->stackPool.current = &gen->arena;
+ JS_ASSERT(!arena->next);
+ JS_ASSERT(!gen->arena.next);
+ JS_ASSERT(cx->stackPool.current != &gen->arena);
+ cx->stackPool.current = arena->next = &gen->arena;
+
+ /* Push gen->frame around the interpreter activation. */
+ fp = cx->fp;
 cx->fp = &gen->frame;
 gen->frame.down = fp;
 ok = js_Interpret(cx, gen->frame.pc, &junk);
 cx->fp = fp;
+ gen->frame.down = NULL;
+
+ /* Retract the stack pool and sanitize gen->arena. */
+ JS_ASSERT(!gen->arena.next);
+ JS_ASSERT(arena->next == &gen->arena);
+ JS_ASSERT(cx->stackPool.current == &gen->arena);
 cx->stackPool.current = arena;
+ arena->next = NULL;
 
 if (gen->frame.flags & JSFRAME_YIELDING) {
 /* Yield cannot fail, throw or be called on closing. */
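Review bot: The new `JS_ASSERT` in the jsinterp.c hunk only documents the invariant that `sp` lies inside `cx->stackPool.current`; it is compiled out of release builds, where the following `if (sp + nslots > limit)` still silently trusts it. If `sp` belongs to a different arena than `current` (the situation the jsiter.c side of this commit is fixing), the comparison is against the wrong arena's limit and the no-copy path hands out slots outside the arena that actually backs `sp`. A one-line comment above the assert would tell the next reader why it is there, e.g. `/* sp must live in the current arena; generator resumption (jsiter.c) relinks gen->arena so this holds. */`. Note also that `sp + nslots` is pointer arithmetic that may run past the arena before the comparison; `nslots > (size_t)(limit - sp)` expresses the same test without forming the out-of-bounds pointer, given the asserted `sp <= limit`. The enclosing function starts and ends outside this hunk.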
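Review bot: The retraction after `js_Interpret` in the jsiter.c hunk is unconditional, but its safety rests entirely on debug-only asserts: `cx->stackPool.current = arena; arena->next = NULL;` runs in release builds even when `gen->arena.next` is non-NULL or `cx->stackPool.current` is no longer `&gen->arena`. I cannot tell from this hunk whether the interpreter activation can grow the pool past `gen->arena`, but if it ever does, those two lines orphan the chained arena (leaked, never released) and leave `gen->arena.next` dangling for the next resumption. The same applies on entry: `cx->stackPool.current = arena->next = &gen->arena;` overwrites any existing `arena->next` in release builds rather than refusing. At minimum the comment should state the invariant being relied on, e.g. `/* gen->arena must be the pool's last arena here; js_Interpret must not chain arenas past it. */`, and if the interpreter can grow the pool the retraction should walk and free arenas after gen->arena instead of just cutting the link. SendToGenerator starts and ends outside this hunk.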