Fix generator stack farbling (350793, r=mrbkap).
parent
7bd45c49a1
commit
199957366a
@ -1283,6 +1283,7 @@ have_fun:
|
|||||||
/* All arguments must be contiguous, so we may have to copy actuals. */
|
/* All arguments must be contiguous, so we may have to copy actuals. */
|
||||||
nalloc = nslots;
|
nalloc = nslots;
|
||||||
limit = (jsval *) cx->stackPool.current->limit;
|
limit = (jsval *) cx->stackPool.current->limit;
|
||||||
|
JS_ASSERT((jsval *) cx->stackPool.current->base <= sp && sp <= limit);
|
||||||
if (sp + nslots > limit) {
|
if (sp + nslots > limit) {
|
||||||
/* Hit end of arena: we have to copy argv[-2..(argc+nslots-1)]. */
|
/* Hit end of arena: we have to copy argv[-2..(argc+nslots-1)]. */
|
||||||
nalloc += 2 + argc;
|
nalloc += 2 + argc;
|
||||||
|
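Review bot: The added `JS_ASSERT` on `sp` is compiled out of release builds, and the test right after it, `if (sp + nslots > limit)`, still forms `sp + nslots` before comparing, which is undefined pointer arithmetic whenever the sum lies past the arena limit. Since the assertion establishes `sp <= limit`, the check can be phrased on the remaining room instead: `if (nslots > (size_t)(limit - sp)) {`. The declared type of `nslots` is not visible in this hunk, so the cast is an assumption to confirm. The code under `have_fun:` starts and ends outside the hunk.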
@ -756,14 +756,27 @@ SendToGenerator(JSContext *cx, JSGeneratorOp op, JSObject *obj,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
fp = cx->fp;
|
/* Extend the current stack pool with gen->arena. */
|
||||||
arena = cx->stackPool.current;
|
arena = cx->stackPool.current;
|
||||||
cx->stackPool.current = &gen->arena;
|
JS_ASSERT(!arena->next);
|
||||||
|
JS_ASSERT(!gen->arena.next);
|
||||||
|
JS_ASSERT(cx->stackPool.current != &gen->arena);
|
||||||
|
cx->stackPool.current = arena->next = &gen->arena;
|
||||||
|
|
||||||
|
/* Push gen->frame around the interpreter activation. */
|
||||||
|
fp = cx->fp;
|
||||||
cx->fp = &gen->frame;
|
cx->fp = &gen->frame;
|
||||||
gen->frame.down = fp;
|
gen->frame.down = fp;
|
||||||
ok = js_Interpret(cx, gen->frame.pc, &junk);
|
ok = js_Interpret(cx, gen->frame.pc, &junk);
|
||||||
cx->fp = fp;
|
cx->fp = fp;
|
||||||
|
gen->frame.down = NULL;
|
||||||
|
|
||||||
|
/* Retract the stack pool and sanitize gen->arena. */
|
||||||
|
JS_ASSERT(!gen->arena.next);
|
||||||
|
JS_ASSERT(arena->next == &gen->arena);
|
||||||
|
JS_ASSERT(cx->stackPool.current == &gen->arena);
|
||||||
cx->stackPool.current = arena;
|
cx->stackPool.current = arena;
|
||||||
|
arena->next = NULL;
|
||||||
|
|
||||||
if (gen->frame.flags & JSFRAME_YIELDING) {
|
if (gen->frame.flags & JSFRAME_YIELDING) {
|
||||||
/* Yield cannot fail, throw or be called on closing. */
|
/* Yield cannot fail, throw or be called on closing. */
|
||||||
|
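Review bot: The arena splice in SendToGenerator rests on three preconditions (`!arena->next`, `!gen->arena.next`, `cx->stackPool.current != &gen->arena`) that exist only as `JS_ASSERT`s, so a release build still runs `cx->stackPool.current = arena->next = &gen->arena;` when one of them is false, which would either drop whatever `arena->next` pointed to or link the generator arena to itself. If an earlier check in this function already rejects a generator that is currently running, a comment should say so, e.g. `/* gen is not running (checked above), so gen->arena cannot already be on cx->stackPool. */`; otherwise a runtime guard that fails the call is safer than an assertion. The same holds after `js_Interpret` returns, where `arena->next = NULL;` assumes nothing was linked behind `gen->arena`. The start of the function is outside the hunk, so whether such a check exists is not visible here.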