Fix generator stack farbling (350793, r=mrbkap).

2024-10-24 10:45:42 +00:00 · 2006-09-13 06:56:26 +00:00 · 2006-09-13 06:56:26 +00:00 · 199957366a
commit 199957366a
parent 7bd45c49a1
2 changed files with 16 additions and 2 deletions
--- a/js/src/jsinterp.c
+++ b/js/src/jsinterp.c
@ -1283,6 +1283,7 @@ have_fun:
        /* All arguments must be contiguous, so we may have to copy actuals. */
        nalloc = nslots;
        limit = (jsval *) cx->stackPool.current->limit;
+        JS_ASSERT((jsval *) cx->stackPool.current->base <= sp && sp <= limit);
        if (sp + nslots > limit) {
            /* Hit end of arena: we have to copy argv[-2..(argc+nslots-1)]. */
            nalloc += 2 + argc;
--- a/js/src/jsiter.c
+++ b/js/src/jsiter.c
@ -756,14 +756,27 @@ SendToGenerator(JSContext *cx, JSGeneratorOp op, JSObject *obj,
        break;
    }

-    fp = cx->fp;
+    /* Extend the current stack pool with gen->arena. */
    arena = cx->stackPool.current;
-    cx->stackPool.current = &gen->arena;
+    JS_ASSERT(!arena->next);
+    JS_ASSERT(!gen->arena.next);
+    JS_ASSERT(cx->stackPool.current != &gen->arena);
+    cx->stackPool.current = arena->next = &gen->arena;
+
+    /* Push gen->frame around the interpreter activation. */
+    fp = cx->fp;
    cx->fp = &gen->frame;
    gen->frame.down = fp;
    ok = js_Interpret(cx, gen->frame.pc, &junk);
    cx->fp = fp;
+    gen->frame.down = NULL;
+
+    /* Retract the stack pool and sanitize gen->arena. */
+    JS_ASSERT(!gen->arena.next);
+    JS_ASSERT(arena->next == &gen->arena);
+    JS_ASSERT(cx->stackPool.current == &gen->arena);
    cx->stackPool.current = arena;
+    arena->next = NULL;

    if (gen->frame.flags & JSFRAME_YIELDING) {
        /* Yield cannot fail, throw or be called on closing. */