From 2f3ebce7c8a883fadbc332baa09ae4766401ffe2 Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Sun, 11 Dec 2022 18:28:19 +0000
Subject: [PATCH] LibJS: Keep GeneratorObject's stored execution context's internals alive

This would previously crash with a heap UAF when storing the result of `yield 1` into `e` on the second `next` call:
```js
function* a() {
const e = yield 1;
}
b = a();
b.next();
gc();
b.next();
```
---
 Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp b/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
index 1136e9aa9b..b1dacaf2d0 100644
--- a/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
@@ -50,6 +50,7 @@ void GeneratorObject::visit_edges(Cell::Visitor& visitor)
 Base::visit_edges(visitor);
 visitor.visit(m_generating_function);
 visitor.visit(m_previous_value);
+ m_execution_context.visit_edges(visitor);
 }
 
 // 27.5.3.2 GeneratorValidate ( generator, generatorBrand ), https://tc39.es/ecma262/#sec-generatorvalidate
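Review bot: The fix ships without a regression test, even though the commit message already carries a minimal reproducer (`b.next(); gc(); b.next();`) that crashed before the change; the diffstat shows only GeneratorObject.cpp touched, so nothing guards this GC path against a later refactor of visit_edges or of the execution context's own visit_edges. Adding that snippet to the LibJS test suite, with the expectation that the second next() completes, would pin the lifetime rule the one-line fix encodes. The added line also deserves a why-comment, because a reader cannot tell from the code that the suspended context is the only thing keeping those values reachable: `// The suspended context (presumably its locals/registers) is reachable from nowhere else between next() calls; skipping it let the GC free memory the resumed generator still reads.` The body of visit_edges is complete within the hunk.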