RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 04:17:35 +00:00
Code Issues Activity Actions

LibJS: Keep GeneratorObject's stored execution context's internals alive

Browse source 
This would previously crash with a heap UAF when storing the result of
`yield 1` into `e` on the second `next` call:
```js
function* a() { const e = yield 1; }
b = a();
b.next();
gc();
b.next();
```
This commit is contained in:
Luke Wilde 2022-12-11 18:28:19 +00:00 committed by Linus Groh
parent 6431dd7904
commit 2f3ebce7c8
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
View file

@ -50,6 +50,7 @@ void GeneratorObject::visit_edges(Cell::Visitor& visitor)
Base::visit_edges(visitor);
visitor.visit(m_generating_function);
visitor.visit(m_previous_value);
m_execution_context.visit_edges(visitor);
}
// 27.5.3.2 GeneratorValidate ( generator, generatorBrand ), https://tc39.es/ecma262/#sec-generatorvalidate