LibJS: Keep GeneratorObject's stored execution context's internals alive

This would previously crash with a heap UAF when storing the result of `yield 1` into `e` on the second `next` call: ```js function* a() { const e = yield 1; } b = a(); b.next(); gc(); b.next(); ```
Author: https://github.com/Lubrsi Commit: https://github.com/SerenityOS/serenity/commit/2f3ebce7c8 Pull-request: https://github.com/SerenityOS/serenity/pull/16428 Reviewed-by: https://github.com/linusg Reviewed-by: https://github.com/trflynn89 ✅
2026-04-28 10:37:17 +02:00 · 2022-12-11 18:28:19 +00:00 · 2024-07-17 22:41:14 +09:00
parent 6431dd7904
commit 2f3ebce7c8
1 changed files with 1 additions and 0 deletions
--- a/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/GeneratorObject.cpp
@@ -50,6 +50,7 @@ void GeneratorObject::visit_edges(Cell::Visitor& visitor)
    Base::visit_edges(visitor);
    visitor.visit(m_generating_function);
    visitor.visit(m_previous_value);
+    m_execution_context.visit_edges(visitor);
 }

 // 27.5.3.2 GeneratorValidate ( generator, generatorBrand ), https://tc39.es/ecma262/#sec-generatorvalidate