git.kaiwu.me - njs.git/commit

]> git.kaiwu.me - njs.git/commit

projects / njs.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: e673ae4) | patch

author	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 21 Feb 2022 16:52:59 +0000 (16:52 +0000)
committer	Dmitry Volyntsev <xeioex@nginx.com>
	Mon, 21 Feb 2022 16:52:59 +0000 (16:52 +0000)
commit	ad48705bf1f04b4221a5f5b07715ac48b3160d53
tree	33ff2dfac19e090037888601c451ff373903d884	tree \| snapshot
parent	e673ae41a998d1391bd562edb2ed6d49db7cc716	commit \| diff

Fixed frame allocation from an awaited frame.

njs_function_frame_save() is used to save the awaited frame when "await"
instruction is encountered. The saving was done as a memcpy() of
existing runtime frame.

njs_function_frame_alloc() is used to alloc a new function frame, this
function tries to use a spare preallocated memory from the previous
frame first. Previously, this function might result in "use-after-free"
when invoked from a restored frame saved with njs_function_frame_save().
Because njs_function_frame_save() left pointers to the spare memory of
the original frame which may be already free when saved frame is
restored.

The fix is to erase fields for the spare memory from the saved frame.

This closes #469 issue on Github.

src/njs_function.c		diff \| blob \| history
test/js/async_recursive_large.t.js	[new file with mode: 0644]	blob
test/js/async_recursive_mid.t.js		diff \| blob \| history

njs upstream