From 56d1fa5db63d664a533ed25dbd929da7aa7d59db Mon Sep 17 00:00:00 2001
From: Haled Odat <8566042+HalidOdat@users.noreply.github.com>
Date: Sun, 1 Oct 2023 12:38:44 +0200
Subject: [PATCH 1/2] Truncate environment stack on non-caught native error
---
 boa_engine/src/vm/code_block.rs | 14 ++------------
 boa_engine/src/vm/mod.rs | 10 ++++++++++
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/boa_engine/src/vm/code_block.rs b/boa_engine/src/vm/code_block.rs
index 005a8d19985..16bf16f22d8 100644
--- a/boa_engine/src/vm/code_block.rs
+++ b/boa_engine/src/vm/code_block.rs
@@ -1347,6 +1347,8 @@ impl JsObject {
 ),
 );
 
+ let environment = context.vm.environments.current();
+
 if code.has_parameters_env_bindings() {
 last_env -= 1;
 context
@@ -1391,8 +1393,6 @@ impl JsObject {
 let argument_count = args.len();
 let parameters_count = code.params.as_ref().len();
 
- let has_binding_identifier = code.has_binding_identifier();
-
 context.vm.push_frame(
 CallFrame::new(code, script_or_module, Some(self.clone()))
 .with_argument_count(argument_count as u32)
@@ -1411,16 +1411,6 @@ impl JsObject {
 
 std::mem::swap(&mut environments, &mut context.vm.environments);
 
- let environment = if has_binding_identifier {
- environments.truncate(environments_len + 2);
- let environment = environments.pop();
- environments.pop();
- environment
- } else {
- environments.truncate(environments_len + 1);
- environments.pop()
- };
-
 let result = record
 .consume()
 .map_err(|err| err.inject_realm(context.realm().clone()))?;
diff --git a/boa_engine/src/vm/mod.rs b/boa_engine/src/vm/mod.rs
index ee3b2e8f7c1..61e4ae9fe40 100644
--- a/boa_engine/src/vm/mod.rs
+++ b/boa_engine/src/vm/mod.rs
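Review bot: `let environment = context.vm.environments.current();` in the first hunk deserves a why-comment, because the capture point is now load-bearing: the handle is taken right after what appears to be the function-environment push, since the third hunk (`@@ -1411`) no longer recovers it by truncating and popping `environments` after the run, and an uncaught native error now unwinds the environment stack to the frame's `env_fp` in `vm/mod.rs`, so the environment may already be gone from the stack by then. Suggested comment above the new line: `// Capture the function environment now: once the call returns the VM may already have unwound the environment stack (uncaught native errors truncate it to env_fp), so it can no longer be popped afterwards.` With the pop removed in the third hunk, `environments_len` seems to have lost its only visible use; if it is not read elsewhere in the method it should be dropped as well. The enclosing method starts before the first hunk and ends after the third.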
@@ -377,9 +377,16 @@ impl Context<'_> {
 match native_error.kind {
 #[cfg(feature = "fuzz")]
 JsNativeErrorKind::NoInstructionsRemain => {
+ self.vm
+ .environments
+ .truncate(self.vm.frame().env_fp as usize);
+ self.vm.stack.truncate(self.vm.frame().fp as usize);
 return CompletionRecord::Throw(err);
 }
 JsNativeErrorKind::RuntimeLimit => {
+ self.vm
+ .environments
+ .truncate(self.vm.frame().env_fp as usize);
 self.vm.stack.truncate(self.vm.frame().fp as usize);
 return CompletionRecord::Throw(err);
 }
@@ -394,6 +401,9 @@ impl Context<'_> {
 continue;
 }
 
+ self.vm
+ .environments
+ .truncate(self.vm.frame().env_fp as usize);
 self.vm.stack.truncate(self.vm.frame().fp as usize);
 return CompletionRecord::Throw(err);
 }
From 25ec2dcfaa0e419c2e04a345c8167d1c84fc2309 Mon Sep 17 00:00:00 2001
From: Haled Odat <8566042+HalidOdat@users.noreply.github.com>
Date: Sun, 1 Oct 2023 14:56:02 +0200
Subject: [PATCH 2/2] Add test
---
 boa_engine/src/vm/tests.rs | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/boa_engine/src/vm/tests.rs b/boa_engine/src/vm/tests.rs
index f4c70a44e8f..8d8f43a5a7b 100644
--- a/boa_engine/src/vm/tests.rs
+++ b/boa_engine/src/vm/tests.rs
@@ -357,3 +357,12 @@ fn empty_return_values() {
 "#}),
 ]);
 }
+
+#[test]
+fn truncate_environments_on_non_caught_native_error() {
+ let source = "with (new Proxy({}, {has: p => false})) {a}";
+ run_test_actions([
+ TestAction::assert_native_error(source, JsNativeErrorKind::Reference, "a is not defined"),
+ TestAction::assert_native_error(source, JsNativeErrorKind::Reference, "a is not defined"),
+ ]);
+}
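Review bot: The unwind sequence `self.vm.environments.truncate(self.vm.frame().env_fp as usize); self.vm.stack.truncate(self.vm.frame().fp as usize);` is now repeated verbatim in three throw arms (twice in this hunk, once more in the `@@ -394` hunk), each calling `self.vm.frame()` twice. A small helper on `Context` that unwinds both stacks in one place would stop a future arm from truncating one stack and forgetting the other, which is exactly the shape of the bug this commit fixes for environments (and, in the `fuzz` arm, for the value stack too). Reading `fp`/`env_fp` into locals first also ends the `frame()` borrow before the two mutations. The `match` and the loop around it begin and end outside these hunks.
```rust
/// Unwinds the value and environment stacks to the base of the current frame.
fn unwind_to_current_frame(&mut self) {
    let frame = self.vm.frame();
    let (fp, env_fp) = (frame.fp as usize, frame.env_fp as usize);
    self.vm.environments.truncate(env_fp);
    self.vm.stack.truncate(fp);
}

// … in each of the three throw arms, replacing the two truncate calls …
self.unwind_to_current_frame();
return CompletionRecord::Throw(err);
```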
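Review bot: In `truncate_environments_on_non_caught_native_error` the same `assert_native_error` action is listed twice with no comment, which reads like a copy-paste slip even though the second evaluation is the actual assertion: it only keeps failing with the same ReferenceError if the first uncaught error unwound the `with` environment instead of leaving it on the stack. Suggested comment above the `run_test_actions` call: `// Run the failing source twice: the second evaluation must produce the identical error, which only holds if the first uncaught error unwound the environment stack.` Documentation only, no code change proposed.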