From e9f08a78799fecbbe823377fe053133cd8acc3d5 Mon Sep 17 00:00:00 2001
From: Gergo Csizi
Date: Tue, 19 Nov 2024 14:52:33 +0100
Subject: [PATCH] =?UTF-8?q?Put=20reference=20on=20executable=20object's=20?= =?UTF-8?q?this=5Fbinding=20to=20avoid=20unwanted=20f=E2=80=A6=20(#5169)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…rees before exiting execution
This patch fixes #4870. The implementation is based on PR #4966, only resolved the conflicts and applied requested changes.
Co-authored-by: Martin Negyokru negyokru@inf.u-szeged.hu
JerryScript-DCO-1.0-Signed-off-by: Gergo Csizi gergocs@inf.u-szeged.hu
---
 .github/workflows/gh-actions.yml | 4 +-
 jerry-core/vm/opcodes.c | 3 +
 .../es.next/regression-test-issue-4870.js | 87 +++++++++++++++++++
 3 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 tests/jerry/es.next/regression-test-issue-4870.js

diff --git a/.github/workflows/gh-actions.yml b/.github/workflows/gh-actions.yml
index 023d7e482..d8db66135 100644
--- a/.github/workflows/gh-actions.yml
+++ b/.github/workflows/gh-actions.yml
@@ -171,7 +171,7 @@ jobs:
 - run: >-
 $RUNNER -q --jerry-tests --buildoptions=--stack-limit=0,--compile-flag=-fsanitize=address,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--compile-flag=-O2,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold
- --skip-list=parser-oom.js,parser-oom2.js,stack-limit.js,regression-test-issue-4901.js,regression-test-issue-4848.js,regression-test-issue-4890.js,regression-test-issue-2190.js,regression-test-issue-2258-2963.js,regression-test-issue-2448.js,regression-test-issue-2905.js,regression-test-issue-3785.js,proxy-evil-recursion.js,regression-test-issue-5101.js
+ --skip-list=parser-oom.js,parser-oom2.js,stack-limit.js,regression-test-issue-4870.js,regression-test-issue-4901.js,regression-test-issue-4848.js,regression-test-issue-4890.js,regression-test-issue-2190.js,regression-test-issue-2258-2963.js,regression-test-issue-2448.js,regression-test-issue-2905.js,regression-test-issue-3785.js,proxy-evil-recursion.js,regression-test-issue-5101.js
 ASAN_Tests_Debug:
 runs-on: ubuntu-latest
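Review bot: The `+ --skip-list=` line adds regression-test-issue-4870.js to the ASAN job's exclusions (the @@ -187 hunk does the same for ASAN_Tests_Debug) without recording why, and since the fix is a ref/deref on `frame_ctx.this_binding` in opcodes.c, the sanitizer runs are the ones most likely to detect a regression of #4870, so the exclusion needs a stated reason. A `#` comment cannot sit inside the `>-` folded scalar without becoming part of the argument, so place it on its own line above `- run: >-`, e.g. `# regression-test-issue-4870.js is skipped under ASAN/-m32 because <REASON-PLACEHOLDER>`. If the cause is the same sanitizer limitation as for the neighbouring entries, one comment covering the whole list is enough.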
@@ -187,7 +187,7 @@ jobs:
 - run: >-
 $RUNNER -q --jerry-tests --build-debug --buildoptions=--stack-limit=0,--compile-flag=-fsanitize=address,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--compile-flag=-O2,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold
- --skip-list=parser-oom.js,parser-oom2.js,stack-limit.js,regression-test-issue-4901.js,regression-test-issue-4848.js,regression-test-issue-4890.js,regression-test-issue-2190.js,regression-test-issue-2258-2963.js,regression-test-issue-2448.js,regression-test-issue-2905.js,regression-test-issue-3785.js,proxy-evil-recursion.js,regression-test-issue-5101.js
+ --skip-list=parser-oom.js,parser-oom2.js,stack-limit.js,regression-test-issue-4870.js,regression-test-issue-4901.js,regression-test-issue-4848.js,regression-test-issue-4890.js,regression-test-issue-2190.js,regression-test-issue-2258-2963.js,regression-test-issue-2448.js,regression-test-issue-2905.js,regression-test-issue-3785.js,proxy-evil-recursion.js,regression-test-issue-5101.js
 UBSAN_Tests:
 runs-on: ubuntu-latest
diff --git a/jerry-core/vm/opcodes.c b/jerry-core/vm/opcodes.c
index e80d93fbb..eaf1050aa 100644
--- a/jerry-core/vm/opcodes.c
+++ b/jerry-core/vm/opcodes.c
@@ -737,6 +737,7 @@ opfunc_resume_executable_object (vm_executable_object_t *executable_object_p, /*
 ecma_ref_if_object (*register_p++);
 }
+ ecma_ref_if_object (executable_object_p->frame_ctx.this_binding);
 ecma_ref_if_object (executable_object_p->iterator);
 JERRY_ASSERT (ECMA_EXECUTABLE_OBJECT_IS_SUSPENDED (executable_object_p));
@@ -770,6 +771,7 @@ opfunc_resume_executable_object (vm_executable_object_t *executable_object_p, /*
 /* All resources are released. */
 executable_object_p->extended_object.u.cls.u2.executable_obj_flags |= ECMA_EXECUTABLE_OBJECT_COMPLETED;
+ ecma_deref_if_object (executable_object_p->frame_ctx.this_binding);
 return result;
 }
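Review bot: In the @@ -770 hunk the added `ecma_deref_if_object (executable_object_p->frame_ctx.this_binding);` comes after the `/* All resources are released. */` comment and after the COMPLETED flag is set, so the comment is no longer accurate at the point where it is read; either move the deref above the comment or reword it to `/* All resources except the this_binding reference taken on resume are released. */`. The reference taken in the @@ -737 hunk is released only on the two paths visible here, the completed path in @@ -770 and the suspended path in @@ -798, and the body of opfunc_resume_executable_object between those hunks lies outside the diff, so any other return in between would leak the reference and is worth confirming. A comment next to the ref in @@ -737, `/* Keep this_binding alive while the executable object runs; released on completion and on suspend. */`, would document the pairing for future edits.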
@@ -798,6 +800,7 @@ opfunc_resume_executable_object (vm_executable_object_t *executable_object_p, /*
 ecma_deref_if_object (*register_p++);
 }
+ ecma_deref_if_object (executable_object_p->frame_ctx.this_binding);
 ecma_deref_if_object (executable_object_p->iterator);
 return result;
diff --git a/tests/jerry/es.next/regression-test-issue-4870.js b/tests/jerry/es.next/regression-test-issue-4870.js
new file mode 100644
index 000000000..579e53930
--- /dev/null
+++ b/tests/jerry/es.next/regression-test-issue-4870.js
@@ -0,0 +1,87 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+async function f() {
+ let arr = [0.000000];
+ let fuzz_v152 = arr;
+ let fuzz_v159 = fuzz_v152.__proto__;
+ fuzz_v152.valueOf = function* (fuzz_v166, fuzz_v167) {
+ while (arr) {
+ }
+ var fuzz_v172 = ~f;
+ arr >>= [1.100000];
+ return fuzz_v167;
+ };
+ arr.includes(arr, [340282346638528859811704183484516925440.000000], arr);
+ delete [10];
+ let fuzz_v253 = f.__proto__;
+ let fuzz_v256 = {
+ "D5FP8": f
+ };
+ arr["map"](f, new Object(true));
+ arr.flat();
+ let fuzz_v69 = false;
+ await this;
+ await f;
+ var fuzz_v43 = arr -= new Date(new String({
+ "findIndex": arr
+ }));
+ await this;
+ let fuzz_v286 = Symbol.reject();
+ await f;
+ await new Promise(f);
+ await new Promise(async function* (fuzz_v80) {
+ var fuzz_v82 = new Uint32Array(fuzz_v80, arr, [1.100000], fuzz_v80, fuzz_v80);
+ let fuzz_v96 = fuzz_v82.__proto__;
+ this.length = 4;
+ });
+ await new Promise(async function* (fuzz_v138, fuzz_v139) {
+ fuzz_v138.__proto__ = fuzz_v139;
+ let fuzz_v147 = function* (fuzz_v149, fuzz_v150, fuzz_v151, fuzz_v152) {
+ let fuzz_v165 = Reflect.apply(fuzz_v152, {
+ "findIndex": fuzz_v150
+ }, [{}]);
+ switch ({
+ includes: fuzz_v138,
+ set valueOf(fuzz_v175) {
+ fuzz_v150.valueOf = fuzz_v175;
+ return;
+ }
+ }) {
+ case [1.100000]:
+ throw arr;
+ break;
+ case 5643033980980220.000000:
+ let fuzz_v203 = String.prototype.trim.call(new String());
+ break;
+ default:
+ fuzz_v43.valueOf = fuzz_v150;
+ }
+ let fuzz_v214 = fuzz_v69;
+ let fuzz_v223 = Number.isInteger(2147483648);
+ };
+ var fuzz_v228 = f;
+ delete f.__proto__;
+ let fuzz_v237 = {};
+ });
+ await new Promise(f);
+ await new Promise(async function* (fuzz_v269, fuzz_v270, fuzz_v271) {
+ class fuzz_class273 extends f {
+
+ }
+ return arr;
+ });
+ await new Promise(fuzz_v286);
+}
+f(f, f);
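Review bot: The new test carries no comment saying what it reproduces, and as written it cannot run past `let fuzz_v286 = Symbol.reject();`: `Symbol.reject` is not a standard property, so the call throws a TypeError that rejects f's promise, and the three `await new Promise(async function* ...)` blocks and `await new Promise(fuzz_v286)` below it never execute. If the crash in #4870 is reached through the earlier `await this` / `await f` sequence, which the ref on `frame_ctx.this_binding` in opcodes.c suggests, that dead tail could be dropped and a header added: `// Regression test for #4870: the this binding of a suspended async function must stay alive across await; this file only has to run without crashing.`. The header should also state that the promise returned by `f(f, f);` is expected to reject, so a runner that reports unhandled rejections is not read as a regression.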