From db0256a97b794167c823a407058224e01c667f8c Mon Sep 17 00:00:00 2001
From: Artem Udovichenko <artem.udovichenko@huawei.com>
Date: Fri, 29 Jul 2022 14:02:24 +0300
Subject: [PATCH] Fix a bug with using raw pointer to object after GC

Change-Id: I17dcf15df44549244c1a3e385545ed4bf3dacba9
Signed-off-by: Artem Udovichenko <artem.udovichenko@huawei.com>
---
 runtime/intrinsics-inl.h | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/runtime/intrinsics-inl.h b/runtime/intrinsics-inl.h
index c07a47fec..c1f179462 100644
--- a/runtime/intrinsics-inl.h
+++ b/runtime/intrinsics-inl.h
@@ -1377,18 +1377,19 @@ INLINE_ECMA_INTRINSICS uint64_t DefineAsyncFunc(JSThread *thread, uint32_t metho
 // NOLINTNEXTLINE(misc-definitions-in-headers)
 INLINE_ECMA_INTRINSICS uint64_t DefineAsyncGeneratorFunc(JSThread *thread, uint32_t method_id, uint64_t env)
 {
-    auto *result = JSFunction::Cast(GetConstantPool(thread)->GetObjectFromCache(method_id).GetHeapObject());
-    ASSERT(result != nullptr);
+    JSMutableHandle<JSFunction> result(thread, GetConstantPool(thread)->GetObjectFromCache(method_id));
+    JSHandle<JSTaggedValue> lex_env(thread, JSTaggedValue(env));
+    ASSERT(!result.IsEmpty());
     if (!result->GetLexicalEnv().IsUndefined()) {
         auto res = SlowRuntimeStub::DefineAsyncGeneratorFunc(thread, result->GetCallTarget());
         if (res.IsException()) {
             return res.GetRawData();
         }
-        result = JSFunction::Cast(res.GetHeapObject());
+        result.Update(res);
         result->SetConstantPool(thread, JSTaggedValue(GetConstantPool(thread)));
     }
-    result->SetLexicalEnv(thread, JSTaggedValue(env));
-    return JSTaggedValue(result).GetRawData();
+    result->SetLexicalEnv(thread, lex_env.GetTaggedValue());
+    return result.GetTaggedValue().GetRawData();
 }
 
 // NOLINTNEXTLINE(misc-definitions-in-headers)
@@ -1693,6 +1694,7 @@ INLINE_ECMA_INTRINSICS uint64_t DefineClassWithBuffer(JSThread *thread, uint32_t
                                                       uint64_t lexenv, uint64_t proto)
 {
     auto *constpool = GetConstantPool(thread);
+    JSHandle<JSTaggedValue> lex_env(thread, JSTaggedValue(lexenv));
     JSFunction *classTemplate = JSFunction::Cast(constpool->GetObjectFromCache(method_id).GetTaggedObject());
     ASSERT(classTemplate != nullptr);
 
@@ -1712,7 +1714,7 @@ INLINE_ECMA_INTRINSICS uint64_t DefineClassWithBuffer(JSThread *thread, uint32_t
 
     ASSERT(res.IsClassConstructor());
     JSFunction *cls = JSFunction::Cast(res.GetTaggedObject());
-    cls->SetLexicalEnv(thread, JSTaggedValue(lexenv));
+    cls->SetLexicalEnv(thread, lex_env.GetTaggedValue());
     SlowRuntimeStub::SetClassConstructorLength(thread, res, cls->GetMethod()->GetLength());
     return res.GetRawData();
 }
-- 
Gitee