Fix adding entries to the internal buffer of a Map object (#3805)

When appending the key/value pair separately, garbage collection could be triggered before the value is added, which could cause problems during marking. This patch changes insertion to add both values at the same time, which prevents partial entries from being present in the internal buffer. Fixes #3804. JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai [email protected]
jerryscript-project · May 28, 2020 · c2b6621 · c2b6621
1 parent 7a20150
commit c2b6621
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/jerry-core/ecma/operations/ecma-container-object.c b/jerry-core/ecma/operations/ecma-container-object.c
@@ -64,11 +64,14 @@ ecma_op_internal_buffer_append (ecma_collection_t *container_p, /**< internal co
 {
   JERRY_ASSERT (container_p != NULL);
 
-  ecma_collection_push_back (container_p, ecma_copy_value_if_not_object (key_arg));
-
   if (lit_id == LIT_MAGIC_STRING_WEAKMAP_UL || lit_id == LIT_MAGIC_STRING_MAP_UL)
   {
-    ecma_collection_push_back (container_p, ecma_copy_value_if_not_object (value_arg));
+    ecma_value_t values[] = { ecma_copy_value_if_not_object (key_arg), ecma_copy_value_if_not_object (value_arg) };
+    ecma_collection_append (container_p, values, 2);
+  }
+  else
+  {
+    ecma_collection_push_back (container_p, ecma_copy_value_if_not_object (key_arg));
   }
 
   ECMA_CONTAINER_SET_SIZE (container_p, ECMA_CONTAINER_GET_SIZE (container_p) + 1);