fix two gc bugs

2026-02-09 18:32:41 -06:00
parent 7f691fd52b
commit c0b4e70eb2
3 changed files with 343 additions and 218 deletions
--- a/source/mach.c
+++ b/source/mach.c
@@ -2289,6 +2289,7 @@ JSValue JS_CallRegisterVM(JSContext *ctx, JSCodeRegister *code,
    int b = MACH_GET_B(instr);
    int c = MACH_GET_C(instr);

+
    switch (op) {
    case MACH_NOP:
      break;
--- a/source/runtime.c
+++ b/source/runtime.c
@@ -2515,8 +2515,16 @@ static int js_intrinsic_array_push (JSContext *ctx, JSValue *arr_ptr, JSValue va
  }

  if (arr->len >= js_array_cap (arr)) {
-    if (js_array_grow (ctx, arr_ptr, arr->len + 1) < 0)
+    /* Root val across js_array_grow which can trigger GC */
+    JSGCRef val_ref;
+    JS_PushGCRef (ctx, &val_ref);
+    val_ref.val = val;
+    if (js_array_grow (ctx, arr_ptr, arr->len + 1) < 0) {
+      JS_PopGCRef (ctx, &val_ref);
      return -1;
+    }
+    val = val_ref.val;
+    JS_PopGCRef (ctx, &val_ref);
    arr = JS_VALUE_GET_ARRAY (*arr_ptr);  /* re-chase after grow */
  }