Fix double literal free. (#2535)

Fixes #2531. JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
2018-10-18 01:17:53 +02:00
parent 3afc4b0b85
commit 5060579b90
3 changed files with 43 additions and 2 deletions
@@ -75,7 +75,7 @@ matrix:

    - env:
        - JOBNAME="ASAN Tests"
-        - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js --buildoptions=--compile-flag=-fsanitize=address,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--compile-flag=-O2,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
+        - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js,parser-oom2.js --buildoptions=--compile-flag=-fsanitize=address,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--compile-flag=-O2,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
        - ASAN_OPTIONS=detect_stack_use_after_return=1:check_initialization_order=true:strict_init_order=true
        - TIMEOUT=600
      compiler: gcc-5
@@ -86,7 +86,7 @@ matrix:

    - env:
        - JOBNAME="UBSAN Tests"
-        - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js --buildoptions=--compile-flag=-fsanitize=undefined,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
+        - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js,parser-oom2.js --buildoptions=--compile-flag=-fsanitize=undefined,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
        - UBSAN_OPTIONS=print_stacktrace=1
        - TIMEOUT=600
      compiler: gcc-5
@@ -204,6 +204,8 @@ parser_compute_indicies (parser_context_t *context_p, /**< context */
        if (!(literal_p->status_flags & LEXER_FLAG_SOURCE_PTR))
        {
          jmem_heap_free_block ((void *) char_p, literal_p->prop.length);
+          /* This literal should not be freed even if an error is encountered later. */
+          literal_p->status_flags |= LEXER_FLAG_SOURCE_PTR;
        }
      }
    }
@@ -0,0 +1,39 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/* String which is 32 bytes long. */
+var str = "'\\t' +'\\t' +'\\t'+'\\t'+'\\t'+'\\t'+";
+
+for (var i = 0; i < 10; i++) {
+  str = str + str;
+}
+
+str = "(function() { return " + str + "1 })";
+
+/* Eat memory. */
+var array = [];
+
+try
+{
+  for (var i = 0; i < 90; i++)
+  {
+    array[i] = eval(str);
+  }
+  assert (false);
+}
+catch (err)
+{
+  array = null;
+  assert (err === null);
+}