From 5060579b909fa055bf8149219430308235a8d19a Mon Sep 17 00:00:00 2001
From: Zoltan Herczeg
Date: Thu, 18 Oct 2018 01:17:53 +0200
Subject: [PATCH] Fix double literal free. (#2535)

Fixes #2531.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
---
 .travis.yml | 4 ++--
 jerry-core/parser/js/js-parser.c | 2 ++
 tests/jerry/parser-oom2.js | 39 ++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 tests/jerry/parser-oom2.js

diff --git a/.travis.yml b/.travis.yml
index 8ce9861ff..7d7ad257e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -75,7 +75,7 @@ matrix:
 - env:
 - JOBNAME="ASAN Tests"
- - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js --buildoptions=--compile-flag=-fsanitize=address,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--compile-flag=-O2,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
+ - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js,parser-oom2.js --buildoptions=--compile-flag=-fsanitize=address,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--compile-flag=-O2,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
 - ASAN_OPTIONS=detect_stack_use_after_return=1:check_initialization_order=true:strict_init_order=true
 - TIMEOUT=600
 compiler: gcc-5
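Review bot: The skip-list change in the ASAN job's OPTS line excludes the new regression test from the one configuration most likely to catch a double free, so the fix for #2531 in js-parser.c is never exercised under a sanitizer. The same OPTS line builds with `--system-allocator=on`, which is presumably why the test is skipped there (it expects the parser's own heap to run out, which a system-allocator build may never do), but that reason is not recorded anywhere in the file. A comment above the job would save the next reader from re-deriving it, e.g. `# parser-oom*.js expect the fixed-size jerry heap to run out; skipped here because this job builds with --system-allocator=on`. If an ASAN configuration without the system allocator exists, running these two tests there would give the double-free fix actual sanitizer coverage.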
@@ -86,7 +86,7 @@ matrix:
 - env:
 - JOBNAME="UBSAN Tests"
- - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js --buildoptions=--compile-flag=-fsanitize=undefined,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
+ - OPTS="--quiet --jerry-tests --jerry-test-suite --skip-list=parser-oom.js,parser-oom2.js --buildoptions=--compile-flag=-fsanitize=undefined,--compile-flag=-m32,--compile-flag=-fno-omit-frame-pointer,--compile-flag=-fno-common,--debug,--system-allocator=on,--linker-flag=-fuse-ld=gold"
 - UBSAN_OPTIONS=print_stacktrace=1
 - TIMEOUT=600
 compiler: gcc-5
diff --git a/jerry-core/parser/js/js-parser.c b/jerry-core/parser/js/js-parser.c
index ec2198f4d..9fdde53d8 100644
--- a/jerry-core/parser/js/js-parser.c
+++ b/jerry-core/parser/js/js-parser.c
@@ -204,6 +204,8 @@ parser_compute_indicies (parser_context_t *context_p, /**< context */
 if (!(literal_p->status_flags & LEXER_FLAG_SOURCE_PTR))
 {
 jmem_heap_free_block ((void *) char_p, literal_p->prop.length);
+ /* This literal should not be freed even if an error is encountered later. */
+ literal_p->status_flags |= LEXER_FLAG_SOURCE_PTR;
 }
 }
 }
diff --git a/tests/jerry/parser-oom2.js b/tests/jerry/parser-oom2.js
new file mode 100644
index 000000000..7886cb49d
--- /dev/null
+++ b/tests/jerry/parser-oom2.js
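Review bot: After `jmem_heap_free_block ((void *) char_p, literal_p->prop.length);` the literal presumably still holds the pointer char_p was copied from (the load is outside this hunk), and the new `LEXER_FLAG_SOURCE_PTR` bit now marks a block that has already been released rather than one that points into the source text, so the flag only suppresses the second free; any later read of that pointer field on the error path would still touch freed memory. If nothing reads the field again, that invariant deserves to be written down next to the flag update, e.g. extend the added comment to `/* The buffer is freed; the flag only stops the error path from freeing it again, nothing may read the pointer after this point. */`, or clear the pointer field alongside the flag so a stale read fails loudly. Setting the flag after the free rather than before is fine only because jmem_heap_free_block cannot fail part-way, which is worth a word as well. parser_compute_indicies begins before and ends after this hunk, so where char_p is loaded and where the error-path cleanup frees literals are not visible here.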
@@ -0,0 +1,39 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/* String which is 32 bytes long. */
+var str = "'\\t' +'\\t' +'\\t'+'\\t'+'\\t'+'\\t'+";
+
+for (var i = 0; i < 10; i++) {
+ str = str + str;
+}
+
+str = "(function() { return " + str + "1 })";
+
+/* Eat memory. */
+var array = [];
+
+try
+{
+ for (var i = 0; i < 90; i++)
+ {
+ array[i] = eval(str);
+ }
+ assert (false);
+}
+catch (err)
+{
+ array = null;
+ assert (err === null);
+}
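Review bot: The new test records neither what it regresses nor what it assumes: `assert (err === null)` relies on the engine reporting a parser out-of-memory condition by throwing `null`, and the `assert (false)` after the loop requires that 90 evals of a function built from a 32 KiB string literal chain actually exhaust the heap, which holds for a bounded jerry heap but not necessarily for the `--system-allocator=on` builds this commit skips it in. A header comment would make both explicit, e.g. `/* Regression test for #2531 (double free of a literal buffer in parser_compute_indicies when a later allocation in the same parse fails). Needs the fixed-size jerry heap to run out; parser OOM is reported as a thrown null. */`. The `/* Eat memory. */` comment could also say that the array keeps every parsed function alive on purpose so memory is not reclaimed between iterations, since that is the whole mechanism of the test.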