YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed memory leak in %TypedArray%.prototype object's 'sort' routine. (#3981)

Browse Source 
The buffer of values were not freed properly when an exception was
thrown in the compare function.

Fixes #3975

JerryScript-DCO-1.0-Signed-off-by: László Langó lango@inf.u-szeged.hu
This commit is contained in:
László Langó
2020-07-06 13:42:27 +02:00
committed by GitHub
parent b6183baf84
commit 7353b253ab
2 changed files with 48 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c
+8 -3
View File
@@ -1506,6 +1506,7 @@ ecma_builtin_typedarray_prototype_sort (ecma_value_t this_arg, /**< this argumen
return ecma_copy_value (this_arg); return ecma_copy_value (this_arg);
} }
ecma_value_t ret_value = ECMA_VALUE_EMPTY;
JMEM_DEFINE_LOCAL_ARRAY (values_buffer, info.length, ecma_value_t); JMEM_DEFINE_LOCAL_ARRAY (values_buffer, info.length, ecma_value_t);
uint32_t byte_index = 0, buffer_index = 0; uint32_t byte_index = 0, buffer_index = 0;
@@ -1533,9 +1534,10 @@ ecma_builtin_typedarray_prototype_sort (ecma_value_t this_arg, /**< this argumen
if (ECMA_IS_VALUE_ERROR (sort_value)) if (ECMA_IS_VALUE_ERROR (sort_value))
{ {
return sort_value; ret_value = sort_value;
} }
else
{
JERRY_ASSERT (sort_value == ECMA_VALUE_EMPTY); JERRY_ASSERT (sort_value == ECMA_VALUE_EMPTY);
ecma_typedarray_setter_fn_t typedarray_setter_cb = ecma_get_typedarray_setter_fn (info.id); ecma_typedarray_setter_fn_t typedarray_setter_cb = ecma_get_typedarray_setter_fn (info.id);
@@ -1555,6 +1557,9 @@ ecma_builtin_typedarray_prototype_sort (ecma_value_t this_arg, /**< this argumen
JERRY_ASSERT (buffer_index == info.length); JERRY_ASSERT (buffer_index == info.length);
ret_value = ecma_copy_value (this_arg);
}
/* Free values that were copied to the local array. */ /* Free values that were copied to the local array. */
for (uint32_t index = 0; index < info.length; index++) for (uint32_t index = 0; index < info.length; index++)
{ {
@@ -1563,7 +1568,7 @@ ecma_builtin_typedarray_prototype_sort (ecma_value_t this_arg, /**< this argumen
JMEM_FINALIZE_LOCAL_ARRAY (values_buffer); JMEM_FINALIZE_LOCAL_ARRAY (values_buffer);
return ecma_copy_value (this_arg); return ret_value;
} /* ecma_builtin_typedarray_prototype_sort */ } /* ecma_builtin_typedarray_prototype_sort */
/** /**
tests/jerry/es.next/regression-test-issue-3975.js
+24
View File
@@ -0,0 +1,24 @@
// Copyright JS Foundation and other contributors, http://js.foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
a = 10
b = new Uint8Array(a)
function c() { d }
try {
b.sort(c);
assert(false);
} catch (e) {
assert(e instanceof ReferenceError);
}