From 9c7b96878b53dfbb63195a6ca739316936b291c7 Mon Sep 17 00:00:00 2001
From: Robert Fancsik
Date: Wed, 6 Mar 2019 18:23:57 +0100
Subject: [PATCH] Iterated object should be marked during GC (#2785)
This patch fixes #2783
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
---
 jerry-core/ecma/base/ecma-gc.c | 7 +++++
 .../es2015/regression-test-issue-2783.js | 30 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 tests/jerry/es2015/regression-test-issue-2783.js
diff --git a/jerry-core/ecma/base/ecma-gc.c b/jerry-core/ecma/base/ecma-gc.c
index 630ae167b..3a19aba3c 100644
--- a/jerry-core/ecma/base/ecma-gc.c
+++ b/jerry-core/ecma/base/ecma-gc.c
@@ -372,6 +372,13 @@ ecma_gc_mark (ecma_object_t *object_p) /**< object to mark from */
 #ifndef CONFIG_DISABLE_ES2015_ITERATOR_BUILTIN
 case ECMA_PSEUDO_ARRAY_ITERATOR:
 {
+ ecma_object_t *iterated_obj_p = ECMA_GET_POINTER (ecma_object_t,
+ ext_object_p->u.pseudo_array.u2.iterated_value_cp);
+
+ if (iterated_obj_p != NULL)
+ {
+ ecma_gc_set_object_visited (iterated_obj_p);
+ }
 break;
 }
 #endif /* !CONFIG_DISABLE_ES2015_ITERATOR_BUILTIN */
diff --git a/tests/jerry/es2015/regression-test-issue-2783.js b/tests/jerry/es2015/regression-test-issue-2783.js
new file mode 100644
index 000000000..a6a500c40
--- /dev/null
+++ b/tests/jerry/es2015/regression-test-issue-2783.js
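Review bot: The added marking in the `ECMA_PSEUDO_ARRAY_ITERATOR` case carries no comment explaining why the iterated object has to be visited here, and the reason is not obvious from the switch alone. From the visible lines the iterator keeps its target only as the compressed pointer `u2.iterated_value_cp`, so presumably nothing else in the mark pass reaches it and a collection could free the array while the iterator still points at it, leaving a dangling pointer. I would add `/* The iterator holds the iterated object only via iterated_value_cp; mark it so it cannot be freed while the iterator is alive. */` above the `ECMA_GET_POINTER` call, and note next to the `NULL` check which state (presumably an exhausted iterator) leaves the field empty. The switch and `ecma_gc_mark` continue outside the hunk, so whether other pseudo-array kinds that keep an object in an internal field have the same gap cannot be judged from here.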
@@ -0,0 +1,30 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+var id_0;
+$(encodeURIComponent);
+function $ ( ) { }
+array = [ $, $, $, $, $, $, $] ;
+[0, 0, 0].forEach(function(e) {Object.defineProperty(array, e, {'get' : Int32Array})})
+iterator = array.entries();
+var id_2 = [ ];
+var id_3 = [ ];
+var id_4 ;
+for (var i ; i < 1000000; i++) {
+ try {
+ array = iterator.next();
+ $(Uint8ClampedArray.$[$])
+ } catch (e) { $(e instanceof ReferenceError) }
+}
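Review bot: The loop header `for (var i ; i < 1000000; i++)` leaves `i` undefined, so `i < 1000000` is false on the first check and the body with `iterator.next()` never runs. As written the file only creates the iterator over `array`; it never replaces the remaining reference to the array and then steps the iterator, which is presumably the situation the GC change protects against, and it asserts nothing because `$` is an empty function. If the reproducer has to stay as the fuzzer produced it, I would keep it and add a small deterministic case beside it that starts with `for (var i = 0; i < 1000000; i++) {`, so that `array = iterator.next();` actually executes, and that checks the returned entry. Whether the unmodified file still fails on a build without the fix is not visible from this page.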