Fix error handling in scanner when in case of OOM

rerobika · rerobika · commit 889b5769769d · 2020-05-25T16:08:55.000+02:00
This patch fixes jerryscript-project#3786 and fixes jerryscript-project#3788. JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
diff --git a/jerry-core/parser/js/js-scanner.c b/jerry-core/parser/js/js-scanner.c
@@ -3193,7 +3193,7 @@ scanner_scan_all (parser_context_t *context_p, /**< context */
     }
     PARSER_CATCH
     {
-      JERRY_ASSERT (context_p->error == PARSER_ERR_NO_ERROR);
+      JERRY_ASSERT (context_p->error == PARSER_ERR_NO_ERROR || context_p->error == PARSER_ERR_OUT_OF_MEMORY);
 
       while (scanner_context.active_literal_pool_p != NULL)
       {
@@ -3214,6 +3214,14 @@ scanner_scan_all (parser_context_t *context_p, /**< context */
   PARSER_TRY_END
 
   context_p->status_flags = scanner_context.context_status_flags;
+
+  if (JERRY_UNLIKELY (context_p->error == PARSER_ERR_OUT_OF_MEMORY))
+  {
+    parser_stack_free (context_p);
+    scanner_cleanup (context_p);
+    return;
+  }
+
   scanner_reverse_info_list (context_p);
 
 #if ENABLED (JERRY_PARSER_DUMP_BYTE_CODE)
diff --git a/tests/jerry/es2015/regression-test-issue-3786.js b/tests/jerry/es2015/regression-test-issue-3786.js
@@ -0,0 +1,50 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var oom_reached = false;
+
+function main() {
+  var v2 = new Float64Array(63797);
+  var v4 = "d".constructor;
+  var v6 = [1337,1337,1337,1337];
+  var v7 = [];
+  var v8 = {constructor:v6,a:v7};
+  var v9 = v8.a;
+  var v12 = 0;
+  v9.toString = v4;
+  var v14 = new Int16Array();
+  do {
+      function v16(v17,v18,v19) {
+          'use strict'
+          var v20 = Int16Array.toLocaleString();
+          try {
+              var v22 = eval(v20);
+              assert(false)
+          } catch (e) {
+            if (e === null) {
+                oom_reached = true;
+                return
+              }
+            assert(e instanceof SyntaxError);
+          }
+      }
+      var v24 = new Promise(v16);
+      var v25 = v12 + 1;
+      v12 = v25;
+      v7[v25] = v14;
+  } while (v12 < 1337);
+}
+main();
+
+assert(oom_reached);
diff --git a/tests/jerry/es2015/regression-test-issue-3788.js b/tests/jerry/es2015/regression-test-issue-3788.js
@@ -0,0 +1,49 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var oom_reached = false;
+
+function main() {
+  var v2 = [13.37,13.37];
+  var v4 = [1337,1337,1337];
+  var v5 = [parseFloat,parseFloat,v2];
+  var v8 = new Float64Array(63797);
+  var v10 = "d".constructor;
+  var v12 = [1337,1337,1337,1337];
+  var v13 = [];
+  var v14 = {constructor:v12,a:v13};
+  var v15 = v14.a;
+  var v18 = 0;
+  v15.toString = v10;
+  var v20 = new Int16Array();
+  do {
+      var v25 = String.fromCharCode(1337,128);
+      try {
+        var v26 = eval(v25);
+        assert(false);
+      } catch(v27) {
+        if (v27 === null) {
+          oom_reached = true;
+          return
+        }
+        assert(v27 instanceof SyntaxError);
+      }
+      var v28 = v18 + 1;
+      v18 = v28;
+      v13[v28] = v20;
+  } while (v18 < 1337);
+}
+main();
+
+assert(oom_reached);
