diff --git a/jerry-core/parser/js/js-scanner.c b/jerry-core/parser/js/js-scanner.c index 45f643423b..f581f74be8 100644 --- a/jerry-core/parser/js/js-scanner.c +++ b/jerry-core/parser/js/js-scanner.c @@ -3193,7 +3193,7 @@ scanner_scan_all (parser_context_t *context_p, /**< context */ } PARSER_CATCH { - JERRY_ASSERT (context_p->error == PARSER_ERR_NO_ERROR); + JERRY_ASSERT (context_p->error == PARSER_ERR_NO_ERROR || context_p->error == PARSER_ERR_OUT_OF_MEMORY); while (scanner_context.active_literal_pool_p != NULL) { @@ -3214,6 +3214,14 @@ scanner_scan_all (parser_context_t *context_p, /**< context */ PARSER_TRY_END context_p->status_flags = scanner_context.context_status_flags; + + if (JERRY_UNLIKELY (context_p->error == PARSER_ERR_OUT_OF_MEMORY)) + { + parser_stack_free (context_p); + scanner_cleanup (context_p); + return; + } + scanner_reverse_info_list (context_p); #if ENABLED (JERRY_PARSER_DUMP_BYTE_CODE) diff --git a/tests/jerry/es2015/regression-test-issue-3786.js b/tests/jerry/es2015/regression-test-issue-3786.js new file mode 100644 index 0000000000..126e714021 --- /dev/null +++ b/tests/jerry/es2015/regression-test-issue-3786.js @@ -0,0 +1,50 @@ +// Copyright JS Foundation and other contributors, http://js.foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +var oom_reached = false; + +function main() { + var v2 = new Float64Array(63797); + var v4 = "d".constructor; + var v6 = [1337,1337,1337,1337]; + var v7 = []; + var v8 = {constructor:v6,a:v7}; + var v9 = v8.a; + var v12 = 0; + v9.toString = v4; + var v14 = new Int16Array(); + do { + function v16(v17,v18,v19) { + 'use strict' + var v20 = Int16Array.toLocaleString(); + try { + var v22 = eval(v20); + assert(false) + } catch (e) { + if (e === null) { + oom_reached = true; + return + } + assert(e instanceof SyntaxError); + } + } + var v24 = new Promise(v16); + var v25 = v12 + 1; + v12 = v25; + v7[v25] = v14; + } while (v12 < 1337); +} +main(); + +assert(oom_reached); diff --git a/tests/jerry/es2015/regression-test-issue-3788.js b/tests/jerry/es2015/regression-test-issue-3788.js new file mode 100644 index 0000000000..5b54192573 --- /dev/null +++ b/tests/jerry/es2015/regression-test-issue-3788.js @@ -0,0 +1,49 @@ +// Copyright JS Foundation and other contributors, http://js.foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +var oom_reached = false; + +function main() { + var v2 = [13.37,13.37]; + var v4 = [1337,1337,1337]; + var v5 = [parseFloat,parseFloat,v2]; + var v8 = new Float64Array(63797); + var v10 = "d".constructor; + var v12 = [1337,1337,1337,1337]; + var v13 = []; + var v14 = {constructor:v12,a:v13}; + var v15 = v14.a; + var v18 = 0; + v15.toString = v10; + var v20 = new Int16Array(); + do { + var v25 = String.fromCharCode(1337,128); + try { + var v26 = eval(v25); + assert(false); + } catch(v27) { + if (v27 === null) { + oom_reached = true; + return + } + assert(v27 instanceof SyntaxError); + } + var v28 = v18 + 1; + v18 = v28; + v13[v28] = v20; + } while (v18 < 1337); +} +main(); + +assert(oom_reached);