[parser] Clear scope_snapshot_ upon parser destruction to avoid use-after-(recent)free

|scope_snapshot_| might not have been cleared if there was a parser error between setting the snapshot and consuming it. Explicitly clear it at the end of parsing for that case. Otherwise Scope::Snapshot's destructor will possibly write into the already freed zone. Bug: chromium:909976 Change-Id: I8469d11f04e7f71528be5cba5663c652cd7eacb2 Reviewed-on: https://chromium-review.googlesource.com/c/1354880 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#57938}

[parser] Clear scope_snapshot_ upon parser destruction to avoid use-after-(recent)free
|scope_snapshot_| might not have been cleared if there was a parser error between setting the snapshot and consuming it. Explicitly clear it at the end of parsing for that case. Otherwise Scope::Snapshot's destructor will possibly write into the already freed zone. Bug: chromium:909976 Change-Id: I8469d11f04e7f71528be5cba5663c652cd7eacb2 Reviewed-on: https://chromium-review.googlesource.com/c/1354880 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#57938}
4b92b0f8 · Toon Verwaest · Commit Bot · bb22e322 · 4b92b0f8 · 4b92b0f8
Commit 4b92b0f8 authored Nov 29, 2018 by Toon Verwaest Committed by Commit Bot Nov 29, 2018
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

scopes.h src/ast/scopes.h +4 -2

parser-base.h src/parsing/parser-base.h +3 -2

No files found.
--- a/src/ast/scopes.h
+++ b/src/ast/scopes.h
@@ -128,7 +128,9 @@ class V8_EXPORT_PRIVATE Scope : public NON_EXPORTED_BASE(ZoneObject) {
    Snapshot()
        : outer_scope_and_calls_eval_(nullptr, false),
          top_unresolved_(),
-          top_local_() {}
+          top_local_() {
+      DCHECK(IsCleared());
+    }
    inline explicit Snapshot(Scope* scope);

    ~Snapshot() {
@@ -168,7 +170,6 @@ class V8_EXPORT_PRIVATE Scope : public NON_EXPORTED_BASE(ZoneObject) {
      return outer_scope_and_calls_eval_.GetPointer() == nullptr;
    }

-   private:
    void Clear() {
      outer_scope_and_calls_eval_.SetPointer(nullptr);
 #ifdef DEBUG
@@ -179,6 +180,7 @@ class V8_EXPORT_PRIVATE Scope : public NON_EXPORTED_BASE(ZoneObject) {
 #endif
    }

+   private:
    // During tracking calls_eval caches whether the outer scope called eval.
    // Upon move assignment we store whether the new inner scope calls eval into
    // the move target calls_eval bit, and restore calls eval on the outer

--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@@ -263,12 +263,12 @@ class ParserBase {
    pointer_buffer_.reserve(128);
  }

+  ~ParserBase() { scope_snapshot_.Clear(); }
+
 #define ALLOW_ACCESSORS(name)                           \
  bool allow_##name() const { return allow_##name##_; } \
  void set_allow_##name(bool allow) { allow_##name##_ = allow; }

-  void set_rewritable_length(int i) { rewritable_length_ = i; }
-
  ALLOW_ACCESSORS(natives);
  ALLOW_ACCESSORS(harmony_public_fields);
  ALLOW_ACCESSORS(harmony_static_fields);
@@ -279,6 +279,7 @@ class ParserBase {

 #undef ALLOW_ACCESSORS

+  void set_rewritable_length(int i) { rewritable_length_ = i; }
  V8_INLINE bool has_error() const { return scanner()->has_parser_error(); }
  bool allow_harmony_numeric_separator() const {
    return scanner()->allow_harmony_numeric_separator();