MSFT:18171347 Parser's Temporary Guest Arena leaks in case of modules with Regex patterns.

Author: Atul Katti

lib/Parser/Parse.cpp

@@ -82,6 +82,7 @@ Parser::Parser(Js::ScriptContext* scriptContext, BOOL strictMode, PageAllocator
     m_doingFastScan(false),
 #endif
     m_nextBlockId(0),
+    m_tempGuestArenaReleased(false),
     m_tempGuestArena(scriptContext->GetTemporaryGuestAllocator(_u("ParserRegex")), scriptContext->GetRecycler()),
     // use the GuestArena directly for keeping the RegexPattern* alive during byte code generation
     m_registeredRegexPatterns(m_tempGuestArena->GetAllocator()),
@@ -155,11 +156,7 @@ Parser::Parser(Js::ScriptContext* scriptContext, BOOL strictMode, PageAllocator
 
 Parser::~Parser(void)
 {
-    m_registeredRegexPatterns.Reset();
-    if (m_scriptContext != nullptr)
-    {
-        m_scriptContext->ReleaseTemporaryGuestAllocator(m_tempGuestArena);
-    }
+    this->ReleaseTemporaryGuestArena();
 
 #if ENABLE_BACKGROUND_PARSING
     if (this->m_hasParallelJob)
@@ -13909,6 +13906,23 @@ void Parser::ProcessCapturedNames(ParseNodeFnc* pnodeFnc)
     }
 }
 
+void Parser::ReleaseTemporaryGuestArena()
+{
+    // In case of modules the Parser lives longer than the temporary Guest Arena. We may have already released the arena explicitly.
+    if (!m_tempGuestArenaReleased)
+    {
+        // The regex patterns list has references to the temporary Guest Arena. Reset it first.
+        m_registeredRegexPatterns.Reset();
+
+        if (this->m_scriptContext != nullptr)
+        {
+            this->m_scriptContext->ReleaseTemporaryGuestAllocator(m_tempGuestArena);
+        }
+
+        m_tempGuestArenaReleased = true;
+    }
+}
+
 bool Parser::IsCreatingStateCache()
 {
     return (((this->m_grfscr & fscrCreateParserState) == fscrCreateParserState)

lib/Parser/Parse.h

@@ -194,7 +194,7 @@ class Parser
     ~Parser(void);
 
     Js::ScriptContext* GetScriptContext() const { return m_scriptContext; }
-
+    void ReleaseTemporaryGuestArena();
     bool IsCreatingStateCache();
 
 #if ENABLE_BACKGROUND_PARSING
@@ -273,6 +273,7 @@ class Parser
     bool                m_isInBackground;
     bool                m_doingFastScan;
 #endif
+    bool                m_tempGuestArenaReleased;
     int                 m_nextBlockId;
 
     AutoRecyclerRootPtr<Js::TempArenaAllocatorWrapper<true>> m_tempGuestArena;
@@ -1153,5 +1154,4 @@ class Parser
 public:
     charcount_t GetSourceIchLim() { return m_sourceLim; }
     static BOOL NodeEqualsName(ParseNodePtr pnode, LPCOLESTR sz, uint32 cch);
-
 };

lib/Runtime/Language/SourceTextModuleRecord.cpp

@@ -915,6 +915,11 @@ namespace Js
                 childModuleRecord->GenerateRootFunction();
             });
         }
+
+        if (this->parser != nullptr)
+        {
+            this->parser->ReleaseTemporaryGuestArena();
+        }
     }
 
     Var SourceTextModuleRecord::ModuleEvaluation()

test/es6module/module-functionality.js

@@ -350,6 +350,19 @@ var tests = [
             testRunner.LoadModule(functionBody, 'samethread');
         }
     },
+    {
+        name: "OS18171347 - Module's parser leaks temporary Guest Arena allocator when module has a regex pattern.",
+        body: function() {
+            testRunner.LoadModule(` /x/ ;`, 'samethread');
+
+            try
+            {
+                // syntax error
+                testRunner.LoadModule(` /x/ ; for(i=0);`, 'samethread', {shouldFail:true});
+            }
+            catch(e){}
+        }
+    },
 ];
 
 testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });