[MERGE #5496 @atulkatti] MSFT:18321215 Typed array functions need to release the guest arena if errors happen.

Atul Katti · Atul Katti · commit 6775a108a817 · 2018-07-23T09:57:12.000-07:00
Merge pull request #5496 from atulkatti:Bug18321215.TypedArray.ReleaseGuestArena.1
diff --git a/lib/Runtime/Base/ScriptContext.h b/lib/Runtime/Base/ScriptContext.h
@@ -2034,10 +2034,16 @@ namespace Js
     ArenaAllocator * allocator = nullptr;
 
 #define ACQUIRE_TEMP_GUEST_ALLOCATOR(allocator, scriptContext, name) \
-    tempGuest##allocator = scriptContext->GetTemporaryGuestAllocator(name); \
-    allocator = tempGuest##allocator->GetAllocator();
+    TryFinally([&]() \
+    { \
+        tempGuest##allocator = scriptContext->GetTemporaryGuestAllocator(name); \
+        allocator = tempGuest##allocator->GetAllocator();
 
 #define RELEASE_TEMP_GUEST_ALLOCATOR(allocator, scriptContext) \
-    if (tempGuest##allocator) \
-    scriptContext->ReleaseTemporaryGuestAllocator(tempGuest##allocator);
+    }, \
+    [&](bool /*hasException*/) \
+    { \
+        if (tempGuest##allocator) \
+        scriptContext->ReleaseTemporaryGuestAllocator(tempGuest##allocator); \
+    });
 
diff --git a/test/typedarray/bug18321215.js b/test/typedarray/bug18321215.js
@@ -0,0 +1,45 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+// OS18321215: Typed array functions need to release the guest arena if errors happen.
+// This is added as a seperate file and doesn't use the unittestframework as the test depends
+// on certain GC behavior that doesn't trigger otherwise.
+try
+{
+    // Type error in filter function
+    WScript.LoadModule(`;`);
+    (async () => {
+        testArray1 = new Float32Array(1);
+        testArray1.filter(function () {
+            // type error here
+            ArrayBuffer();
+        });
+    })().then();
+    /x/, /x/, /x/, /x/;
+}
+catch(e){}
+
+try
+{
+    // Type error in filter function
+    WScript.LoadModule(``);
+    for (var foo = 0; /x/g && 0; ) {
+    }
+    /x/g;
+    /x/g;
+    try {
+        testArray2 = new Float64Array(1);
+        testArray2.filter(function () {
+            // type error here
+            ArrayBuffer();
+        });
+    } catch (e) {
+    }
+    function bar(baz = /x/g) {
+    }
+}
+catch(e){}
+
+console.log("PASS");
diff --git a/test/typedarray/rlexe.xml b/test/typedarray/rlexe.xml
@@ -412,4 +412,9 @@ Below test fails with difference in space. Investigate the cause and re-enable t
       <files>typeofDetached.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug18321215.js</files>
+    </default>
+  </test>
 </regress-exe>
