The JS engine may free a literal twice if error occurs at function "parser_post_processing"

[wangzhikang123]

The test code:
regexp-simple-atom-and-iterations.js.txt

Compile like this:
python tools/build.py --error-messages=ON --line-info=ON --mem-heap 9 --debug

Then there will be an assertion fail to indicate the pointer to be freed is not pointing to the heap.

I think it's the double free of literal causing such a isuue.

First free at "js-parser.c" line 206,which is called by function "parser_post_processing" at line 1496

After error occurs at line 1726 for "out of memroy" error,the second free will happen at line 2416-->line 2413-->"common.c" line 42

Of course,when the second free happens,the address passed to function "jmem_heap_free_block" is totally wrong as it was changed at "js-parser.c" line 201,which is the reason why the assertion fails.

[zherczeg]

Could you share a test case?

[akosthekiss]

I think that this issue has been closed by the poster as invalid (as even the original issue report text has been edited out).

[zherczeg]

Thank you for the report. It looks like a literal_p->status_flags |= LEXER_FLAG_SOURCE_PTR; needs to be added after the first free.

[wangzhikang123]

How about line 645 and1984