Changeset 238979 in webkit


Timestamp:
Dec 7, 2018 4:25:08 PM (5 years ago)
Author:
Michael Catanzaro
Message:

Merge r238326 - All users of ArrayBuffer should agree on the same max size
https://bugs.webkit.org/show_bug.cgi?id=191771

Reviewed by Mark Lam.

JSTests:

  • stress/big-wasm-memory-grow-no-max.js: Added.

(foo):
(catch):

  • stress/big-wasm-memory-grow.js: Added.

(foo):
(catch):

  • stress/big-wasm-memory.js: Added.

(foo):
(catch):

Source/JavaScriptCore:

Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
instead.

  • runtime/ArrayBuffer.cpp:

(JSC::ArrayBufferContents::ArrayBufferContents):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::transferTo):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBufferContents::shareWith):

  • runtime/ArrayBuffer.h:
  • wasm/WasmMemory.cpp:

(JSC::Wasm::Memory::tryCreate):
(JSC::Wasm::Memory::grow):

  • wasm/WasmPageCount.h:
Location:
releases/WebKitGTK/webkit-2.22
Files:
3 added
6 edited

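--- a/releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog
+++ b/releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog
@@ -1,2 +1,19 @@
+2018-11-16  Filip Pizlo  <fpizlo@apple.com>
+
+        All users of ArrayBuffer should agree on the same max size
+        https://bugs.webkit.org/show_bug.cgi?id=191771
+
+        Reviewed by Mark Lam.
+
+        * stress/big-wasm-memory-grow-no-max.js: Added.
+        (foo):
+        (catch):
+        * stress/big-wasm-memory-grow.js: Added.
+        (foo):
+        (catch):
+        * stress/big-wasm-memory.js: Added.
+        (foo):
+        (catch):
+
 2018-10-03  Mark Lam  <mark.lam@apple.com>
 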
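--- a/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/ChangeLog
+++ b/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,25 @@
+2018-11-16  Filip Pizlo  <fpizlo@apple.com>
+
+        All users of ArrayBuffer should agree on the same max size
+        https://bugs.webkit.org/show_bug.cgi?id=191771
+
+        Reviewed by Mark Lam.
+
+        Array buffers cannot be larger than 0x7fffffff, because otherwise loading typedArray.length in the DFG/FTL would produce
+        a uint32 or would require a signedness check, neither of which sounds reasonable. It's better to just bound their max size
+        instead.
+
+        * runtime/ArrayBuffer.cpp:
+        (JSC::ArrayBufferContents::ArrayBufferContents):
+        (JSC::ArrayBufferContents::tryAllocate):
+        (JSC::ArrayBufferContents::transferTo):
+        (JSC::ArrayBufferContents::copyTo):
+        (JSC::ArrayBufferContents::shareWith):
+        * runtime/ArrayBuffer.h:
+        * wasm/WasmMemory.cpp:
+        (JSC::Wasm::Memory::tryCreate):
+        (JSC::Wasm::Memory::grow):
+        * wasm/WasmPageCount.h:
+
 2018-11-27  Mark Lam  <mark.lam@apple.com>
 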
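--- a/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/runtime/ArrayBuffer.cpp
+++ b/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/runtime/ArrayBuffer.cpp
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -60,4 +60,5 @@
     , m_sizeInBytes(sizeInBytes)
 {
+    RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
     m_destructor = WTFMove(destructor);
 }
@@ -98,6 +99,5 @@
     if (numElements) {
         unsigned totalSize = numElements * elementByteSize;
-        if (totalSize / numElements != elementByteSize
-            || totalSize > static_cast<unsigned>(std::numeric_limits<int32_t>::max())) {
+        if (totalSize / numElements != elementByteSize || totalSize > MAX_ARRAY_BUFFER_SIZE) {
             reset();
             return;
@@ -117,4 +117,5 @@
 
     m_sizeInBytes = numElements * elementByteSize;
+    RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
     m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); };
 }
@@ -131,4 +132,5 @@
     other.m_data = m_data;
     other.m_sizeInBytes = m_sizeInBytes;
+    RELEASE_ASSERT(other.m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
     other.m_destructor = WTFMove(m_destructor);
     other.m_shared = m_shared;
@@ -144,4 +146,5 @@
     memcpy(other.m_data.get(), m_data.get(), m_sizeInBytes);
     other.m_sizeInBytes = m_sizeInBytes;
+    RELEASE_ASSERT(other.m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
 }
 
@@ -154,4 +157,5 @@
     other.m_data = m_data;
     other.m_sizeInBytes = m_sizeInBytes;
+    RELEASE_ASSERT(other.m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
 }
 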
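Review bot: In copyTo the new RELEASE_ASSERT at line 148 runs after the memcpy at line 146 has already consumed m_sizeInBytes as its length, so it cannot stop an out-of-bound size from driving the copy; checking the source object first, `RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);` placed ahead of the memcpy, enforces the same invariant and also guards the copy. The asserts in transferTo (134) and shareWith (159) likewise follow the assignment, but nothing in those hunks uses the size before them, so their placement is harmless. Since the constructor and tryAllocate asserts (62, 119) already make the bound an invariant of every ArrayBufferContents, the three later checks are defense in depth, and a one-line comment on one of them saying so would spare the next reader from hunting for a path that could violate it. copyTo's body begins outside the hunk.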
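--- a/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/runtime/ArrayBuffer.h
+++ b/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/runtime/ArrayBuffer.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,4 +37,6 @@
 namespace JSC {
 
+#define MAX_ARRAY_BUFFER_SIZE 0x7fffffffu
+
 class VM;
 class ArrayBuffer;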
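Review bot: MAX_ARRAY_BUFFER_SIZE at line 39 is introduced as a preprocessor macro written inside namespace JSC, which gives it no scope or type despite its placement and leaks it into every translation unit that includes the header; a typed constant such as `static constexpr unsigned MAX_ARRAY_BUFFER_SIZE = 0x7fffffffu;` keeps every call site in this changeset compiling unchanged while making it a real namespace member. The header also says nothing about why the limit is 0x7fffffff rather than the full unsigned range; the reason given in the commit message belongs next to the definition, e.g. `// Bounded so that typedArray.length always fits an int32 when the DFG/FTL load it; see bug 191771.`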
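--- a/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/wasm/WasmMemory.cpp
+++ b/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/wasm/WasmMemory.cpp
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -283,4 +283,6 @@
     const size_t maximumBytes = maximum ? maximum.bytes() : 0;
 
+    RELEASE_ASSERT(initialBytes <= MAX_ARRAY_BUFFER_SIZE);
+
     if (maximum && !maximumBytes) {
         // User specified a zero maximum, initial size must also be zero.
@@ -373,5 +375,8 @@
    
     const Wasm::PageCount newPageCount = oldPageCount + delta;
-    if (!newPageCount)
+    // FIXME: Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw
+    // OOME not RangeError
+    // https://bugs.webkit.org/show_bug.cgi?id=191776
+    if (!newPageCount || !newPageCount.isValid() || newPageCount.bytes() >= MAX_ARRAY_BUFFER_SIZE)
         return makeUnexpected(GrowFailReason::InvalidGrowSize);
 
@@ -396,4 +401,5 @@
 
     size_t desiredSize = newPageCount.bytes();
+    RELEASE_ASSERT(desiredSize <= MAX_ARRAY_BUFFER_SIZE);
     RELEASE_ASSERT(desiredSize > m_size);
     size_t extraBytes = desiredSize - m_size;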
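Review bot: The RELEASE_ASSERT(initialBytes <= MAX_ARRAY_BUFFER_SIZE) added at line 285 of tryCreate sits beside a graceful rejection of user-supplied limits (the zero-maximum case at line 287), so whether it is an invariant or a crash depends on every caller of tryCreate bounding the page count first, and only the WebAssembly.Memory constructor path is visible in this changeset. If tryCreate is also reachable from module instantiation with a declared memory section that is not checked against MAX_ARRAY_BUFFER_SIZE, an oversized initial size from an untrusted module would abort the process rather than fail creation; either document the precondition on tryCreate (`// Callers must reject initial page counts whose byte size exceeds MAX_ARRAY_BUFFER_SIZE before calling.`) or turn the assert into the same early failure the surrounding code uses. In grow, the guard at line 380 rejects `>= MAX_ARRAY_BUFFER_SIZE` while the assert at line 403 permits `<=`; presumably bytes() is a multiple of the wasm page size and the limit is odd, so the two never disagree, but a short comment saying that would save a reader the arithmetic. Both tryCreate and grow begin outside their hunks.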
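--- a/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
+++ b/releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
@@ -71,5 +71,8 @@
         uint32_t size = toNonWrappingUint32(exec, minSizeValue);
         RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
-        if (!Wasm::PageCount::isValid(size))
+        // FIXME: Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw
+        // OOME not RangeError
+        // https://bugs.webkit.org/show_bug.cgi?id=191776
+        if (!Wasm::PageCount::isValid(size) || Wasm::PageCount(size).bytes() >= MAX_ARRAY_BUFFER_SIZE)
             return JSValue::encode(throwException(exec, throwScope, createRangeError(exec, "WebAssembly.Memory 'initial' page count is too large"_s)));
         initialPageCount = Wasm::PageCount(size);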
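Review bot: The condition at line 76, `Wasm::PageCount(size).bytes() >= MAX_ARRAY_BUFFER_SIZE`, is the same test Memory::grow now performs in WasmMemory.cpp, with the same three-line FIXME copied above it; a single predicate on PageCount (for example a `fitsInArrayBuffer()`-style helper, or widening `Wasm::PageCount::isValid` to cover the ArrayBuffer bound) would keep the two call sites in step when bug 191776 is resolved and the boundary changes. The ChangeLog lists wasm/WasmPageCount.h as edited, but that file is not among the six in this merge, so if the upstream commit placed such a helper there it did not come across and the duplication here is what the branch will carry. The RangeError text at line 77 already covers both branches, so no message change is needed.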