Changeset 215919 in webkit

Timestamp:

Apr 27, 2017, 9:15:00 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

Fix some RELEASE_ASSERT failures caused by OutOfMemoryErrors.
​https://bugs.webkit.org/show_bug.cgi?id=171404
<rdar://problem/31876178>

Reviewed by Saam Barati.

JSTests:

• stress/js-fixed-array-out-of-memory.js: Added.

Source/JavaScriptCore:

1. Added some tryAllocate() functions in JSCellInlines.h.
2. Consolidated the implementations of allocateCell() template functions into a single tryAllocateCellHelper() to reduce redundancy and eliminate needing to copy-paste for variations of allocateCell and tryAllocateCell.
3. Changed JSFixedArray::createFromArray() and constructEmptyArray() to check for allocation failure and throw an OutOfMemoryError. It was already possible to throw errors from these functions for other reasons. So, their clients are already ready to handle OOMEs.

• ftl/FTLOperations.cpp:

(JSC::FTL::operationMaterializeObjectInOSR):

• runtime/JSCInlines.h:
• runtime/JSCell.h:
• runtime/JSCellInlines.h:

(JSC::tryAllocateCellHelper):
(JSC::allocateCell):
(JSC::tryAllocateCell):

• runtime/JSFixedArray.h:

(JSC::JSFixedArray::createFromArray):
(JSC::JSFixedArray::tryCreate):
(JSC::JSFixedArray::create): Deleted.

• runtime/JSGlobalObject.h:

(JSC::constructEmptyArray):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/js-fixed-array-out-of-memory.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCellInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSFixedArray.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-04-27  Mark Lam  <mark.lam@apple.com>
+
+        Fix some RELEASE_ASSERT failures caused by OutOfMemoryErrors.
+        https://bugs.webkit.org/show_bug.cgi?id=171404
+        <rdar://problem/31876178>
+
+        Reviewed by Saam Barati.
+
+        * stress/js-fixed-array-out-of-memory.js: Added.
+
 2017-04-27  David Kilzer  <ddkilzer@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-04-27  Mark Lam  <mark.lam@apple.com>
+
+        Fix some RELEASE_ASSERT failures caused by OutOfMemoryErrors.
+        https://bugs.webkit.org/show_bug.cgi?id=171404
+        <rdar://problem/31876178>
+
+        Reviewed by Saam Barati.
+
+        1. Added some tryAllocate() functions in JSCellInlines.h.
+        2. Consolidated the implementations of allocateCell() template functions into a
+           single tryAllocateCellHelper() to reduce redundancy and eliminate needing to
+           copy-paste for variations of allocateCell and tryAllocateCell.
+        3. Changed JSFixedArray::createFromArray() and constructEmptyArray() to check for
+           allocation failure and throw an OutOfMemoryError.  It was already possible to
+           throw errors from these functions for other reasons.  So, their clients are
+           already ready to handle OOMEs.
+
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::operationMaterializeObjectInOSR):
+        * runtime/JSCInlines.h:
+        * runtime/JSCell.h:
+        * runtime/JSCellInlines.h:
+        (JSC::tryAllocateCellHelper):
+        (JSC::allocateCell):
+        (JSC::tryAllocateCell):
+        * runtime/JSFixedArray.h:
+        (JSC::JSFixedArray::createFromArray):
+        (JSC::JSFixedArray::tryCreate):
+        (JSC::JSFixedArray::create): Deleted.
+        * runtime/JSGlobalObject.h:
+        (JSC::constructEmptyArray):
+
 2017-04-27  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

@@ -433 +433 @@
         // Any attempts to put a getter on any indices on the rest array will escape the array.
         JSFixedArray* fixedArray = JSFixedArray::createFromArray(exec, vm, array);
+        RELEASE_ASSERT(fixedArray);
         return fixedArray;
     }

trunk/Source/JavaScriptCore/runtime/JSCInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43 +43 @@
 #include "JSArrayBufferViewInlines.h"
 #include "JSCJSValueInlines.h"
+#include "JSCellInlines.h"
 #include "JSFunctionInlines.h"
 #include "JSGlobalObjectInlines.h"

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -51 +51 @@
 class Structure;
 
-template<typename T> void* allocateCell(Heap&);
-template<typename T> void* allocateCell(Heap&, size_t);
-
-template<typename T> void* allocateCell(Heap&, GCDeferralContext*);
-template<typename T> void* allocateCell(Heap&, GCDeferralContext*, size_t);
+enum class AllocationFailureMode {
+    ShouldAssertOnFailure,
+    ShouldNotAssertOnFailure
+};
+
+enum class GCDeferralContextArgPresense {
+    HasArg,
+    DoesNotHaveArg
+};
+
+template<typename T> void* allocateCell(Heap&, size_t = sizeof(T));
+template<typename T> void* tryAllocateCell(Heap&, size_t = sizeof(T));
+template<typename T> void* allocateCell(Heap&, GCDeferralContext*, size_t = sizeof(T));
+template<typename T> void* tryAllocateCell(Heap&, GCDeferralContext*, size_t = sizeof(T));
 
 #define DECLARE_EXPORT_INFO                                                  \
@@ -72 +81 @@
     friend class JSValue;
     friend class MarkedBlock;
-    template<typename T> friend void* allocateCell(Heap&);
-    template<typename T> friend void* allocateCell(Heap&, size_t);
-    template<typename T> friend void* allocateCell(Heap&, GCDeferralContext*);
-    template<typename T> friend void* allocateCell(Heap&, GCDeferralContext*, size_t);
+    template<typename T, AllocationFailureMode, GCDeferralContextArgPresense>
+    friend void* tryAllocateCellHelper(Heap&, GCDeferralContext*, size_t);
 
 public:

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -143 +143 @@
 }
 
-template<typename T>
-void* allocateCell(Heap& heap, size_t size)
-{
-    ASSERT(!DisallowGC::isInEffectOnCurrentThread());
+template<typename T, AllocationFailureMode mode, GCDeferralContextArgPresense deferralContextArgPresence>
+ALWAYS_INLINE void* tryAllocateCellHelper(Heap& heap, GCDeferralContext* deferralContext, size_t size)
+{
+    ASSERT(deferralContext || !DisallowGC::isInEffectOnCurrentThread());
     ASSERT(size >= sizeof(T));
-    JSCell* result = static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocate(size));
+    JSCell* result;
+    if (mode == AllocationFailureMode::ShouldAssertOnFailure) {
+        result = (deferralContextArgPresence == GCDeferralContextArgPresense::HasArg)
+            ? static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocate(deferralContext, size))
+            : static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocate(size));
+    } else {
+        result = (deferralContextArgPresence == GCDeferralContextArgPresense::HasArg)
+            ? static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->tryAllocate(deferralContext, size))
+            : static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->tryAllocate(size));
+        if (UNLIKELY(!result))
+            return nullptr;
+    }
 #if ENABLE(GC_VALIDATION)
     ASSERT(!heap.vm()->isInitializingObject());
@@ -156 +167 @@
     return result;
 }
-    
+
 template<typename T>
-void* allocateCell(Heap& heap)
-{
-    return allocateCell<T>(heap, sizeof(T));
-}
-    
+void* allocateCell(Heap& heap, size_t size)
+{
+    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldAssertOnFailure, GCDeferralContextArgPresense::DoesNotHaveArg>(heap, nullptr, size);
+}
+
+template<typename T>
+void* tryAllocateCell(Heap& heap, size_t size)
+{
+    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldNotAssertOnFailure, GCDeferralContextArgPresense::DoesNotHaveArg>(heap, nullptr, size);
+}
+
 template<typename T>
 void* allocateCell(Heap& heap, GCDeferralContext* deferralContext, size_t size)
 {
-    ASSERT(size >= sizeof(T));
-    JSCell* result = static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocate(deferralContext, size));
-#if ENABLE(GC_VALIDATION)
-    ASSERT(!heap.vm()->isInitializingObject());
-    heap.vm()->setInitializingObjectClass(T::info());
-#endif
-    result->clearStructure();
-    return result;
-}
-    
+    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldAssertOnFailure, GCDeferralContextArgPresense::HasArg>(heap, deferralContext, size);
+}
+
 template<typename T>
-void* allocateCell(Heap& heap, GCDeferralContext* deferralContext)
-{
-    return allocateCell<T>(heap, deferralContext, sizeof(T));
-}
-    
+void* tryAllocateCell(Heap& heap, GCDeferralContext* deferralContext, size_t size)
+{
+    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldNotAssertOnFailure, GCDeferralContextArgPresense::HasArg>(heap, deferralContext, size);
+}
+
 inline bool JSCell::isObject() const
 {

trunk/Source/JavaScriptCore/runtime/JSFixedArray.h

@@ -46 +46 @@
     ALWAYS_INLINE static JSFixedArray* createFromArray(ExecState* exec, VM& vm, JSArray* array)
     {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+
         IndexingType indexingType = array->indexingType() & IndexingShapeMask;
         unsigned length = array->length();
-        JSFixedArray* result = JSFixedArray::create(vm, vm.fixedArrayStructure.get(), length);
+        JSFixedArray* result = JSFixedArray::tryCreate(vm, vm.fixedArrayStructure.get(), length);
+        if (UNLIKELY(!result)) {
+            throwOutOfMemoryError(exec, throwScope);
+            return nullptr;
+        }
 
         if (!length)
@@ -71 +77 @@
         }
 
-
-        auto throwScope = DECLARE_THROW_SCOPE(vm);
         for (unsigned i = 0; i < length; i++) {
             JSValue value = array->getDirectIndex(exec, i);
@@ -117 +121 @@
     unsigned m_size;
 
-    ALWAYS_INLINE static JSFixedArray* create(VM& vm, Structure* structure, unsigned size)
+    ALWAYS_INLINE static JSFixedArray* tryCreate(VM& vm, Structure* structure, unsigned size)
     {
-        JSFixedArray* result = new (NotNull, allocateCell<JSFixedArray>(vm.heap, allocationSize(size))) JSFixedArray(vm, structure, size);
+        void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, allocationSize(size));
+        if (UNLIKELY(!buffer))
+            return nullptr;
+        JSFixedArray* result = new (NotNull, buffer) JSFixedArray(vm, structure, size);
         result->finishCreation(vm);
         return result;

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
- *  Copyright (C) 2007-2009, 2014-2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -24 +24 @@
 #include "ArrayAllocationProfile.h"
 #include "ArrayBufferSharingMode.h"
+#include "ExceptionHelpers.h"
 #include "InternalFunction.h"
 #include "JSArray.h"
@@ -875 +876 @@
     RETURN_IF_EXCEPTION(scope, nullptr);
 
-    return ArrayAllocationProfile::updateLastAllocationFor(profile, JSArray::create(exec->vm(), structure, initialLength));
+    JSArray* result = JSArray::tryCreate(vm, structure, initialLength);
+    if (UNLIKELY(!result)) {
+        throwOutOfMemoryError(exec, scope);
+        return nullptr;
+    }
+    return ArrayAllocationProfile::updateLastAllocationFor(profile, result);
 }