Changeset 257907 in webkit

Timestamp:

Mar 4, 2020, 11:57:21 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Handle an out of memory error while constructing the BytecodeGenerator.
​https://bugs.webkit.org/show_bug.cgi?id=208622
<rdar://problem/59341136>

Reviewed by Saam Barati.

JSTests:

• stress/out-of-memory-while-constructing-BytecodeGenerator.js: Added.

Source/JavaScriptCore:

Added the ability to handle out of memory errors encountered during the
construction of the BytecodeGenerator. Currently, we only use this for the
case where we fail to instantiate a ScopedArgumentsTable.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):

• bytecompiler/BytecodeGeneratorBase.h:
• runtime/ScopedArgumentsTable.cpp:

(JSC::ScopedArgumentsTable::tryCreate):

• runtime/ScopedArgumentsTable.h:
• runtime/SymbolTable.h:

Source/WTF:

• wtf/CagedUniquePtr.h:

(WTF::CagedUniquePtr::tryCreate):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGeneratorBase.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ScopedArgumentsTable.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/SymbolTable.h (modified) (2 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/CagedUniquePtr.h (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-03-04  Mark Lam  <mark.lam@apple.com>
+
+        Handle an out of memory error while constructing the BytecodeGenerator.
+        https://bugs.webkit.org/show_bug.cgi?id=208622
+        <rdar://problem/59341136>
+
+        Reviewed by Saam Barati.
+
+        * stress/out-of-memory-while-constructing-BytecodeGenerator.js: Added.
+
 2020-03-03  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-03-04  Mark Lam  <mark.lam@apple.com>
+
+        Handle an out of memory error while constructing the BytecodeGenerator.
+        https://bugs.webkit.org/show_bug.cgi?id=208622
+        <rdar://problem/59341136>
+
+        Reviewed by Saam Barati.
+
+        Added the ability to handle out of memory errors encountered during the
+        construction of the BytecodeGenerator.  Currently, we only use this for the
+        case where we fail to instantiate a ScopedArgumentsTable.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::generate):
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        * bytecompiler/BytecodeGeneratorBase.h:
+        * runtime/ScopedArgumentsTable.cpp:
+        (JSC::ScopedArgumentsTable::tryCreate):
+        * runtime/ScopedArgumentsTable.h:
+        * runtime/SymbolTable.h:
+
 2020-03-04  Paulo Matos  <pmatos@igalia.com>
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca>
  * Copyright (C) 2012 Igalia, S.L.
@@ -158 +158 @@
 ParserError BytecodeGenerator::generate()
 {
+    if (UNLIKELY(m_outOfMemoryDuringConstruction))
+        return ParserError(ParserError::OutOfMemory);
+
     m_codeBlock->setThisRegister(m_thisRegister.virtualRegister());
 
@@ -491 +494 @@
         
         if (capturesAnyArgumentByName) {
-            functionSymbolTable->setArgumentsLength(vm, parameters.size());
-            
+            bool success = functionSymbolTable->trySetArgumentsLength(vm, parameters.size());
+            if (UNLIKELY(!success)) {
+                m_outOfMemoryDuringConstruction = true;
+                return;
+            }
+
             // For each parameter, we have two possibilities:
             // Either it's a binding node with no function overlap, in which case it gets a name

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGeneratorBase.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -81 +81 @@
     typename Traits::CodeBlock m_codeBlock;
 
+    bool m_outOfMemoryDuringConstruction { false };
     typename Traits::OpcodeID m_lastOpcodeID = Traits::opcodeForDisablingOptimizations;
     InstructionStream::MutableRef m_lastInstruction { m_writer.ref() };

trunk/Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -65 +65 @@
 }
 
+ScopedArgumentsTable* ScopedArgumentsTable::tryCreate(VM& vm, uint32_t length)
+{
+    void* buffer = tryAllocateCell<ScopedArgumentsTable>(vm.heap);
+    if (UNLIKELY(!buffer))
+        return nullptr;
+    ScopedArgumentsTable* result = new (NotNull, buffer) ScopedArgumentsTable(vm);
+    result->finishCreation(vm);
+
+    result->m_length = length;
+    result->m_arguments = ArgumentsPtr::tryCreate(length);
+    if (UNLIKELY(!result->m_arguments))
+        return nullptr;
+    return result;
+}
+
 ScopedArgumentsTable* ScopedArgumentsTable::clone(VM& vm)
 {

trunk/Source/JavaScriptCore/runtime/ScopedArgumentsTable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -61 +61 @@
     static ScopedArgumentsTable* create(VM&);
     static ScopedArgumentsTable* create(VM&, uint32_t length);
-    
+    static ScopedArgumentsTable* tryCreate(VM&, uint32_t length);
+
     static void destroy(JSCell*);
 

trunk/Source/JavaScriptCore/runtime/SymbolTable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2007-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -636 +636 @@
     }
     
-    void setArgumentsLength(VM& vm, uint32_t length)
-    {
-        if (UNLIKELY(!m_arguments))
-            m_arguments.set(vm, this, ScopedArgumentsTable::create(vm, length));
-        else
+    bool trySetArgumentsLength(VM& vm, uint32_t length)
+    {
+        if (UNLIKELY(!m_arguments)) {
+            ScopedArgumentsTable* table = ScopedArgumentsTable::tryCreate(vm, length);
+            if (UNLIKELY(!table))
+                return false;
+            m_arguments.set(vm, this, table);
+        } else
             m_arguments.set(vm, this, m_arguments->setLength(vm, length));
-    }
-    
+        return true;
+    }
+
     ScopeOffset argumentOffset(uint32_t i) const
     {

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-03-04  Mark Lam  <mark.lam@apple.com>
+
+        Handle an out of memory error while constructing the BytecodeGenerator.
+        https://bugs.webkit.org/show_bug.cgi?id=208622
+        <rdar://problem/59341136>
+
+        Reviewed by Saam Barati.
+
+        * wtf/CagedUniquePtr.h:
+        (WTF::CagedUniquePtr::tryCreate):
+
 2020-03-04  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WTF/wtf/CagedUniquePtr.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -55 +55 @@
         return CagedUniquePtr(result, length);
     }
-    
+
+    template<typename... Arguments>
+    static CagedUniquePtr tryCreate(unsigned length, Arguments&&... arguments)
+    {
+        T* result = static_cast<T*>(Gigacage::tryMalloc(kind, sizeof(T) * length));
+        if (!result)
+            return { };
+        while (length--)
+            new (result + length) T(arguments...);
+        return CagedUniquePtr(result, length);
+    }
+
     CagedUniquePtr& operator=(CagedUniquePtr&& ptr)
     {