Changeset 264413 in webkit

Timestamp:

Jul 15, 2020, 12:20:21 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Add handling of out of memory handling while adding a worklet module.
​https://bugs.webkit.org/show_bug.cgi?id=214354
<rdar://problem/65271931>

Reviewed by Yusuke Suzuki and Keith Miller.

Source/JavaScriptCore:

Add VM::tryCreate() that can fail if we encounter an out of memory issue.
As always, we're taking a best effort approach to handling out of memory errors.
Hence, we will not attempt to exhaustively handle every OOME scenario. This patch
only checks for failure to allocate a BigInt due to Gigacage exhaustion. While it
doesn't handle other allocation errors, it does enable us to add handling of other
cases in the future as needed.

• runtime/VM.cpp:

(JSC::VM::VM):
(JSC::VM::tryCreate):

• runtime/VM.h:

Source/WebCore:

Test: fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html

• bindings/js/JSDOMExceptionHandling.cpp:

(WebCore::createDOMException):

• dom/ExceptionCode.h:
• worklets/PaintWorkletGlobalScope.cpp:

(WebCore::PaintWorkletGlobalScope::tryCreate):
(WebCore::PaintWorkletGlobalScope::PaintWorkletGlobalScope):
(WebCore::PaintWorkletGlobalScope::create): Deleted.

• worklets/PaintWorkletGlobalScope.h:
• worklets/Worklet.cpp:

(WebCore::Worklet::addModule):

• worklets/Worklet.h:
• worklets/Worklet.idl:
• worklets/WorkletGlobalScope.cpp:

(WebCore::WorkletGlobalScope::WorkletGlobalScope):

• worklets/WorkletGlobalScope.h:
• worklets/WorkletScriptController.cpp:

(WebCore::WorkletScriptController::WorkletScriptController):

• worklets/WorkletScriptController.h:

LayoutTests:

We're skipping the new test on Debug builds because it will always run too slow.
The Release build is sufficient to test this OOME handling.

• TestExpectations:
• fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt: Added.
• fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html: Added.
• fast/css-custom-paint/script-tests: Added.
• fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js: Added.

(useAllMemory.try.get Object):
(useAllMemory.try.foo):
(useAllMemory):
(catch):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt (added)
• LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html (added)
• LayoutTests/fast/css-custom-paint/script-tests (added)
• LayoutTests/fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMExceptionHandling.cpp (modified) (2 diffs)
• Source/WebCore/dom/ExceptionCode.h (modified) (2 diffs)
• Source/WebCore/worklets/PaintWorkletGlobalScope.cpp (modified) (2 diffs)
• Source/WebCore/worklets/PaintWorkletGlobalScope.h (modified) (4 diffs)
• Source/WebCore/worklets/Worklet.cpp (modified) (2 diffs)
• Source/WebCore/worklets/Worklet.h (modified) (2 diffs)
• Source/WebCore/worklets/Worklet.idl (modified) (2 diffs)
• Source/WebCore/worklets/WorkletGlobalScope.cpp (modified) (2 diffs)
• Source/WebCore/worklets/WorkletGlobalScope.h (modified) (2 diffs)
• Source/WebCore/worklets/WorkletScriptController.cpp (modified) (2 diffs)
• Source/WebCore/worklets/WorkletScriptController.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-07-15  Mark Lam  <mark.lam@apple.com>
+
+        Add handling of out of memory handling while adding a worklet module.
+        https://bugs.webkit.org/show_bug.cgi?id=214354
+        <rdar://problem/65271931>
+
+        Reviewed by Yusuke Suzuki and Keith Miller.
+
+        We're skipping the new test on Debug builds because it will always run too slow.
+        The Release build is sufficient to test this OOME handling.
+
+        * TestExpectations:
+        * fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt: Added.
+        * fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html: Added.
+        * fast/css-custom-paint/script-tests: Added.
+        * fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js: Added.
+        (useAllMemory.try.get Object):
+        (useAllMemory.try.foo):
+        (useAllMemory):
+        (catch):
+
 2020-07-15  Hector Lopez  <hector_i_lopez@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -1108 +1108 @@
 webkit.org/b/136078 fast/borders/border-painting-dotted.html [ ImageOnlyFailure ]
 webkit.org/b/136078 fast/borders/border-painting-double.html [ ImageOnlyFailure ]
+
+# Skip this because it is too slow on debug builds.
+[ Debug ] fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html [ Skip ]
 
 # official flexbox tests

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-07-15  Mark Lam  <mark.lam@apple.com>
+
+        Add handling of out of memory handling while adding a worklet module.
+        https://bugs.webkit.org/show_bug.cgi?id=214354
+        <rdar://problem/65271931>
+
+        Reviewed by Yusuke Suzuki and Keith Miller.
+
+        Add VM::tryCreate() that can fail if we encounter an out of memory issue.
+        As always, we're taking a best effort approach to handling out of memory errors.
+        Hence, we will not attempt to exhaustively handle every OOME scenario.  This patch
+        only checks for failure to allocate a BigInt due to Gigacage exhaustion.  While it
+        doesn't handle other allocation errors, it does enable us to add handling of other
+        cases in the future as needed.
+
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        (JSC::VM::tryCreate):
+        * runtime/VM.h:
+
 2020-07-15  Jim Mason  <jmason@ibinx.com>
 

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -263 +263 @@
 static bool vmCreationShouldCrash = false;
 
-VM::VM(VMType vmType, HeapType heapType, WTF::RunLoop* runLoop)
+VM::VM(VMType vmType, HeapType heapType, WTF::RunLoop* runLoop, bool* success)
     : m_id(nextID())
     , m_apiLock(adoptRef(new JSLock(this)))
@@ -465 +465 @@
     {
         auto* bigInt = JSBigInt::tryCreateFrom(*this, 1);
-        RELEASE_ASSERT(bigInt);
-        heapBigIntConstantOne.set(*this, bigInt);
+        if (bigInt)
+            heapBigIntConstantOne.set(*this, bigInt);
+        else {
+            if (success)
+                *success = false;
+            else
+                RELEASE_ASSERT(bigInt);
+        }
     }
 
@@ -673 +679 @@
 {
     return adoptRef(*new VM(Default, heapType, runLoop));
+}
+
+RefPtr<VM> VM::tryCreate(HeapType heapType, WTF::RunLoop* runLoop)
+{
+    bool success = true;
+    RefPtr<VM> vm = adoptRef(new VM(Default, heapType, runLoop, &success));
+    if (!success) {
+        // Here, we're destructing a partially constructed VM and we know that
+        // no one else can be using it at the same time. So, acquiring the lock
+        // is superflous. However, we don't want to change how VMs are destructed.
+        // Just going through the motion of acquiring the lock here allows us to
+        // use the standard destruction process.
+
+        // VM expects us to be holding the VM lock when destructing it. Acquiring
+        // the lock also puts the VM in a state (e.g. acquiring heap access) that
+        // is needed for destruction. The lock will hold the last reference to
+        // the VM after we nullify the refPtr below. The VM will actually be
+        // destructed in JSLockHolder's destructor.
+        JSLockHolder lock(vm.get());
+        vm = nullptr;
+    }
+    return vm;
 }
 

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -315 +315 @@
 
     JS_EXPORT_PRIVATE static Ref<VM> create(HeapType = SmallHeap, WTF::RunLoop* = nullptr);
+    JS_EXPORT_PRIVATE static RefPtr<VM> tryCreate(HeapType = SmallHeap, WTF::RunLoop* = nullptr);
     static Ref<VM> createContextGroup(HeapType = SmallHeap);
     JS_EXPORT_PRIVATE ~VM();
@@ -1102 +1103 @@
     friend class LLIntOffsetsExtractor;
 
-    VM(VMType, HeapType, WTF::RunLoop* = nullptr);
+    VM(VMType, HeapType, WTF::RunLoop* = nullptr, bool* success = nullptr);
     static VM*& sharedInstanceInternal();
     void createNativeThunk();

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-07-15  Mark Lam  <mark.lam@apple.com>
+
+        Add handling of out of memory handling while adding a worklet module.
+        https://bugs.webkit.org/show_bug.cgi?id=214354
+        <rdar://problem/65271931>
+
+        Reviewed by Yusuke Suzuki and Keith Miller.
+
+        Test: fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html
+
+        * bindings/js/JSDOMExceptionHandling.cpp:
+        (WebCore::createDOMException):
+        * dom/ExceptionCode.h:
+        * worklets/PaintWorkletGlobalScope.cpp:
+        (WebCore::PaintWorkletGlobalScope::tryCreate):
+        (WebCore::PaintWorkletGlobalScope::PaintWorkletGlobalScope):
+        (WebCore::PaintWorkletGlobalScope::create): Deleted.
+        * worklets/PaintWorkletGlobalScope.h:
+        * worklets/Worklet.cpp:
+        (WebCore::Worklet::addModule):
+        * worklets/Worklet.h:
+        * worklets/Worklet.idl:
+        * worklets/WorkletGlobalScope.cpp:
+        (WebCore::WorkletGlobalScope::WorkletGlobalScope):
+        * worklets/WorkletGlobalScope.h:
+        * worklets/WorkletScriptController.cpp:
+        (WebCore::WorkletScriptController::WorkletScriptController):
+        * worklets/WorkletScriptController.h:
+
 2020-07-15  Oriol Brufau  <obrufau@igalia.com>
 

trunk/Source/WebCore/bindings/js/JSDOMExceptionHandling.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2020 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
  *  Copyright (C) 2013 Michael Pruett <michael@68k.org>
@@ -140 +140 @@
     if (ec == StackOverflowError)
         return createStackOverflowError(lexicalGlobalObject);
+    if (ec == OutOfMemoryError)
+        return createOutOfMemoryError(lexicalGlobalObject);
 
     // FIXME: All callers to createDOMException need to pass in the correct global object.

trunk/Source/WebCore/dom/ExceptionCode.h

@@ -1 +1 @@
 /*
- *  Copyright (C) 2006-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2006-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -65 +65 @@
     // Non-standard error.
     StackOverflowError,
+    OutOfMemoryError,
 
     // Used to indicate to the bindings that a JS exception was thrown below and it should be propagated.

trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42 +42 @@
 WTF_MAKE_ISO_ALLOCATED_IMPL(PaintWorkletGlobalScope);
 
-Ref<PaintWorkletGlobalScope> PaintWorkletGlobalScope::create(Document& document, ScriptSourceCode&& code)
+RefPtr<PaintWorkletGlobalScope> PaintWorkletGlobalScope::tryCreate(Document& document, ScriptSourceCode&& code)
 {
-    return adoptRef(*new PaintWorkletGlobalScope(document, WTFMove(code)));
+    RefPtr<VM> vm = VM::tryCreate();
+    if (!vm)
+        return nullptr;
+    return adoptRef(*new PaintWorkletGlobalScope(document, vm.releaseNonNull(), WTFMove(code)));
 }
 
-PaintWorkletGlobalScope::PaintWorkletGlobalScope(Document& document, ScriptSourceCode&& code)
-    : WorkletGlobalScope(document, WTFMove(code))
+PaintWorkletGlobalScope::PaintWorkletGlobalScope(Document& document, Ref<VM>&& vm, ScriptSourceCode&& code)
+    : WorkletGlobalScope(document, WTFMove(vm), WTFMove(code))
 {
 }

trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35 +35 @@
 namespace JSC {
 class JSObject;
+class VM;
 } // namespace JSC
 
@@ -43 +44 @@
     WTF_MAKE_ISO_ALLOCATED(PaintWorkletGlobalScope);
 public:
-    static Ref<PaintWorkletGlobalScope> create(Document&, ScriptSourceCode&&);
+    static RefPtr<PaintWorkletGlobalScope> tryCreate(Document&, ScriptSourceCode&&);
 
     ExceptionOr<void> registerPaint(JSC::JSGlobalObject&, const String& name, JSC::Strong<JSC::JSObject> paintConstructor);
@@ -73 +74 @@
 
 private:
-    PaintWorkletGlobalScope(Document&, ScriptSourceCode&&);
+    PaintWorkletGlobalScope(Document&, Ref<JSC::VM>&&, ScriptSourceCode&&);
 
     ~PaintWorkletGlobalScope()

trunk/Source/WebCore/worklets/Worklet.cpp

@@ -47 +47 @@
 }
 
-void Worklet::addModule(Document& document, const String& moduleURL)
+ExceptionOr<void> Worklet::addModule(Document& document, const String& moduleURL)
 {
     // FIXME: We should download the source from the URL
     // https://bugs.webkit.org/show_bug.cgi?id=191136
-    auto context = PaintWorkletGlobalScope::create(document, ScriptSourceCode(moduleURL));
+    auto maybeContext = PaintWorkletGlobalScope::tryCreate(document, ScriptSourceCode(moduleURL));
+    if (UNLIKELY(!maybeContext))
+        return Exception { OutOfMemoryError };
+    auto context = maybeContext.releaseNonNull();
     context->evaluate();
 
@@ -57 +60 @@
     for (auto& name : context->paintDefinitionMap().keys())
         document.setPaintWorkletGlobalScopeForName(name, makeRef(context.get()));
+
+    return { };
 }
 

trunk/Source/WebCore/worklets/Worklet.h

@@ -26 +26 @@
 #pragma once
 
+#include "ExceptionOr.h"
 #include "ScriptWrappable.h"
 #include <wtf/RefCounted.h>
@@ -39 +40 @@
     static Ref<Worklet> create();
     
-    void addModule(Document&, const String& moduleURL);
+    ExceptionOr<void> addModule(Document&, const String& moduleURL);
 
 private:

trunk/Source/WebCore/worklets/Worklet.idl

@@ -1 +1 @@
 /*
-* Copyright (C) 2018 Apple Inc. All rights reserved.
+* Copyright (C) 2018-2020 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
     Global=Worklet,
 ] interface Worklet {
-    [CallWith=Document] void addModule(USVString moduleURL/*, optional WorkletOptions options*/);
+    [CallWith=Document, MayThrowException] void addModule(USVString moduleURL/*, optional WorkletOptions options*/);
 };

trunk/Source/WebCore/worklets/WorkletGlobalScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2018 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48 +48 @@
 WTF_MAKE_ISO_ALLOCATED_IMPL(WorkletGlobalScope);
 
-WorkletGlobalScope::WorkletGlobalScope(Document& document, ScriptSourceCode&& code)
+WorkletGlobalScope::WorkletGlobalScope(Document& document, Ref<JSC::VM>&& vm, ScriptSourceCode&& code)
     : m_document(makeWeakPtr(document))
-    , m_script(makeUnique<WorkletScriptController>(this))
+    , m_script(makeUnique<WorkletScriptController>(WTFMove(vm), this))
     , m_topOrigin(SecurityOrigin::createUnique())
     , m_code(WTFMove(code))

trunk/Source/WebCore/worklets/WorkletGlobalScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -88 +88 @@
 
 protected:
-    WorkletGlobalScope(Document&, ScriptSourceCode&&);
+    WorkletGlobalScope(Document&, Ref<JSC::VM>&&, ScriptSourceCode&&);
     WorkletGlobalScope(const WorkletGlobalScope&) = delete;
     WorkletGlobalScope(WorkletGlobalScope&&) = delete;

trunk/Source/WebCore/worklets/WorkletScriptController.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2018 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48 +48 @@
 using namespace JSC;
 
-WorkletScriptController::WorkletScriptController(WorkletGlobalScope* workletGlobalScope)
-    : m_vm(VM::create())
+WorkletScriptController::WorkletScriptController(Ref<VM>&& vm, WorkletGlobalScope* workletGlobalScope)
+    : m_vm(WTFMove(vm))
     , m_workletGlobalScope(workletGlobalScope)
     , m_workletGlobalScopeWrapper(*m_vm)

trunk/Source/WebCore/worklets/WorkletScriptController.h

@@ -50 +50 @@
     WTF_MAKE_NONCOPYABLE(WorkletScriptController); WTF_MAKE_FAST_ALLOCATED;
 public:
-    WorkletScriptController(WorkletGlobalScope*);
+    WorkletScriptController(Ref<VM>&&, WorkletGlobalScope*);
     ~WorkletScriptController();