Changeset 238433 in webkit


Timestamp:
Nov 21, 2018 5:51:33 PM (5 years ago)
Author:
mark.lam@apple.com
Message:

Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
https://bugs.webkit.org/show_bug.cgi?id=191776
<rdar://problem/46152851>

Reviewed by Saam Barati.

JSTests:

  • stress/big-wasm-memory-grow-no-max.js:
  • stress/big-wasm-memory-grow.js:
  • stress/big-wasm-memory.js:
  • updated these to expect an OutOfMemoryError.
  • wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.

(Binary.prototype.emit_u8):
(Binary.prototype.emit_u32v):
(Binary.prototype.emit_header):
(Binary.prototype.emit_section):
(Binary):
(WasmModuleBuilder):
(WasmModuleBuilder.prototype.addMemory):
(WasmModuleBuilder.prototype.toArray):
(WasmModuleBuilder.prototype.toBuffer):
(WasmModuleBuilder.prototype.instantiate):
(catch):

  • wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.

(catch):

Source/JavaScriptCore:

  • wasm/WasmMemory.cpp:

(JSC::Wasm::Memory::tryCreate):

  • return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE. The clients will already do a null check and throw an OutOfMemoryError if needed.

(JSC::Wasm::Memory::grow):

  • throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
  • wasm/js/WebAssemblyMemoryConstructor.cpp:

(JSC::constructJSWebAssemblyMemory):

  • throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
Location:
trunk
Files:
2 added
7 edited

  • trunk/JSTests/ChangeLog

    r238425 r238433  
     12018-11-21  Mark Lam  <mark.lam@apple.com>
     2
     3        Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
     4        https://bugs.webkit.org/show_bug.cgi?id=191776
     5        <rdar://problem/46152851>
     6
     7        Reviewed by Saam Barati.
     8
     9        * stress/big-wasm-memory-grow-no-max.js:
     10        * stress/big-wasm-memory-grow.js:
     11        * stress/big-wasm-memory.js:
     12        - updated these to expect an OutOfMemoryError.
     13
     14        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
     15        (Binary.prototype.emit_u8):
     16        (Binary.prototype.emit_u32v):
     17        (Binary.prototype.emit_header):
     18        (Binary.prototype.emit_section):
     19        (Binary):
     20        (WasmModuleBuilder):
     21        (WasmModuleBuilder.prototype.addMemory):
     22        (WasmModuleBuilder.prototype.toArray):
     23        (WasmModuleBuilder.prototype.toBuffer):
     24        (WasmModuleBuilder.prototype.instantiate):
     25        (catch):
     26        * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
     27        (catch):
     28
    1292018-11-21  Caio Lima  <ticaiolima@gmail.com>
    230
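--- a/trunk/JSTests/stress/big-wasm-memory-grow-no-max.js
+++ b/trunk/JSTests/stress/big-wasm-memory-grow-no-max.js
@@ -27,5 +27,5 @@
     ok = true;
 } catch (e) {
-    if (e.toString() != "RangeError: WebAssembly.Memory.grow expects the grown size to be a valid page count")
+    if (e.toString() != "Error: Out of memory")
         throw e;
 }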
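--- a/trunk/JSTests/stress/big-wasm-memory-grow.js
+++ b/trunk/JSTests/stress/big-wasm-memory-grow.js
@@ -27,5 +27,5 @@
     ok = true;
 } catch (e) {
-    if (e.toString() != "RangeError: WebAssembly.Memory.grow expects the grown size to be a valid page count")
+    if (e.toString() != "Error: Out of memory")
         throw e;
 }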
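--- a/trunk/JSTests/stress/big-wasm-memory.js
+++ b/trunk/JSTests/stress/big-wasm-memory.js
@@ -25,5 +25,5 @@
     ok = true;
 } catch (e) {
-    if (e.toString() != "RangeError: WebAssembly.Memory 'initial' page count is too large")
+    if (e.toString() != "Error: Out of memory")
         throw e;
 }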
  • trunk/Source/JavaScriptCore/ChangeLog

    r238425 r238433  
     12018-11-21  Mark Lam  <mark.lam@apple.com>
     2
     3        Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
     4        https://bugs.webkit.org/show_bug.cgi?id=191776
     5        <rdar://problem/46152851>
     6
     7        Reviewed by Saam Barati.
     8
     9        * wasm/WasmMemory.cpp:
     10        (JSC::Wasm::Memory::tryCreate):
     11        - return nullptr if the requested bytes exceed MAX_ARRAY_BUFFER_SIZE.
     12          The clients will already do a null check and throw an OutOfMemoryError if needed.
     13        (JSC::Wasm::Memory::grow):
     14        - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
     15        * wasm/js/WebAssemblyMemoryConstructor.cpp:
     16        (JSC::constructJSWebAssemblyMemory):
     17        - throw OOME if newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE.
     18
    1192018-11-21  Caio Lima  <ticaiolima@gmail.com>
    220
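--- a/trunk/Source/JavaScriptCore/wasm/WasmMemory.cpp
+++ b/trunk/Source/JavaScriptCore/wasm/WasmMemory.cpp
@@ -283,5 +283,6 @@
     const size_t maximumBytes = maximum ? maximum.bytes() : 0;
 
-    RELEASE_ASSERT(initialBytes <= MAX_ARRAY_BUFFER_SIZE);
+    if (initialBytes > MAX_ARRAY_BUFFER_SIZE)
+        return nullptr; // Client will throw OOMError.
 
     if (maximum && !maximumBytes) {
@@ -375,9 +376,8 @@
 
     const Wasm::PageCount newPageCount = oldPageCount + delta;
-    // FIXME: Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw
-    // OOME not RangeError
-    // https://bugs.webkit.org/show_bug.cgi?id=191776
-    if (!newPageCount || !newPageCount.isValid() || newPageCount.bytes() >= MAX_ARRAY_BUFFER_SIZE)
+    if (!newPageCount || !newPageCount.isValid())
         return makeUnexpected(GrowFailReason::InvalidGrowSize);
+    if (newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE)
+        return makeUnexpected(GrowFailReason::OutOfMemory);
 
     auto success = [&] () {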
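Review bot: The grow() hunk changes the ArrayBuffer-limit comparison from `>=` to `>` (old line 380 versus new line 380), and the constructor hunk in WebAssemblyMemoryConstructor.cpp makes the same change, so a memory of exactly MAX_ARRAY_BUFFER_SIZE bytes is now accepted where it was previously rejected. The commit message only describes the RangeError-to-OOME change, so if the inclusive boundary is intended it deserves a sentence in the ChangeLog and a test at exactly that size; if ArrayBuffer creation rejects that size, the failure would presumably just surface later as a null buffer. The tryCreate hunk uses the same `>` in `if (initialBytes > MAX_ARRAY_BUFFER_SIZE)`, so the three sites are at least consistent with one another. Both tryCreate and grow start and end outside the hunks shown.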
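--- a/trunk/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -71,9 +71,8 @@
         uint32_t size = toNonWrappingUint32(exec, minSizeValue);
         RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
-        // FIXME: Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw
-        // OOME not RangeError
-        // https://bugs.webkit.org/show_bug.cgi?id=191776
-        if (!Wasm::PageCount::isValid(size) || Wasm::PageCount(size).bytes() >= MAX_ARRAY_BUFFER_SIZE)
+        if (!Wasm::PageCount::isValid(size))
             return JSValue::encode(throwException(exec, throwScope, createRangeError(exec, "WebAssembly.Memory 'initial' page count is too large"_s)));
+        if (Wasm::PageCount(size).bytes() > MAX_ARRAY_BUFFER_SIZE)
+            return JSValue::encode(throwException(exec, throwScope, createOutOfMemoryError(exec)));
         initialPageCount = Wasm::PageCount(size);
     }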
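Review bot: The new out-of-memory branch at new line 75 is ordered after the spec-validity check at new line 73, so a request that is both beyond the spec page limit and beyond the ArrayBuffer limit still reports a RangeError; that ordering matches grow() in WasmMemory.cpp, but nothing in the code says the two limits are different things. A short comment above new line 73 would make the distinction explicit, e.g. `// Beyond the spec's page limit is a RangeError; within spec but larger than an ArrayBuffer can back is an out-of-memory condition, not a bad argument.` constructJSWebAssemblyMemory starts and continues outside the hunk.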