Changeset 47092 in webkit

Timestamp:

Aug 11, 2009 11:22:41 PM (15 years ago)

Author:

oliver@apple.com

Message:

Make it harder to misuse try* allocation routines
​https://bugs.webkit.org/show_bug.cgi?id=27469

Reviewed by Gavin Barraclough

Jump through a few hoops to make it much harder to accidentally
miss null-checking of values returned by the try-* allocation
routines.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore_debug.def (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• JavaScriptCore/runtime/JSArray.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/StringPrototype.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/UString.cpp (modified) (14 diffs)
• JavaScriptCore/runtime/UString.h (modified) (1 diff)
• JavaScriptCore/wtf/FastMalloc.cpp (modified) (7 diffs)
• JavaScriptCore/wtf/FastMalloc.h (modified) (2 diffs)
• JavaScriptCore/wtf/Platform.h (modified) (1 diff)
• JavaScriptCore/wtf/PossiblyNull.h (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/ForwardingHeaders/wtf/PossiblyNull.h (added)
• WebCore/platform/graphics/cg/ImageBufferCG.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ -75 +75 @@
         (JSC::FunctionBodyNode::make):
             Make this method inline (was FuncDeclNode::makeFunction).
+
+2009-08-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Make it harder to misuse try* allocation routines
+        https://bugs.webkit.org/show_bug.cgi?id=27469
+
+        Jump through a few hoops to make it much harder to accidentally
+        miss null-checking of values returned by the try-* allocation
+        routines.
+
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore_debug.def:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::putSlowCase):
+        (JSC::JSArray::increaseVectorLength):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncFontsize):
+        (JSC::stringProtoFuncLink):
+        * runtime/UString.cpp:
+        (JSC::allocChars):
+        (JSC::reallocChars):
+        (JSC::expandCapacity):
+        (JSC::UString::Rep::reserveCapacity):
+        (JSC::UString::expandPreCapacity):
+        (JSC::createRep):
+        (JSC::concatenate):
+        (JSC::UString::spliceSubstringsWithSeparators):
+        (JSC::UString::replaceRange):
+        (JSC::UString::append):
+        (JSC::UString::operator=):
+        * runtime/UString.h:
+        (JSC::UString::Rep::createEmptyBuffer):
+        * wtf/FastMalloc.cpp:
+        (WTF::tryFastZeroedMalloc):
+        (WTF::tryFastMalloc):
+        (WTF::tryFastCalloc):
+        (WTF::tryFastRealloc):
+        (WTF::TCMallocStats::tryFastMalloc):
+        (WTF::TCMallocStats::tryFastCalloc):
+        (WTF::TCMallocStats::tryFastRealloc):
+        * wtf/FastMalloc.h:
+        (WTF::TryMallocReturnValue::TryMallocReturnValue):
+        (WTF::TryMallocReturnValue::~TryMallocReturnValue):
+        (WTF::TryMallocReturnValue::operator PossiblyNull<T>):
+        (WTF::TryMallocReturnValue::getValue):
+        * wtf/Platform.h:
+        * wtf/PossiblyNull.h: Added.
+        (WTF::PossiblyNull::PossiblyNull):
+        (WTF::PossiblyNull::~PossiblyNull):
+        (WTF::::getValue):
 
 2009-08-11  Oliver Hunt  <oliver@apple.com>

trunk/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

@@ -265 +265 @@
     ?toUInt32@UString@JSC@@QBEIPA_N_N@Z
     ?toUInt32SlowCase@JSC@@YAINAA_N@Z
-    ?tryFastCalloc@WTF@@YAPAXII@Z
+    ?tryFastCalloc@WTF@@YA?AUTryMallocReturnValue@1@II@Z
     ?tryLock@Mutex@WTF@@QAE_NXZ
     ?type@DebuggerCallFrame@JSC@@QBE?AW4Type@12@XZ

trunk/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore_debug.def

@@ -264 +264 @@
     ?toUInt32@UString@JSC@@QBEIPA_N_N@Z
     ?toUInt32SlowCase@JSC@@YAINAA_N@Z
-    ?tryFastCalloc@WTF@@YAPAXII@Z
+    ?tryFastCalloc@WTF@@YA?AUTryMallocReturnValue@1@II@Z
     ?tryLock@Mutex@WTF@@QAE_NXZ
     ?type@DebuggerCallFrame@JSC@@QBE?AW4Type@12@XZ

trunk/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -208 +208 @@
                 A7B48F490EE8936F00DCBDB6 /* ExecutableAllocator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7B48DB60EE74CFC00DCBDB6 /* ExecutableAllocator.cpp */; };
                 A7C530E4102A3813005BC741 /* MarkStackPosix.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7C530E3102A3813005BC741 /* MarkStackPosix.cpp */; };
+                A7D649AA1015224E009B2E1B /* PossiblyNull.h in Headers */ = {isa = PBXBuildFile; fileRef = A7D649A91015224E009B2E1B /* PossiblyNull.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A7E2EA6B0FB460CF00601F06 /* LiteralParser.h in Headers */ = {isa = PBXBuildFile; fileRef = A7E2EA690FB460CF00601F06 /* LiteralParser.h */; };
                 A7E2EA6C0FB460CF00601F06 /* LiteralParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7E2EA6A0FB460CF00601F06 /* LiteralParser.cpp */; };
@@ -753 +754 @@
                 A7B48DB60EE74CFC00DCBDB6 /* ExecutableAllocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExecutableAllocator.cpp; sourceTree = "<group>"; };
                 A7C530E3102A3813005BC741 /* MarkStackPosix.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MarkStackPosix.cpp; sourceTree = "<group>"; };
+                A7D649A91015224E009B2E1B /* PossiblyNull.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PossiblyNull.h; sourceTree = "<group>"; };
                 A7E2EA690FB460CF00601F06 /* LiteralParser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LiteralParser.h; sourceTree = "<group>"; };
                 A7E2EA6A0FB460CF00601F06 /* LiteralParser.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LiteralParser.cpp; sourceTree = "<group>"; };
@@ -1243 +1245 @@
                                 6580F795094070560082C219 /* PassRefPtr.h */,
                                 65D6D87E09B5A32E0002E4D7 /* Platform.h */,
+                                A7D649A91015224E009B2E1B /* PossiblyNull.h */,
                                 0B1F921B0F17502D0036468E /* PtrAndFlags.h */,
                                 088FA5B90EF76D4300578E6F /* RandomNumber.cpp */,
@@ -1903 +1906 @@
                                 9688CB160ED12B4E001D649F /* X86Assembler.h in Headers */,
                                 A7795590101A74D500114E55 /* MarkStack.h in Headers */,
+                                A7D649AA1015224E009B2E1B /* PossiblyNull.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/JavaScriptCore/runtime/JSArray.cpp

@@ -349 +349 @@
     }
 
-    storage = static_cast<ArrayStorage*>(tryFastRealloc(storage, storageSize(newVectorLength)));
-    if (!storage) {
+    if (!tryFastRealloc(storage, storageSize(newVectorLength)).getValue(storage)) {
         throwOutOfMemoryError(exec);
         return;
@@ -468 +467 @@
     unsigned newVectorLength = increasedVectorLength(newLength);
 
-    storage = static_cast<ArrayStorage*>(tryFastRealloc(storage, storageSize(newVectorLength)));
-    if (!storage)
+    if (!tryFastRealloc(storage, storageSize(newVectorLength)).getValue(storage))
         return false;
 

trunk/JavaScriptCore/runtime/StringPrototype.cpp

@@ -822 +822 @@
         unsigned stringSize = s.size();
         unsigned bufferSize = 22 + stringSize;
-        UChar* buffer = static_cast<UChar*>(tryFastMalloc(bufferSize * sizeof(UChar)));
-        if (!buffer)
+        UChar* buffer;
+        if (!tryFastMalloc(bufferSize * sizeof(UChar)).getValue(buffer))
             return jsUndefined();
         buffer[0] = '<';
@@ -870 +870 @@
     unsigned stringSize = s.size();
     unsigned bufferSize = 15 + linkTextSize + stringSize;
-    UChar* buffer = static_cast<UChar*>(tryFastMalloc(bufferSize * sizeof(UChar)));
-    if (!buffer)
+    UChar* buffer;
+    if (!tryFastMalloc(bufferSize * sizeof(UChar)).getValue(buffer))
         return jsUndefined();
     buffer[0] = '<';

trunk/JavaScriptCore/runtime/UString.cpp

@@ -69 +69 @@
 static inline size_t maxUChars() { return std::numeric_limits<size_t>::max() / sizeof(UChar); }
 
-static inline UChar* allocChars(size_t length)
+static inline PossiblyNull<UChar*> allocChars(size_t length)
 {
     ASSERT(length);
     if (length > maxUChars())
         return 0;
-    return static_cast<UChar*>(tryFastMalloc(sizeof(UChar) * length));
-}
-
-static inline UChar* reallocChars(UChar* buffer, size_t length)
+    return tryFastMalloc(sizeof(UChar) * length);
+}
+
+static inline PossiblyNull<UChar*> reallocChars(UChar* buffer, size_t length)
 {
     ASSERT(length);
     if (length > maxUChars())
         return 0;
-    return static_cast<UChar*>(tryFastRealloc(buffer, sizeof(UChar) * length));
+    return tryFastRealloc(buffer, sizeof(UChar) * length);
 }
 
@@ -481 +481 @@
         size_t newCapacity = expandedSize(requiredLength, base->preCapacity);
         UChar* oldBuf = base->buf;
-        base->buf = reallocChars(base->buf, newCapacity);
-        if (!base->buf) {
+        if (!reallocChars(base->buf, newCapacity).getValue(base->buf)) {
             base->buf = oldBuf;
             return false;
@@ -513 +512 @@
     size_t newCapacity = expandedSize(capacity, base->preCapacity);
     UChar* oldBuf = base->buf;
-    base->buf = reallocChars(base->buf, newCapacity);
-    if (!base->buf) {
+    if (!reallocChars(base->buf, newCapacity).getValue(base->buf)) {
         base->buf = oldBuf;
         return false;
@@ -541 +539 @@
         int delta = newCapacity - base->capacity - base->preCapacity;
 
-        UChar* newBuf = allocChars(newCapacity);
-        if (!newBuf) {
+        UChar* newBuf;
+        if (!allocChars(newCapacity).getValue(newBuf)) {
             makeNull();
             return;
@@ -567 +565 @@
 
     size_t length = strlen(c);
-    UChar* d = allocChars(length);
-    if (!d)
+    UChar* d;
+    if (!allocChars(length).getValue(d))
         return &UString::Rep::null();
     else {
@@ -657 +655 @@
         // This is shared in some way that prevents us from modifying base, so we must make a whole new string.
         size_t newCapacity = expandedSize(length, 0);
-        UChar* d = allocChars(newCapacity);
-        if (!d)
+        UChar* d;
+        if (!allocChars(newCapacity).getValue(d))
             rep = &UString::Rep::null();
         else {
@@ -713 +711 @@
         // This is shared in some way that prevents us from modifying base, so we must make a whole new string.
         size_t newCapacity = expandedSize(length, 0);
-        UChar* d = allocChars(newCapacity);
-        if (!d)
+        UChar* d;
+        if (!allocChars(newCapacity).getValue(d))
             rep = &UString::Rep::null();
         else {
@@ -801 +799 @@
     // a does not qualify for append, and b does not qualify for prepend, gotta make a whole new string
     size_t newCapacity = expandedSize(length, 0);
-    UChar* d = allocChars(newCapacity);
-    if (!d)
+    UChar* d;
+    if (!allocChars(newCapacity).getValue(d))
         return 0;
     copyChars(d, a->data(), aSize);
@@ -1077 +1075 @@
         return "";
 
-    UChar* buffer = allocChars(totalLength);
-    if (!buffer)
+    UChar* buffer;
+    if (!allocChars(totalLength).getValue(buffer))
         return null();
 
@@ -1106 +1104 @@
         return "";
 
-    UChar* buffer = allocChars(totalLength);
-    if (!buffer)
+    UChar* buffer;
+    if (!allocChars(totalLength).getValue(buffer))
         return null();
 
@@ -1154 +1152 @@
         // This is shared in some way that prevents us from modifying base, so we must make a whole new string.
         size_t newCapacity = expandedSize(length, 0);
-        UChar* d = allocChars(newCapacity);
-        if (!d)
+        UChar* d;
+        if (!allocChars(newCapacity).getValue(d))
             makeNull();
         else {
@@ -1207 +1205 @@
         // this is empty - must make a new m_rep because we don't want to pollute the shared empty one 
         size_t newCapacity = expandedSize(1, 0);
-        UChar* d = allocChars(newCapacity);
-        if (!d)
+        UChar* d;
+        if (!allocChars(newCapacity).getValue(d))
             makeNull();
         else {
@@ -1235 +1233 @@
         // This is shared in some way that prevents us from modifying base, so we must make a whole new string.
         size_t newCapacity = expandedSize(length + 1, 0);
-        UChar* d = allocChars(newCapacity);
-        if (!d)
+        UChar* d;
+        if (!allocChars(newCapacity).getValue(d))
             makeNull();
         else {
@@ -1314 +1312 @@
         m_rep->len = l;
     } else {
-        d = allocChars(l);
-        if (!d) {
+        if (!allocChars(l).getValue(d)) {
             makeNull();
             return *this;

trunk/JavaScriptCore/runtime/UString.h

@@ -92 +92 @@
                 // Guard against integer overflow
                 if (size < (std::numeric_limits<size_t>::max() / sizeof(UChar))) {
-                    if (void * buf = tryFastMalloc(size * sizeof(UChar)))
+                    void * buf = 0;
+                    if (tryFastMalloc(size * sizeof(UChar)).getValue(buf))
                         return adoptRef(new BaseString(static_cast<UChar*>(buf), 0, size));
                 }

trunk/JavaScriptCore/wtf/FastMalloc.cpp

@@ -179 +179 @@
 }
     
-void* tryFastZeroedMalloc(size_t n) 
-{
-    void* result = tryFastMalloc(n);
-    if (!result)
+TryMallocReturnValue tryFastZeroedMalloc(size_t n) 
+{
+    void* result;
+    if (!tryFastMalloc(n).getValue(result))
         return 0;
     memset(result, 0, n);
@@ -201 +201 @@
 namespace WTF {
 
-void* tryFastMalloc(size_t n) 
+TryMallocReturnValue tryFastMalloc(size_t n) 
 {
     ASSERT(!isForbidden());
@@ -237 +237 @@
 }
 
-void* tryFastCalloc(size_t n_elements, size_t element_size)
+TryMallocReturnValue tryFastCalloc(size_t n_elements, size_t element_size)
 {
     ASSERT(!isForbidden());
@@ -292 +292 @@
 }
 
-void* tryFastRealloc(void* p, size_t n)
+TryMallocReturnValue tryFastRealloc(void* p, size_t n)
 {
     ASSERT(!isForbidden());
@@ -3577 +3577 @@
 }
 
-void* tryFastMalloc(size_t size)
+TryMallocReturnValue tryFastMalloc(size_t size)
 {
     return malloc<false>(size);
@@ -3638 +3638 @@
 }
 
-void* tryFastCalloc(size_t n, size_t elem_size)
+TryMallocReturnValue tryFastCalloc(size_t n, size_t elem_size)
 {
     return calloc<false>(n, elem_size);
@@ -3702 +3702 @@
 }
 
-void* tryFastRealloc(void* old_ptr, size_t new_size)
+TryMallocReturnValue tryFastRealloc(void* old_ptr, size_t new_size)
 {
     return realloc<false>(old_ptr, new_size);

trunk/JavaScriptCore/wtf/FastMalloc.h

@@ -23 +23 @@
 
 #include "Platform.h"
+#include "PossiblyNull.h"
 #include <stdlib.h>
 #include <new>
@@ -34 +35 @@
     void* fastRealloc(void*, size_t);
 
-    // These functions return 0 if an allocation fails.
-    void* tryFastMalloc(size_t);
-    void* tryFastZeroedMalloc(size_t);
-    void* tryFastCalloc(size_t numElements, size_t elementSize);
-    void* tryFastRealloc(void*, size_t);
+    struct TryMallocReturnValue {
+        TryMallocReturnValue(void* data)
+            : m_data(data)
+        {
+        }
+        TryMallocReturnValue(const TryMallocReturnValue& source)
+            : m_data(source.m_data)
+        {
+            source.m_data = 0;
+        }
+        ~TryMallocReturnValue() { ASSERT(!m_data); }
+        template <typename T> bool getValue(T& data) WARN_UNUSED_RETURN;
+        template <typename T> operator PossiblyNull<T>()
+        { 
+            T value; 
+            getValue(value); 
+            return PossiblyNull<T>(value);
+        } 
+    private:
+        mutable void* m_data;
+    };
+    
+    template <typename T> bool TryMallocReturnValue::getValue(T& data) {
+        union u { void* data; T target; } res;
+        res.data = m_data;
+        data = res.target;
+        bool returnValue = !!m_data;
+        m_data = 0;
+        return returnValue;
+    }
+
+    TryMallocReturnValue tryFastMalloc(size_t n);
+    TryMallocReturnValue tryFastZeroedMalloc(size_t n);
+    TryMallocReturnValue tryFastCalloc(size_t n_elements, size_t element_size);
+    TryMallocReturnValue tryFastRealloc(void* p, size_t n);
 
     void fastFree(void*);

trunk/JavaScriptCore/wtf/Platform.h

@@ -733 +733 @@
 #endif
 
+#if COMPILER(GCC)
+#define WARN_UNUSED_RETURN __attribute__ ((warn_unused_result))
+#else
+#define WARN_UNUSED_RETURN
+#endif
+
 #endif /* WTF_Platform_h */

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-08-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Make it harder to misuse try* allocation routines
+        https://bugs.webkit.org/show_bug.cgi?id=27469
+
+        Add forwarding header for PossiblyNull type, and add missing null check
+        to ImageBuffer creation.
+
+        * ForwardingHeaders/wtf/PossiblyNull.h: Added.
+        * platform/graphics/cg/ImageBufferCG.cpp:
+        (WebCore::ImageBuffer::ImageBuffer):
+
 2009-08-11  Gavin Barraclough  <barraclough@apple.com>
 

trunk/WebCore/platform/graphics/cg/ImageBufferCG.cpp

@@ -66 +66 @@
     }
 
-    m_data.m_data = tryFastCalloc(size.height(), bytesPerRow);
+    if (!tryFastCalloc(size.height(), bytesPerRow).getValue(m_data.m_data))
+        return;
+
     ASSERT((reinterpret_cast<size_t>(m_data.m_data) & 2) == 0);