Timestamp:
Nov 1, 2017, 6:54:43 PM (8 years ago)
Author:
[email protected]
Message:

Add support to throw OOM if MarkedArgumentBuffer may overflow.
https://bugs.webkit.org/show_bug.cgi?id=179092
<rdar://problem/35116160>

Reviewed by Saam Barati.

Source/JavaScriptCore:

The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
time, which renders it unsuitable for automated tests. Instead, I've run a
test manually to verify that an OutOfMemoryError will be thrown when an overflow
occurs.

The MarkedArgumentBuffer's destructor will now assert that the client has indeed
checked for an overflow after invoking methods that may result in one, i.e. the
destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
This is only done on debug builds.

  • API/JSObjectRef.cpp:

(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeRegExp):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):

  • dfg/DFGOperations.cpp:
  • inspector/InjectedScriptManager.cpp:

(Inspector::InjectedScriptManager::createInjectedScript):

  • inspector/JSJavaScriptCallFrame.cpp:

(Inspector::JSJavaScriptCallFrame::scopeChain const):

  • interpreter/Interpreter.cpp:

(JSC::Interpreter::executeProgram):

  • jsc.cpp:

(functionDollarAgentReceiveBroadcast):

  • runtime/ArgList.cpp:

(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
(JSC::MarkedArgumentBuffer::slowAppend):

  • runtime/ArgList.h:

(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::appendWithAction):
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
(JSC::MarkedArgumentBuffer::hasOverflowed):
(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):

  • runtime/ArrayPrototype.cpp:
  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

  • runtime/GetterSetter.cpp:

(JSC::callSetter):

  • runtime/IteratorOperations.cpp:

(JSC::iteratorNext):
(JSC::iteratorClose):

  • runtime/JSBoundFunction.cpp:

(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):

  • runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):

  • runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::haveABadTime):

  • runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

  • runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

  • runtime/JSMapIterator.cpp:

(JSC::JSMapIterator::createPair):

  • runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

  • runtime/JSONObject.cpp:

(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Walker::callReviver):

  • runtime/JSObject.cpp:

(JSC::ordinarySetSlow):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::hasInstance):

  • runtime/JSPromise.cpp:

(JSC::JSPromise::initialize):
(JSC::JSPromise::resolve):

  • runtime/JSPromiseDeferred.cpp:

(JSC::newPromiseCapability):
(JSC::callFunction):

  • runtime/JSSetIterator.cpp:

(JSC::JSSetIterator::createPair):

  • runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

  • runtime/MapConstructor.cpp:

(JSC::constructMap):

  • runtime/ObjectConstructor.cpp:

(JSC::defineProperties):

  • runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

  • runtime/ReflectObject.cpp:

(JSC::reflectObjectConstruct):

  • runtime/SetConstructor.cpp:

(JSC::constructSet):

  • runtime/StringPrototype.cpp:

(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):

  • runtime/WeakMapConstructor.cpp:

(JSC::constructWeakMap):

  • runtime/WeakSetConstructor.cpp:

(JSC::constructWeakSet):

  • wasm/js/WasmToJS.cpp:

(JSC::Wasm::wasmToJS):

Source/WebCore:

No new tests. The test for overflowing a MarkedArgumentBuffer will run for a
ridiculously long time, which renders it unsuitable for automated tests.

  • Modules/plugins/QuickTimePluginReplacement.mm:

(WebCore::QuickTimePluginReplacement::installReplacement):

  • bindings/js/JSCustomElementInterface.cpp:

(WebCore::constructCustomElementSynchronously):
(WebCore::JSCustomElementInterface::upgradeElement):
(WebCore::JSCustomElementInterface::invokeCallback):

  • bindings/js/JSCustomXPathNSResolver.cpp:

(WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):

  • bindings/js/JSDOMBuiltinConstructorBase.cpp:

(WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments):

  • bindings/js/JSDOMConvertSequences.h:

(WebCore::JSConverter<IDLSequence<T>>::convert):
(WebCore::JSConverter<IDLFrozenArray<T>>::convert):

  • bindings/js/JSDOMConvertWebGL.cpp:

(WebCore::convertToJSValue):

  • bindings/js/JSDOMIterator.h:

(WebCore::jsPair):
(WebCore::iteratorForEach):

  • bindings/js/JSDOMMapLike.cpp:

(WebCore::forwardFunctionCallToBackingMap):
(WebCore::forwardForEachCallToBackingMap):

  • bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::createRejectedPromiseWithTypeError):

  • bindings/js/JSErrorHandler.cpp:

(WebCore::JSErrorHandler::handleEvent):

  • bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::handleEvent):

  • bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction const):

  • bindings/js/JSPluginElementFunctions.cpp:

(WebCore::callPlugin):

  • bindings/js/JSReadableStreamPrivateConstructors.cpp:

(WebCore::constructJSReadableStreamReaderGeneric):

  • bindings/js/ReadableStream.cpp:

(WebCore::ReadableStream::create):
(WebCore::ReadableStream::pipeTo):
(WebCore::ReadableStream::tee):
(WebCore::ReadableStream::lock):
(WebCore::checkReadableStream):

  • bindings/js/ReadableStreamDefaultController.cpp:

(WebCore::ReadableStreamDefaultController::invoke):

  • bindings/js/ScheduledAction.cpp:

(WebCore::ScheduledAction::executeFunctionInContext):

  • bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::recordObject):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):

  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateCallbackImplementationContent):

  • bindings/scripts/test/JS/JSTestCallbackFunction.cpp:

(WebCore::JSTestCallbackFunction::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp:

(WebCore::JSTestCallbackFunctionRethrow::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp:

(WebCore::JSTestCallbackFunctionWithThisObject::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp:

(WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackInterface.cpp:

(WebCore::JSTestCallbackInterface::callbackWithNoParam):
(WebCore::JSTestCallbackInterface::callbackWithArrayParam):
(WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam):
(WebCore::JSTestCallbackInterface::callbackWithStringList):
(WebCore::JSTestCallbackInterface::callbackWithBoolean):
(WebCore::JSTestCallbackInterface::callbackRequiresThisToPass):
(WebCore::JSTestCallbackInterface::callbackWithAReturnValue):
(WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions):
(WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck):
(WebCore::JSTestCallbackInterface::callbackWithThisObject):

  • bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp:

(WebCore::JSTestVoidCallbackFunction::handleEvent):

  • bridge/NP_jsobject.cpp:
  • bridge/objc/WebScriptObject.mm:

(-[WebScriptObject callWebScriptMethod:withArguments:]):

  • html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::updateCaptionContainer):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):

  • html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):

  • testing/Internals.cpp:

(WebCore::Internals::cloneArrayBuffer):

File:
1 edited

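--- a/trunk/Source/JavaScriptCore/API/JSObjectRef.cpp
+++ b/trunk/Source/JavaScriptCore/API/JSObjectRef.cpp
@@ -152,4 +152,10 @@
         args.append(jsString(exec, parameterNames[i]->string()));
     args.append(jsString(exec, body->string()));
+    if (UNLIKELY(args.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     auto sourceURLString = sourceURL ? sourceURL->string() : String();
@@ -176,4 +182,10 @@
         for (size_t i = 0; i < argumentCount; ++i)
             argList.append(toJS(exec, arguments[i]));
+        if (UNLIKELY(argList.hasOverflowed())) {
+            auto throwScope = DECLARE_THROW_SCOPE(vm);
+            throwOutOfMemoryError(exec, throwScope);
+            handleExceptionIfNeeded(scope, exec, exception);
+            return 0;
+        }
 
         result = constructArray(exec, static_cast<ArrayAllocationProfile*>(0), argList);
@@ -201,4 +213,10 @@
     for (size_t i = 0; i < argumentCount; ++i)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), JSValue(), argList);
@@ -244,4 +262,10 @@
     for (size_t i = 0; i < argumentCount; ++i)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList);
@@ -582,4 +606,10 @@
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     CallData callData;
@@ -623,4 +653,10 @@
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObjectRef result = toRef(profiledConstruct(exec, ProfilingReason::API, jsObject, constructType, constructData, argList));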
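Review bot: The six-line overflow-to-OutOfMemoryError block is pasted verbatim at all six call sites in this file (JSObjectMakeFunction, JSObjectMakeArray, JSObjectMakeDate, JSObjectMakeRegExp, JSObjectCallAsFunction, JSObjectCallAsConstructor), and every copy has to remember both the throw and the `handleExceptionIfNeeded(scope, exec, exception)` step that actually hands the error to the C API caller; a file-local helper would reduce each check to a guarded `return 0;` that is hard to get wrong when the next MarkedArgumentBuffer consumer is added to this file. Per the ChangeLog the missing-check assertion in ~MarkedArgumentBuffer only fires on debug builds, so a release-only path that forgets the check would silently go on with a truncated argument list, which is the failure mode the helper guards against. The enclosing functions all begin outside these hunks, so I am assuming `scope` is the CatchScope each of them declares up front and that `vm` is `exec->vm()`; adjust the helper's parameter types if they differ. A sketch, with the first call site converted:
```cpp
// Reports a MarkedArgumentBuffer overflow to the C API caller as an
// OutOfMemoryError via the `exception` out-parameter. Returns true when the
// caller must bail out, so a truncated argument list is never handed to JSC.
static bool throwOOMIfArgumentsOverflowed(CatchScope& scope, ExecState* exec, const MarkedArgumentBuffer& args, JSValueRef* exception)
{
    if (LIKELY(!args.hasOverflowed()))
        return false;
    auto throwScope = DECLARE_THROW_SCOPE(exec->vm());
    throwOutOfMemoryError(exec, throwScope);
    handleExceptionIfNeeded(scope, exec, exception);
    return true;
}

// … unchanged: JSObjectMakeFunction up to the parameter-name loop …
    args.append(jsString(exec, body->string()));
    if (throwOOMIfArgumentsOverflowed(scope, exec, args, exception))
        return 0;
// … unchanged: remaining call sites follow the same pattern …
```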