Ignore:
Timestamp:
Nov 1, 2017, 6:54:43 PM (8 years ago)
Author:
[email protected]
Message:

Add support to throw OOM if MarkedArgumentBuffer may overflow.
https://bugs.webkit.org/show_bug.cgi?id=179092
<rdar://problem/35116160>

Reviewed by Saam Barati.

Source/JavaScriptCore:

The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
time, which renders it unsuitable for automated tests. Instead, I've run a
test manually to verify that an OutOfMemoryError will be thrown when an overflow
occurs.

The MarkedArgumentBuffer's destructor will now assert that the client has indeed
checked for an overflow after invoking methods that may result in an overflow i.e.
the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
This is only done on debug builds.

  • API/JSObjectRef.cpp:

(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeRegExp):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):

  • dfg/DFGOperations.cpp:
  • inspector/InjectedScriptManager.cpp:

(Inspector::InjectedScriptManager::createInjectedScript):

  • inspector/JSJavaScriptCallFrame.cpp:

(Inspector::JSJavaScriptCallFrame::scopeChain const):

  • interpreter/Interpreter.cpp:

(JSC::Interpreter::executeProgram):

  • jsc.cpp:

(functionDollarAgentReceiveBroadcast):

  • runtime/ArgList.cpp:

(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
(JSC::MarkedArgumentBuffer::slowAppend):

  • runtime/ArgList.h:

(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::appendWithAction):
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
(JSC::MarkedArgumentBuffer::hasOverflowed):
(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):

  • runtime/ArrayPrototype.cpp:
  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

  • runtime/GetterSetter.cpp:

(JSC::callSetter):

  • runtime/IteratorOperations.cpp:

(JSC::iteratorNext):
(JSC::iteratorClose):

  • runtime/JSBoundFunction.cpp:

(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):

  • runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):

  • runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::haveABadTime):

  • runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

  • runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

  • runtime/JSMapIterator.cpp:

(JSC::JSMapIterator::createPair):

  • runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

  • runtime/JSONObject.cpp:

(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Walker::callReviver):

  • runtime/JSObject.cpp:

(JSC::ordinarySetSlow):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::hasInstance):

  • runtime/JSPromise.cpp:

(JSC::JSPromise::initialize):
(JSC::JSPromise::resolve):

  • runtime/JSPromiseDeferred.cpp:

(JSC::newPromiseCapability):
(JSC::callFunction):

  • runtime/JSSetIterator.cpp:

(JSC::JSSetIterator::createPair):

  • runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

  • runtime/MapConstructor.cpp:

(JSC::constructMap):

  • runtime/ObjectConstructor.cpp:

(JSC::defineProperties):

  • runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

  • runtime/ReflectObject.cpp:

(JSC::reflectObjectConstruct):

  • runtime/SetConstructor.cpp:

(JSC::constructSet):

  • runtime/StringPrototype.cpp:

(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):

  • runtime/WeakMapConstructor.cpp:

(JSC::constructWeakMap):

  • runtime/WeakSetConstructor.cpp:

(JSC::constructWeakSet):

  • wasm/js/WasmToJS.cpp:

(JSC::Wasm::wasmToJS):

Source/WebCore:

No new tests. The test for overflowing a MarkedArgumentBuffer will run for a
ridiculously long time, which renders it unsuitable for automated tests.

  • Modules/plugins/QuickTimePluginReplacement.mm:

(WebCore::QuickTimePluginReplacement::installReplacement):

  • bindings/js/JSCustomElementInterface.cpp:

(WebCore::constructCustomElementSynchronously):
(WebCore::JSCustomElementInterface::upgradeElement):
(WebCore::JSCustomElementInterface::invokeCallback):

  • bindings/js/JSCustomXPathNSResolver.cpp:

(WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):

  • bindings/js/JSDOMBuiltinConstructorBase.cpp:

(WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments):

  • bindings/js/JSDOMConvertSequences.h:

(WebCore::JSConverter<IDLSequence<T>>::convert):
(WebCore::JSConverter<IDLFrozenArray<T>>::convert):

  • bindings/js/JSDOMConvertWebGL.cpp:

(WebCore::convertToJSValue):

  • bindings/js/JSDOMIterator.h:

(WebCore::jsPair):
(WebCore::iteratorForEach):

  • bindings/js/JSDOMMapLike.cpp:

(WebCore::forwardFunctionCallToBackingMap):
(WebCore::forwardForEachCallToBackingMap):

  • bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::createRejectedPromiseWithTypeError):

  • bindings/js/JSErrorHandler.cpp:

(WebCore::JSErrorHandler::handleEvent):

  • bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::handleEvent):

  • bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction const):

  • bindings/js/JSPluginElementFunctions.cpp:

(WebCore::callPlugin):

  • bindings/js/JSReadableStreamPrivateConstructors.cpp:

(WebCore::constructJSReadableStreamReaderGeneric):

  • bindings/js/ReadableStream.cpp:

(WebCore::ReadableStream::create):
(WebCore::ReadableStream::pipeTo):
(WebCore::ReadableStream::tee):
(WebCore::ReadableStream::lock):
(WebCore::checkReadableStream):

  • bindings/js/ReadableStreamDefaultController.cpp:

(WebCore::ReadableStreamDefaultController::invoke):

  • bindings/js/ScheduledAction.cpp:

(WebCore::ScheduledAction::executeFunctionInContext):

  • bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::recordObject):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):

  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateCallbackImplementationContent):

  • bindings/scripts/test/JS/JSTestCallbackFunction.cpp:

(WebCore::JSTestCallbackFunction::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp:

(WebCore::JSTestCallbackFunctionRethrow::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp:

(WebCore::JSTestCallbackFunctionWithThisObject::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp:

(WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent):

  • bindings/scripts/test/JS/JSTestCallbackInterface.cpp:

(WebCore::JSTestCallbackInterface::callbackWithNoParam):
(WebCore::JSTestCallbackInterface::callbackWithArrayParam):
(WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam):
(WebCore::JSTestCallbackInterface::callbackWithStringList):
(WebCore::JSTestCallbackInterface::callbackWithBoolean):
(WebCore::JSTestCallbackInterface::callbackRequiresThisToPass):
(WebCore::JSTestCallbackInterface::callbackWithAReturnValue):
(WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions):
(WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck):
(WebCore::JSTestCallbackInterface::callbackWithThisObject):

  • bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp:

(WebCore::JSTestVoidCallbackFunction::handleEvent):

  • bridge/NP_jsobject.cpp:
  • bridge/objc/WebScriptObject.mm:

(-[WebScriptObject callWebScriptMethod:withArguments:]):

  • html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::updateCaptionContainer):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):

  • html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):

  • testing/Internals.cpp:

(WebCore::Internals::cloneArrayBuffer):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

    r223125 r224309  
    4242    for (unsigned i = 0; i < exec->argumentCount(); ++i)
    4343        args.append(exec->uncheckedArgument(i));
     44    RELEASE_ASSERT(!args.hasOverflowed());
    4445
    4546    JSFunction* targetFunction = jsCast<JSFunction*>(boundFunction->targetFunction());
     
    5758EncodedJSValue JSC_HOST_CALL boundFunctionCall(ExecState* exec)
    5859{
     60    VM& vm = exec->vm();
     61    auto scope = DECLARE_THROW_SCOPE(vm);
    5962    JSBoundFunction* boundFunction = jsCast<JSBoundFunction*>(exec->jsCallee());
    6063
     
    6871    for (unsigned i = 0; i < exec->argumentCount(); ++i)
    6972        args.append(exec->uncheckedArgument(i));
     73    if (UNLIKELY(args.hasOverflowed())) {
     74        throwOutOfMemoryError(exec, scope);
     75        return encodedJSValue();
     76    }
    7077
    7178    JSObject* targetFunction = boundFunction->targetFunction();
     
    7380    CallType callType = getCallData(targetFunction, callData);
    7481    ASSERT(callType != CallType::None);
     82    scope.release();
    7583    return JSValue::encode(call(exec, targetFunction, callType, callData, boundFunction->boundThis(), args));
    7684}
     
    8391    for (unsigned i = 0; i < exec->argumentCount(); ++i)
    8492        args.append(exec->uncheckedArgument(i));
     93    RELEASE_ASSERT(!args.hasOverflowed());
    8594
    8695    JSFunction* targetFunction = jsCast<JSFunction*>(boundFunction->targetFunction());
     
    93102EncodedJSValue JSC_HOST_CALL boundFunctionConstruct(ExecState* exec)
    94103{
     104    VM& vm = exec->vm();
     105    auto scope = DECLARE_THROW_SCOPE(vm);
    95106    JSBoundFunction* boundFunction = jsCast<JSBoundFunction*>(exec->jsCallee());
    96107
     
    104115    for (unsigned i = 0; i < exec->argumentCount(); ++i)
    105116        args.append(exec->uncheckedArgument(i));
     117    if (UNLIKELY(args.hasOverflowed())) {
     118        throwOutOfMemoryError(exec, scope);
     119        return encodedJSValue();
     120    }
    106121
    107122    JSObject* targetFunction = boundFunction->targetFunction();
     
    109124    ConstructType constructType = getConstructData(targetFunction, constructData);
    110125    ASSERT(constructType != ConstructType::None);
     126    scope.release();
    111127    return JSValue::encode(construct(exec, targetFunction, constructType, constructData, args));
    112128}
Note: See TracChangeset for help on using the changeset viewer.