Changeset 224309 in webkit for trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

Timestamp:

Nov 1, 2017, 6:54:43 PM (8 years ago)

Author:

[email protected]

Message:

Add support to throw OOM if MarkedArgumentBuffer may overflow.
​https://bugs.webkit.org/show_bug.cgi?id=179092
<rdar://problem/35116160>

Reviewed by Saam Barati.

Source/JavaScriptCore:

The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
time, which renders it unsuitable for automated tests. Instead, I've run a
test manually to verify that an OutOfMemoryError will be thrown when an overflow
occurs.

The MarkedArgumentBuffer's destructor will now assert that the client has indeed
checked for an overflow after invoking methods that may result in an overflow i.e.
the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
This is only done on debug builds.

• API/JSObjectRef.cpp:

(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeRegExp):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):

• dfg/DFGOperations.cpp:
• inspector/InjectedScriptManager.cpp:

(Inspector::InjectedScriptManager::createInjectedScript):

• inspector/JSJavaScriptCallFrame.cpp:

(Inspector::JSJavaScriptCallFrame::scopeChain const):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::executeProgram):

• jsc.cpp:

(functionDollarAgentReceiveBroadcast):

• runtime/ArgList.cpp:

(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
(JSC::MarkedArgumentBuffer::slowAppend):

• runtime/ArgList.h:

(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::appendWithAction):
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
(JSC::MarkedArgumentBuffer::hasOverflowed):
(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):

• runtime/ArrayPrototype.cpp:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/GetterSetter.cpp:

(JSC::callSetter):

• runtime/IteratorOperations.cpp:

(JSC::iteratorNext):
(JSC::iteratorClose):

• runtime/JSBoundFunction.cpp:

(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):

• runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::haveABadTime):

• runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

• runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

• runtime/JSMapIterator.cpp:

(JSC::JSMapIterator::createPair):

• runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

• runtime/JSONObject.cpp:

(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Walker::callReviver):

• runtime/JSObject.cpp:

(JSC::ordinarySetSlow):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::hasInstance):

• runtime/JSPromise.cpp:

(JSC::JSPromise::initialize):
(JSC::JSPromise::resolve):

• runtime/JSPromiseDeferred.cpp:

(JSC::newPromiseCapability):
(JSC::callFunction):

• runtime/JSSetIterator.cpp:

(JSC::JSSetIterator::createPair):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/ObjectConstructor.cpp:

(JSC::defineProperties):

• runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

• runtime/ReflectObject.cpp:

(JSC::reflectObjectConstruct):

• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/StringPrototype.cpp:

(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):

• runtime/WeakMapConstructor.cpp:

(JSC::constructWeakMap):

• runtime/WeakSetConstructor.cpp:

(JSC::constructWeakSet):

• wasm/js/WasmToJS.cpp:

(JSC::Wasm::wasmToJS):

Source/WebCore:

No new tests. The test for overflowing a MarkedArgumentBuffer will run for a
ridiculously long time, which renders it unsuitable for automated tests.

• Modules/plugins/QuickTimePluginReplacement.mm:

(WebCore::QuickTimePluginReplacement::installReplacement):

• bindings/js/JSCustomElementInterface.cpp:

(WebCore::constructCustomElementSynchronously):
(WebCore::JSCustomElementInterface::upgradeElement):
(WebCore::JSCustomElementInterface::invokeCallback):

• bindings/js/JSCustomXPathNSResolver.cpp:

(WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):

• bindings/js/JSDOMBuiltinConstructorBase.cpp:

(WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments):

• bindings/js/JSDOMConvertSequences.h:

(WebCore::JSConverter<IDLSequence<T>>::convert):
(WebCore::JSConverter<IDLFrozenArray<T>>::convert):

• bindings/js/JSDOMConvertWebGL.cpp:

(WebCore::convertToJSValue):

• bindings/js/JSDOMIterator.h:

(WebCore::jsPair):
(WebCore::iteratorForEach):

• bindings/js/JSDOMMapLike.cpp:

(WebCore::forwardFunctionCallToBackingMap):
(WebCore::forwardForEachCallToBackingMap):

• bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::createRejectedPromiseWithTypeError):

• bindings/js/JSErrorHandler.cpp:

(WebCore::JSErrorHandler::handleEvent):

• bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::handleEvent):

• bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction const):

• bindings/js/JSPluginElementFunctions.cpp:

(WebCore::callPlugin):

• bindings/js/JSReadableStreamPrivateConstructors.cpp:

(WebCore::constructJSReadableStreamReaderGeneric):

• bindings/js/ReadableStream.cpp:

(WebCore::ReadableStream::create):
(WebCore::ReadableStream::pipeTo):
(WebCore::ReadableStream::tee):
(WebCore::ReadableStream::lock):
(WebCore::checkReadableStream):

• bindings/js/ReadableStreamDefaultController.cpp:

(WebCore::ReadableStreamDefaultController::invoke):

• bindings/js/ScheduledAction.cpp:

(WebCore::ScheduledAction::executeFunctionInContext):

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::recordObject):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateCallbackImplementationContent):

• bindings/scripts/test/JS/JSTestCallbackFunction.cpp:

(WebCore::JSTestCallbackFunction::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp:

(WebCore::JSTestCallbackFunctionRethrow::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp:

(WebCore::JSTestCallbackFunctionWithThisObject::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp:

(WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackInterface.cpp:

(WebCore::JSTestCallbackInterface::callbackWithNoParam):
(WebCore::JSTestCallbackInterface::callbackWithArrayParam):
(WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam):
(WebCore::JSTestCallbackInterface::callbackWithStringList):
(WebCore::JSTestCallbackInterface::callbackWithBoolean):
(WebCore::JSTestCallbackInterface::callbackRequiresThisToPass):
(WebCore::JSTestCallbackInterface::callbackWithAReturnValue):
(WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions):
(WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck):
(WebCore::JSTestCallbackInterface::callbackWithThisObject):

• bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp:

(WebCore::JSTestVoidCallbackFunction::handleEvent):

• bridge/NP_jsobject.cpp:
• bridge/objc/WebScriptObject.mm:

(-[WebScriptObject callWebScriptMethod:withArguments:]):

• html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::updateCaptionContainer):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):

• html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):

• testing/Internals.cpp:

(WebCore::Internals::cloneArrayBuffer):

File:

• trunk/Source/JavaScriptCore/runtime/JSONObject.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -314 +314 @@
     MarkedArgumentBuffer args;
     args.append(propertyName.value(m_exec));
+    ASSERT(!args.hasOverflowed());
     return call(m_exec, asObject(toJSONFunction), callType, callData, value, args);
 }
@@ -331 +332 @@
         args.append(propertyName.value(m_exec));
         args.append(value);
+        ASSERT(!args.hasOverflowed());
         value = call(m_exec, m_replacer.get(), m_replacerCallType, m_replacerCallData, holder.object(), args);
         RETURN_IF_EXCEPTION(scope, StringifyFailed);
@@ -610 +612 @@
         args.append(property);
         args.append(unfiltered);
+        ASSERT(!args.hasOverflowed());
         return call(m_exec, m_function.get(), m_callType, m_callData, thisObj, args);
     }