Title: [210540] trunk/Source/JavaScriptCore
Revision
210540
Author
akl...@apple.com
Date
2017-01-10 04:16:35 -0800 (Tue, 10 Jan 2017)

Log Message

Crash when GC heap grows way too large.
<https://webkit.org/b/166875>
<rdar://problem/27896585>

Reviewed by Mark Lam.

Hard cap the JavaScript heap at 4GB of live objects (determined post-GC.)
If we go past this limit, crash with a recognizable signature.

* heap/Heap.cpp:
(JSC::Heap::didExceedHeapSizeLimit):
(JSC::Heap::updateAllocationLimits):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (210539 => 210540)


--- trunk/Source/_javascript_Core/ChangeLog	2017-01-10 11:03:12 UTC (rev 210539)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-01-10 12:16:35 UTC (rev 210540)
@@ -1,3 +1,18 @@
+2017-01-10  Andreas Kling  <akl...@apple.com>
+
+        Crash when GC heap grows way too large.
+        <https://webkit.org/b/166875>
+        <rdar://problem/27896585>
+
+        Reviewed by Mark Lam.
+
+        Hard cap the _javascript_ heap at 4GB of live objects (determined post-GC.)
+        If we go past this limit, crash with a recognizable signature.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::didExceedHeapSizeLimit):
+        (JSC::Heap::updateAllocationLimits):
+
 2017-01-09  Yusuke Suzuki  <utatane....@gmail.com>
 
         Implement JSSourceCode to propagate SourceCode in module pipeline

Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (210539 => 210540)


--- trunk/Source/_javascript_Core/heap/Heap.cpp	2017-01-10 11:03:12 UTC (rev 210539)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp	2017-01-10 12:16:35 UTC (rev 210540)
@@ -1646,6 +1646,11 @@
     m_sweeper->startSweeping();
 }
 
+NEVER_INLINE void Heap::didExceedHeapSizeLimit()
+{
+    CRASH();
+}
+
 void Heap::updateAllocationLimits()
 {
     static const bool verbose = false;
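Review bot: the definition of `didExceedHeapSizeLimit()` is marked `NEVER_INLINE` but carries no comment saying why; since the whole purpose of the function is to give crash reports a recognizable frame (as the log message says), add a one-line comment such as `// Kept out of line so the crash signature names this function.` above `NEVER_INLINE void Heap::didExceedHeapSizeLimit()`, otherwise a later cleanup may inline it and silently lose the signature.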
@@ -1677,6 +1682,12 @@
 
     if (verbose)
         dataLog("extraMemorySize() = ", extraMemorySize(), ", currentHeapSize = ", currentHeapSize, "\n");
+
+#if USE(JSVALUE64)
+    // If the heap has grown larger than 4GB, just crash before things get out of control.
+    if (currentHeapSize > 4096 * MB)
+        didExceedHeapSizeLimit();
+#endif
     
     if (Options::gcMaxHeapSize() && currentHeapSize > Options::gcMaxHeapSize())
         HeapStatistics::exitWithFailure();
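Review bot: the literal `4096 * MB` in `if (currentHeapSize > 4096 * MB)` encodes the 4GB cap twice (here and in the ChangeLog) with no named constant; hoist it to something like `static const size_t maxHeapSizeForCrash = 4096 * MB;` next to the other size constants so the limit is greppable and the `#if USE(JSVALUE64)` guard, which is what keeps the multiplication from overflowing a 32-bit `size_t`, can be explained in one place. Two further points worth a comment in the hunk: the check runs only inside `updateAllocationLimits()`, i.e. after a collection, so growth between collections is not caught until the next GC, and the new path crashes via `didExceedHeapSizeLimit()` while the adjacent `Options::gcMaxHeapSize()` check exits via `HeapStatistics::exitWithFailure()`; stating that the 4GB cap is a hard safety net and the option is a testing limit would clarify why the two conditions fail differently.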

Modified: trunk/Source/_javascript_Core/heap/Heap.h (210539 => 210540)


--- trunk/Source/_javascript_Core/heap/Heap.h	2017-01-10 11:03:12 UTC (rev 210539)
+++ trunk/Source/_javascript_Core/heap/Heap.h	2017-01-10 12:16:35 UTC (rev 210540)
@@ -507,6 +507,8 @@
     
     void assertSharedMarkStacksEmpty();
 
+    NO_RETURN_DUE_TO_CRASH void didExceedHeapSizeLimit();
+
     const HeapType m_heapType;
     const size_t m_ramSize;
     const size_t m_minBytesPerCycle;
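Review bot: the declaration `NO_RETURN_DUE_TO_CRASH void didExceedHeapSizeLimit();` is placed between `assertSharedMarkStacksEmpty()` and the data members with no comment, and it is the only place the no-return attribute appears (the definition in Heap.cpp uses `NEVER_INLINE`); a short comment here stating that the function never returns and exists only to produce a recognizable crash signature would keep the two annotations from looking inconsistent to the next reader.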