Title: [259478] trunk
Revision
259478
Author
[email protected]
Date
2020-04-03 11:29:05 -0700 (Fri, 03 Apr 2020)

Log Message

[JSC] TypedArray#subarray should throw OOM error gracefully
https://bugs.webkit.org/show_bug.cgi?id=209974
<rdar://problem/61253901>

Reviewed by Mark Lam.

JSTests:

* stress/typed-array-subarray-can-throw-oom-error.js: Added.
(foo):
(canThrow):
(bar):
(get bar):

Source/JavaScriptCore:

After the r259069 change, possiblySharedBuffer can return nullptr if OOM happens.
However, TypedArray#subarray didn't handle this case properly. This patch throws
an OOM error appropriately if possiblySharedBuffer returns nullptr in TypedArray#subarray.

* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
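The commit message describes the failure only from the engine side: subarray() must obtain the parent's ArrayBuffer, and that step can now fail. The block below is an added example, not code from the WebKit commit or from the stress test it adds. It shows what subarray() guarantees to script (the new view aliases the parent's buffer at `parent.byteOffset + begin * elementSize`, which is the `newByteOffset` computation in the patched function, and begin/end resolve spec-style with negative indices and clamping), and a stricter variant of the test's `canThrow` helper that distinguishes a clean run from an OOM from any other exception. The OOM message text `Error: Out of memory` is assumed from the test file; whether an OOM is ever observed depends on the engine and available memory, so `exerciseSubarray` tallies outcomes instead of asserting one.

```javascript
// Added example, not from the WebKit commit: what TypedArray#subarray
// guarantees to script, plus a stricter variant of the test's canThrow.
const ELEMENT_SIZE = Uint32Array.BYTES_PER_ELEMENT; // 4

// Spec-style relative index: negatives count from the end, then clamp to [0, length].
function resolveIndex(relative, length) {
  if (relative < 0) return Math.max(length + relative, 0);
  return Math.min(relative, length);
}

// Build a Uint32Array of `length` elements, take subarray(begin, end), and report
// the properties a caller relies on: the view shares the parent's buffer, its
// byteOffset is parent.byteOffset + begin * elementSize (the newByteOffset
// computation in the patched JSC function), and writes are visible both ways.
function subarrayAliases(length, begin, end = length) {
  const base = new Uint32Array(length);
  const view = base.subarray(begin, end);
  const b = resolveIndex(begin, length);
  const e = resolveIndex(end, length);
  const marker = 0xdeadbeef;
  if (view.length > 0) view[0] = marker;
  return {
    sharesBuffer: view.buffer === base.buffer,
    byteOffset: view.byteOffset,
    expectedByteOffset: base.byteOffset + b * ELEMENT_SIZE,
    length: view.length,
    expectedLength: Math.max(e - b, 0),
    parentSeesWrite: view.length === 0 || base[b] === marker,
  };
}

// subarray of a subarray: offsets accumulate relative to the root buffer.
function nestedByteOffset(length, first, second) {
  return new Uint32Array(length).subarray(first).subarray(second).byteOffset;
}

// Stricter than the test's canThrow: returns 'ok' when nothing is thrown,
// 'oom' when the engine's OOM error is thrown (message assumed from the
// test file, "Error: Out of memory"), and rethrows anything else, so a
// wrong error type is never silently accepted.
function classifyRun(func, oomMessage = 'Error: Out of memory') {
  try {
    func();
  } catch (e) {
    if (String(e) === oomMessage) return 'oom';
    throw new Error(`bad error: ${String(e)}`);
  }
  return 'ok';
}

// Drive the same call the stress test loops over and tally outcomes. Whether
// any 'oom' is observed depends on engine and memory; every run must be one
// of the two accepted outcomes.
function exerciseSubarray(iterations) {
  const counts = { ok: 0, oom: 0 };
  for (let i = 0; i < iterations; i++)
    counts[classifyRun(() => new Uint32Array(1000).subarray())]++;
  return counts;
}
```

The aliasing is the reason the engine needs a materialised ArrayBuffer at all: a view that shares storage with its parent has to point at the same allocation, and in JSC that allocation is created on demand by possiblySharedBuffer(), which is the call that can now fail under memory pressure.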

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

Added Paths

trunk/JSTests/stress/typed-array-subarray-can-throw-oom-error.js
Diff

Modified: trunk/JSTests/ChangeLog (259477 => 259478)


--- trunk/JSTests/ChangeLog	2020-04-03 18:22:04 UTC (rev 259477)
+++ trunk/JSTests/ChangeLog	2020-04-03 18:29:05 UTC (rev 259478)
@@ -1,3 +1,17 @@
+2020-04-03  Yusuke Suzuki  <[email protected]>
+
+        [JSC] TypedArray#subarray should throw OOM error gracefully
+        https://bugs.webkit.org/show_bug.cgi?id=209974
+        <rdar://problem/61253901>
+
+        Reviewed by Mark Lam.
+
+        * stress/typed-array-subarray-can-throw-oom-error.js: Added.
+        (foo):
+        (canThrow):
+        (bar):
+        (get bar):
+
 2020-04-03  Paulo Matos  <[email protected]>
 
         Re-enable previously skipped arm tests

Added: trunk/JSTests/stress/typed-array-subarray-can-throw-oom-error.js (0 => 259478)


--- trunk/JSTests/stress/typed-array-subarray-can-throw-oom-error.js	                        (rev 0)
+++ trunk/JSTests/stress/typed-array-subarray-can-throw-oom-error.js	2020-04-03 18:29:05 UTC (rev 259478)
@@ -0,0 +1,38 @@
+function foo() {
+  Object.freeze(arguments);
+}
+
+function canThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (errorThrown && String(error) !== errorMessage)
+        throw new Error(`bad error: ${String(error)}`);
+}
+
+foo();
+
+const a0 = [];
+a0.__proto__ = {};
+a0.length = 2**24
+Object.defineProperty(a0, 0, {get: bar});
+
+function bar() {
+  new ArrayBuffer(1000);
+  new Int16Array(a0);
+}
+
+for (let i=0; i<10000; i++) {
+  new Promise(bar);
+}
+
+for (let i=0; i<100000; i++) {
+    canThrow(() => {
+        new Uint32Array(1000).subarray();
+    }, `Error: Out of memory`);
+}
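Review bot: `canThrow` passes silently when `func` does not throw at all (the check is `if (errorThrown && String(error) !== errorMessage)`), so the final loop only verifies that any exception raised by `new Uint32Array(1000).subarray()` is exactly `Error: Out of memory`; it cannot confirm the OOM path was exercised, and a regression to the pre-patch null dereference would surface as a crash rather than as a message mismatch. That is acceptable for a stress test, but a comment saying so would help the next reader, as would one explaining that the `new Promise(bar)` loop exists only to create memory pressure: each executor call runs `new Int16Array(a0)` over a 2**24-length array-like whose index-0 getter is `bar` itself, so it recurses until it throws and the rejection is swallowed by the promise. `foo()` and `Object.freeze(arguments)` look like reduction leftovers and could be dropped. Minor style: indentation mixes 2 and 4 spaces, and `a0.length = 2**24` lacks a semicolon.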

Modified: trunk/Source/JavaScriptCore/ChangeLog (259477 => 259478)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-03 18:22:04 UTC (rev 259477)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-03 18:29:05 UTC (rev 259478)
@@ -1,3 +1,18 @@
+2020-04-03  Yusuke Suzuki  <[email protected]>
+
+        [JSC] TypedArray#subarray should throw OOM error gracefully
+        https://bugs.webkit.org/show_bug.cgi?id=209974
+        <rdar://problem/61253901>
+
+        Reviewed by Mark Lam.
+
+        After r259069 change, possiblySharedBuffer can return nullptr if OOM happens.
+        However, TypedArray#subarray didn't handle this case properly. This patch throws
+        an OOM error appropriately if possiblySharedBuffer returns nullptr in TypedArray#subarray.
+
+        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+
 2020-04-03  David Kilzer  <[email protected]>
 
         [Xcode] Replace ASAN_OTHER_CFLAGS and ASAN_OTHER_CPLUSPLUSFLAGS with $(inherited)

Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (259477 => 259478)


--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h	2020-04-03 18:22:04 UTC (rev 259477)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h	2020-04-03 18:29:05 UTC (rev 259478)
@@ -542,6 +542,10 @@
     unsigned length = end - begin;
 
     RefPtr<ArrayBuffer> arrayBuffer = thisObject->possiblySharedBuffer();
+    if (UNLIKELY(!arrayBuffer)) {
+        throwOutOfMemoryError(globalObject, scope);
+        return encodedJSValue();
+    }
     RELEASE_ASSERT(thisLength == thisObject->length());
 
     unsigned newByteOffset = thisObject->byteOffset() + offset * ViewClass::elementSize;
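Review bot: the early return is correctly placed before `RELEASE_ASSERT(thisLength == thisObject->length())` and before `thisObject->byteOffset()` is read, so a null `arrayBuffer` can no longer reach the view construction, and `throwOutOfMemoryError(globalObject, scope); return encodedJSValue();` matches the usual JSC pattern. Two things worth confirming, since the hunk does not show them: that `scope` here is the function's ThrowScope (the error is thrown through it), and whether the other callers of `possiblySharedBuffer()` that r259069 made fallible received the same guard, because the ChangeLog describes only subarray.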
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes