JSFixedArray::allocationSize() should not allow for allocation failure.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 2 May 2017 17:55:11 +0000 (17:55 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 2 May 2017 17:55:11 +0000 (17:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=171516

Reviewed by Geoffrey Garen.

Since JSFixedArray::createFromArray() now handles allocation failures by throwing
OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer
size to allocate) should also allow for allocation failure on overflow.

This issue is covered by the stress/js-fixed-array-out-of-memory.js test when
run on 32-bit builds.

* runtime/JSFixedArray.h:
(JSC::JSFixedArray::tryCreate):
(JSC::JSFixedArray::allocationSize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216076 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSFixedArray.h

index c304696..00550b7 100644 (file)
@@ -1,3 +1,21 @@
+2017-05-02  Mark Lam  <mark.lam@apple.com>
+
+        JSFixedArray::allocationSize() should not allow for allocation failure.
+        https://bugs.webkit.org/show_bug.cgi?id=171516
+
+        Reviewed by Geoffrey Garen.
+
+        Since JSFixedArray::createFromArray() now handles allocation failures by throwing
+        OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer
+        size to allocate) should also allow for allocation failure on overflow.
+
+        This issue is covered by the stress/js-fixed-array-out-of-memory.js test when
+        run on 32-bit builds.
+
+        * runtime/JSFixedArray.h:
+        (JSC::JSFixedArray::tryCreate):
+        (JSC::JSFixedArray::allocationSize):
+
 2017-05-01  Zan Dobersek  <zdobersek@igalia.com>
 
         [aarch64][Linux] m_allowScratchRegister assert hit in MacroAssemblerARM64 under B3::Air::CCallSpecial::generate()
index 4a6477d..ceaff26 100644 (file)
@@ -122,7 +122,11 @@ private:
 
     ALWAYS_INLINE static JSFixedArray* tryCreate(VM& vm, Structure* structure, unsigned size)
     {
-        void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, allocationSize(size));
+        Checked<size_t, RecordOverflow> checkedAllocationSize = allocationSize(size);
+        if (UNLIKELY(checkedAllocationSize.hasOverflowed()))
+            return nullptr;
+
+        void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, checkedAllocationSize.unsafeGet());
         if (UNLIKELY(!buffer))
             return nullptr;
         JSFixedArray* result = new (NotNull, buffer) JSFixedArray(vm, structure, size);
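Review bot: The new overflow check at the top of tryCreate carries no comment saying why the size must be checked before tryAllocateCell, so nothing stops a later cleanup from passing `allocationSize(size)` straight back into the allocation call; a one-line comment above `if (UNLIKELY(checkedAllocationSize.hasOverflowed()))` would pin it: `// offsetOfData() + size * sizeof(WriteBarrier<Unknown>) can exceed size_t on 32-bit; treat overflow like an allocation failure rather than allocating an undersized cell`. Returning nullptr here takes the same path as a failed tryAllocateCell, which the description says createFromArray turns into an OutOfMemoryError, so the caller contract appears unchanged, though that caller is not in the hunk. The Checked value produced by allocationSize() in the second hunk is only unwrapped with unsafeGet() after the hasOverflowed() test, which is the right order. tryCreate's body continues past the end of this hunk.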
@@ -140,9 +144,9 @@ private:
     }
 
 
-    static size_t allocationSize(Checked<size_t> numItems)
+    static Checked<size_t, RecordOverflow> allocationSize(Checked<size_t, RecordOverflow> numItems)
     {
-        return (offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>)).unsafeGet();
+        return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>);
     }
 };