Closed Bug 1517823 Opened 5 years ago Closed 5 years ago

Store out of line TypedArray data in ArrayBufferContentsArena?

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox66 --- fixed

People

(Reporter: anba, Assigned: anba)

References

Details

Attachments

(2 files)

bug1517823-part1-typedarray-data-arena.patch
7.05 KB, patch
sfink
: review+
Details | Diff | Splinter Review
bug1517823-part2-requested-arena-on-retry-alloc.patch
12.99 KB, patch
sfink
: review+
Details | Diff | Splinter Review 
bug 1052582 changed ArrayBuffers to use a separate arena for the ArrayBuffer contents, but no similar changed happened for TypedArray.

bug 1052582, comment #18 mentions:
> Allocating out of line ArrayBuffer data in a separate heap region *does* seem like a large security win to me, [...]

Doesn't this also apply for out of line TypedArray data [1,2]?

[1] https://searchfox.org/mozilla-central/rev/fef7f858efb695a76010b4c624da5277c16e95b3/js/src/jit/MacroAssembler.cpp#1194
[2] https://searchfox.org/mozilla-central/rev/fef7f858efb695a76010b4c624da5277c16e95b3/js/src/vm/TypedArrayObject.cpp#215
We also ignore the requested arena_t in MallocProvider when we call onOutOfMemory. Which in turn means it's possible to create an ArrayBuffer in the js::MallocArena instead of the js::ArrayBufferContentsArena in near OOM situations.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Changes the inlined TypedArray constructor to use |js::ArrayBufferContentsArena| instead of |js::MallocArena| for its data. This should fix the issue noted in comment #0.

Applies on top of bug 1518101 and bug 1517259.
Attachment #9034718 - Flags: review?(sphink)
When retrying an allocation after near OOM situations, the previously requested arena should be used again. Otherwise it's possible to create an ArrayBuffer/TypedArray whose data is in the normal js::MallocArena instead of js::ArrayBufferContentsArena.
Attachment #9034719 - Flags: review?(sphink)
Comment on attachment 9034718 [details] [diff] [review]
bug1517823-part1-typedarray-data-arena.patch

Review of attachment 9034718 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch.
Attachment #9034718 - Flags: review?(sphink) → review+
Comment on attachment 9034719 [details] [diff] [review]
bug1517823-part2-requested-arena-on-retry-alloc.patch

Review of attachment 9034719 [details] [diff] [review]:
-----------------------------------------------------------------

Ouch. Thanks for the cleanup.
Attachment #9034719 - Flags: review?(sphink) → review+

Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d09512072a5
Part 1: Store out of line TypedArray data in ArrayBuffer malloc-arena. r=sfink
https://hg.mozilla.org/integration/mozilla-inbound/rev/752c683e631d
Part 2: Pass arena to MallocProvider client. r=sfink

Keywords: checkin-needed
Depends on: 1518495

https://hg.mozilla.org/mozilla-central/rev/3d09512072a5
https://hg.mozilla.org/mozilla-central/rev/752c683e631d

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: