ArrayBuffers can contain data in the wrong malloc arena
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: sfink, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(10 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
It looks like the right way to allocate memory that will end up held in an ArrayBuffer is js_pod_arena_malloc<char>(js::ArrayBufferContentsArena, size), which is bleeding internal details all over. It would better to provide JS::MallocForArrayBuffer(size) or perhaps JS::MallocForArrayBuffer(cx, size) to encapsulate this, and encourage calls of JS::NewArrayBufferWithContents to allocate the memory that way.
(Even better would be to able to assert when freeing ArrayBuffer data that it is in the correct arena.)
|
||
Updated•3 years ago
|
|
||
Comment 1•2 years ago
|
||
This uses the suggested names from https://bugzilla.mozilla.org/show_bug.cgi?id=1784116#c0,
therefore it doesn't match the existing JS_string_malloc function. (JS_string_malloc is
unused, so we could also rename it to JS::MallocForString.)
|
|
||
Comment 2•2 years ago
|
||
Update JS_malloc to instead use JS::MallocForArrayBuffer.
Depends on D198800
|
|
||
Comment 3•2 years ago
|
||
Keep using the internal API instead of JS::ReallocForArrayBuffer to minimise
the changes.
Depends on D198802
|
|
||
Comment 4•2 years ago
|
||
Keep using the internal API to minimise the changes.
Depends on D198804
|
|
||
Comment 5•2 years ago
|
||
Keep using the internal API to minimise the changes.
Depends on D198806
|
|
||
Comment 6•2 years ago
|
||
dom/indexedDB/test/gtest/TestKey:
- Call
JS::MallocForArrayBufferinstead of usingstrdupto allocate memory
for an ArrayBuffer.
dom/media/webcodecs/EncoderTemplate:
- Call
JS::MallocForArrayBufferinstead ofnew[]to allocate memory for an
ArrayBuffer. - Out-of-memory is ignored because the existing code already ignores OOM, for
example the result ofJS::NewArrayBufferWithContentsis not checked.
dom/media/webrtc/jsapi:
- Use
js_pod_arena_mallocinstead of usingnew[](throughMakeUnique). - Update the
UniquePtrto use the correct deleter (JS::FreePolicy).
dom/serviceworkers/ServiceWorkerEvents:
- Call
JS::MallocForArrayBufferinstead ofmallocwhen allocating memory
for an ArrayBuffer.
Depends on D198807
|
|
||
Comment 7•2 years ago
|
||
JS::TranscodeBuffer allocates in the default arena, so we have to copy the
data instead of using BufferContents::createMalloced.
Depends on D198809
|
|
||
Comment 8•2 years ago
|
||
Parts 1-7 ensure the buffer contents are allocated in the correct arena, so we
can now assert this, too. Also see js::AssertJSStringBufferInCorrectArena for
a similar check for JSString memory.
Depends on D198810
|
|
||
Comment 9•2 years ago
|
||
SharedArrayBuffers should also be allocated in a separate arena.
Depends on D198811
|
|
||
Comment 10•2 years ago
|
||
This change is missing in parts 1-7. This approach allocates all StreamLoader
memory in js::ArrayBufferContentsArena, which isn't really what we want to
do. I guess we need a separate StreamLoader which uses the correct jemalloc
arena, so that mozilla::dom::BodyConsumer can use that new StreamLoader when
mozilla::dom::BodyConsumer::mConsumeType is
mozilla::dom::BodyConsumer::CONSUME_ARRAYBUFFER.
Depends on D198812
|
Reporter | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•