Open Bug 1784116 Opened 2 years ago Updated 6 months ago

ArrayBuffers can contain data in the wrong malloc arena

Categories

(Core :: JavaScript Engine, defect, P3)

defect

Tracking

()

People

(Reporter: sfink, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(10 files)

48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review

It looks like the right way to allocate memory that will end up held in an ArrayBuffer is js_pod_arena_malloc<char>(js::ArrayBufferContentsArena, size), which is bleeding internal details all over. It would better to provide JS::MallocForArrayBuffer(size) or perhaps JS::MallocForArrayBuffer(cx, size) to encapsulate this, and encourage calls of JS::NewArrayBufferWithContents to allocate the memory that way.

(Even better would be to able to assert when freeing ArrayBuffer data that it is in the correct arena.)

Blocks: sm-meta
Severity: -- → N/A
Priority: -- → P3

This uses the suggested names from https://bugzilla.mozilla.org/show_bug.cgi?id=1784116#c0,
therefore it doesn't match the existing JS_string_malloc function. (JS_string_malloc is
unused, so we could also rename it to JS::MallocForString.)

Update JS_malloc to instead use JS::MallocForArrayBuffer.

Depends on D198800

Keep using the internal API instead of JS::ReallocForArrayBuffer to minimise
the changes.

Depends on D198802

Keep using the internal API to minimise the changes.

Depends on D198804

Keep using the internal API to minimise the changes.

Depends on D198806

dom/indexedDB/test/gtest/TestKey:

  • Call JS::MallocForArrayBuffer instead of using strdup to allocate memory
    for an ArrayBuffer.

dom/media/webcodecs/EncoderTemplate:

  • Call JS::MallocForArrayBuffer instead of new[] to allocate memory for an
    ArrayBuffer.
  • Out-of-memory is ignored because the existing code already ignores OOM, for
    example the result of JS::NewArrayBufferWithContents is not checked.

dom/media/webrtc/jsapi:

  • Use js_pod_arena_malloc instead of using new[] (through MakeUnique).
  • Update the UniquePtr to use the correct deleter (JS::FreePolicy).

dom/serviceworkers/ServiceWorkerEvents:

  • Call JS::MallocForArrayBuffer instead of malloc when allocating memory
    for an ArrayBuffer.

Depends on D198807

JS::TranscodeBuffer allocates in the default arena, so we have to copy the
data instead of using BufferContents::createMalloced.

Depends on D198809

Parts 1-7 ensure the buffer contents are allocated in the correct arena, so we
can now assert this, too. Also see js::AssertJSStringBufferInCorrectArena for
a similar check for JSString memory.

Depends on D198810

SharedArrayBuffers should also be allocated in a separate arena.

Depends on D198811

This change is missing in parts 1-7. This approach allocates all StreamLoader
memory in js::ArrayBufferContentsArena, which isn't really what we want to
do. I guess we need a separate StreamLoader which uses the correct jemalloc
arena, so that mozilla::dom::BodyConsumer can use that new StreamLoader when
mozilla::dom::BodyConsumer::mConsumeType is
mozilla::dom::BodyConsumer::CONSUME_ARRAYBUFFER.

Depends on D198812

Type: enhancement → defect
Summary: Expose JS::MallocForArrayBuffer → ArrayBuffers can contain data in the wrong malloc arena
Severity: N/A → S3
No longer blocks: sm-meta
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: