ArrayBuffers can contain data in the wrong malloc arena
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: sfink, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(10 files)
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review |
It looks like the right way to allocate memory that will end up held in an ArrayBuffer is js_pod_arena_malloc<char>(js::ArrayBufferContentsArena, size)
, which is bleeding internal details all over. It would better to provide JS::MallocForArrayBuffer(size)
or perhaps JS::MallocForArrayBuffer(cx, size)
to encapsulate this, and encourage calls of JS::NewArrayBufferWithContents
to allocate the memory that way.
(Even better would be to able to assert when freeing ArrayBuffer data that it is in the correct arena.)
Updated•2 years ago
|
Comment 1•9 months ago
|
||
This uses the suggested names from https://bugzilla.mozilla.org/show_bug.cgi?id=1784116#c0,
therefore it doesn't match the existing JS_string_malloc
function. (JS_string_malloc
is
unused, so we could also rename it to JS::MallocForString
.)
Comment 2•9 months ago
|
||
Update JS_malloc
to instead use JS::MallocForArrayBuffer
.
Depends on D198800
Comment 3•9 months ago
|
||
Keep using the internal API instead of JS::ReallocForArrayBuffer
to minimise
the changes.
Depends on D198802
Comment 4•9 months ago
|
||
Keep using the internal API to minimise the changes.
Depends on D198804
Comment 5•9 months ago
|
||
Keep using the internal API to minimise the changes.
Depends on D198806
Comment 6•9 months ago
|
||
dom/indexedDB/test/gtest/TestKey:
- Call
JS::MallocForArrayBuffer
instead of usingstrdup
to allocate memory
for an ArrayBuffer.
dom/media/webcodecs/EncoderTemplate:
- Call
JS::MallocForArrayBuffer
instead ofnew[]
to allocate memory for an
ArrayBuffer. - Out-of-memory is ignored because the existing code already ignores OOM, for
example the result ofJS::NewArrayBufferWithContents
is not checked.
dom/media/webrtc/jsapi:
- Use
js_pod_arena_malloc
instead of usingnew[]
(throughMakeUnique
). - Update the
UniquePtr
to use the correct deleter (JS::FreePolicy
).
dom/serviceworkers/ServiceWorkerEvents:
- Call
JS::MallocForArrayBuffer
instead ofmalloc
when allocating memory
for an ArrayBuffer.
Depends on D198807
Comment 7•9 months ago
|
||
JS::TranscodeBuffer
allocates in the default arena, so we have to copy the
data instead of using BufferContents::createMalloced
.
Depends on D198809
Comment 8•9 months ago
|
||
Parts 1-7 ensure the buffer contents are allocated in the correct arena, so we
can now assert this, too. Also see js::AssertJSStringBufferInCorrectArena
for
a similar check for JSString memory.
Depends on D198810
Comment 9•9 months ago
|
||
SharedArrayBuffers should also be allocated in a separate arena.
Depends on D198811
Comment 10•9 months ago
|
||
This change is missing in parts 1-7. This approach allocates all StreamLoader
memory in js::ArrayBufferContentsArena
, which isn't really what we want to
do. I guess we need a separate StreamLoader which uses the correct jemalloc
arena, so that mozilla::dom::BodyConsumer
can use that new StreamLoader when
mozilla::dom::BodyConsumer::mConsumeType
is
mozilla::dom::BodyConsumer::CONSUME_ARRAYBUFFER
.
Depends on D198812
Reporter | ||
Updated•9 months ago
|
Updated•9 months ago
|
Description
•