Closed Bug 969879 Opened 10 years ago Closed 10 years ago

Use fallible allocation to store the style information for CSS transitions and animations

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

Details

Attachments

(1 file, 1 obsolete file)

Use infallible allocation to store the style information for CSS transitions and animations; r=dbaron
3.78 KB, patch
dbaron
: review+
Details | Diff | Splinter Review 
It seems like the sizes for these data structures can be controlled from
Web content, and we are already prepared to deal with OOM conditions,
except that we are using infallible allocations by mistake.
Assignee: nobody → ehsan
Blocks: 969864
Attachment #8372849 - Flags: review?(dholbert)
Seems like we can't do this unless the relevant code that modifies these arrays actually checks for whether allocation fails. (and that we behave sanely after that).

Is that the case?

(Side note: a while back, we made an intentional choice to use infallible allocators in the CSS parser, in bug 659963. That doesn't necessarily mean we have to be infallible here as well, though.)
Also: at some point in the past, I remember being made aware of a rule-of-thumb that we should use fallible allocation when *both* of the following hold:
  (a) data's size is author-controllable
  (b) the data's size can be made much larger than the markup that the author has to send

I'm not (yet) sure about (b) here.

(i.e. we care more about cases where a 1 MB HTML file could make us OOM, than about cases where a 4 GB file could make us OOM. In the latter case, it's often worth just using infallible allocators because of the error-checking complexity that it saves us. Do you know whether this is closer to the former or the latter case?)
(In reply to Daniel Holbert [:dholbert] from comment #2)
> Seems like we can't do this unless the relevant code that modifies these
> arrays actually checks for whether allocation fails. (and that we behave
> sanely after that).
> 
> Is that the case?

Yes:

http://mxr.mozilla.org/mozilla-central/source/layout/style/nsRuleNode.cpp#4916
http://mxr.mozilla.org/mozilla-central/source/layout/style/nsRuleNode.cpp#4749

> (Side note: a while back, we made an intentional choice to use infallible
> allocators in the CSS parser, in bug 659963. That doesn't necessarily mean
> we have to be infallible here as well, though.)

We just need to be consistent here.  The above code clearly assumes the fallibility of these allocations.

(In reply to Daniel Holbert [:dholbert] from comment #3)
> Also: at some point in the past, I remember being made aware of a
> rule-of-thumb that we should use fallible allocation when *both* of the
> following hold:
>   (a) data's size is author-controllable
>   (b) the data's size can be made much larger than the markup that the
> author has to send
> 
> I'm not (yet) sure about (b) here.

(b) will apply to nything that is controllable from content script (including CSS through the CSSOM and the DOM), right?
Comment on attachment 8372849 [details] [diff] [review]
Use fallible allocation to store the style information for CSS transitions and animations

Oh, true. I was just thinking about static stylesheets as being the attack vector here, but I suppose you could have a JS loop that dynamically generates zillions of transitions/animations using the CSSOM.

And yup, it looks like fallible allocation is expected & failures are handled by the users of these arrays. Seems reasonable to explicitly make them fallible, given that.

Thanks!
Attachment #8372849 - Flags: review?(dholbert) → review+
(In reply to :Ehsan Akhgari (needinfo? me!) (slow responsiveness, emailacopolypse) from comment #0)
> It seems like the sizes for these data structures can be controlled from
> Web content, and we are already prepared to deal with OOM conditions,
> except that we are using infallible allocations by mistake.

It's not clear to me which way the "mistake" was; there are tons of places where we have switched to infallible allocation but haven't gone through and removed the handling of allocation failure.
(In reply to comment #7)
> (In reply to :Ehsan Akhgari (needinfo? me!) (slow responsiveness,
> emailacopolypse) from comment #0)
> > It seems like the sizes for these data structures can be controlled from
> > Web content, and we are already prepared to deal with OOM conditions,
> > except that we are using infallible allocations by mistake.
> 
> It's not clear to me which way the "mistake" was; there are tons of places
> where we have switched to infallible allocation but haven't gone through and
> removed the handling of allocation failure.

Well, I was referring to the fact that we were checking the result of SetLength() which would always be true.  If you think we should do infallible allocation here I would be happy to write that patch.
I indeed think these should be infallible, since the allocation sizes are a function of the size of the input (the number of array elements is a function of the number of comma-separated parts in the value of a CSS property, e.g., "transition-property: margin-left, margin-right, margin-top, margin-bottom, opacity"), which seems analogous to allocation of things like large numbers of nodes, with the only difference being that the allocation happens in a single chunk.
(In reply to comment #9)
> I indeed think these should be infallible, since the allocation sizes are a
> function of the size of the input (the number of array elements is a function
> of the number of comma-separated parts in the value of a CSS property, e.g.,
> "transition-property: margin-left, margin-right, margin-top, margin-bottom,
> opacity"), which seems analogous to allocation of things like large numbers of
> nodes, with the only difference being that the allocation happens in a single
> chunk.

OK, I'll do that then.
Attachment #8372849 - Attachment is obsolete: true
Attachment #8372883 - Flags: review?(dbaron)
Comment on attachment 8372883 [details] [diff] [review]
Use infallible allocation to store the style information for CSS transitions and animations; r=dbaron

Thanks.  r=dbaron
Attachment #8372883 - Flags: review?(dbaron) → review+
https://hg.mozilla.org/mozilla-central/rev/26d0e83eb70a
https://hg.mozilla.org/mozilla-central/rev/2e7e01ec0ab2
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: