From 92104eb6828ba026550e1f4a3c6890c5b8254d36 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 4 Jan 2018 22:24:58 +0100 Subject: Limit the number of SharedArrayBuffers in normal JS code (not just asm.js). --- js/src/vm/SharedArrayObject.cpp | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) (limited to 'js') diff --git a/js/src/vm/SharedArrayObject.cpp b/js/src/vm/SharedArrayObject.cpp index 730578cd4a..c69306aaca 100644 --- a/js/src/vm/SharedArrayObject.cpp +++ b/js/src/vm/SharedArrayObject.cpp @@ -116,22 +116,22 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length) if (allocSize <= length) return nullptr; + // Test >= to guard against the case where multiple extant runtimes + // race to allocate. + if (++numLive >= maxLive) { + JSRuntime* rt = cx->runtime(); + if (rt->largeAllocationFailureCallback) + rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData); + if (numLive >= maxLive) { + numLive--; + return nullptr; + } + } + bool preparedForAsmJS = jit::JitOptions.asmJSAtomicsEnable && IsValidAsmJSHeapLength(length); void* p = nullptr; if (preparedForAsmJS) { - // Test >= to guard against the case where multiple extant runtimes - // race to allocate. - if (++numLive >= maxLive) { - JSRuntime* rt = cx->runtime(); - if (rt->largeAllocationFailureCallback) - rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData); - if (numLive >= maxLive) { - numLive--; - return nullptr; - } - } - uint32_t mappedSize = SharedArrayMappedSize(allocSize); // Get the entire reserved region (with all pages inaccessible) @@ -154,8 +154,10 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length) # endif } else { p = MapMemory(allocSize, true); - if (!p) + if (!p) { + numLive--; return nullptr; + } } uint8_t* buffer = reinterpret_cast(p) + gc::SystemPageSize(); @@ -189,8 +191,6 @@ SharedArrayRawBuffer::dropReference() uint32_t allocSize = SharedArrayAllocSize(this->length); if (this->preparedForAsmJS) { - numLive--; - uint32_t mappedSize = SharedArrayMappedSize(allocSize); UnmapMemory(address, mappedSize); @@ -202,6 +202,10 @@ SharedArrayRawBuffer::dropReference() } else { UnmapMemory(address, allocSize); } + + // Decrement the buffer counter at the end -- otherwise, a race condition + // could enable the creation of unlimited buffers. + numLive--; } -- cgit v1.2.3