author | wolfbeast <mcwerewolf@gmail.com> | 2018-02-09 08:53:46 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-09 08:53:46 +0100 |
commit | 8cecf8d5208f3945b35f879bba3015bb1a11bec6 (patch) | |
tree | 0926f5c21f9d10cf929e4c35e7d7e8e8c084dbf5 /js/src/vm/SharedArrayObject.cpp | |
parent | 8cd777888a40e987ad536ab68421068f5c06d83b (diff) | |
parent | 92104eb6828ba026550e1f4a3c6890c5b8254d36 (diff) | |
Merge branch 'ported-upstream'
Diffstat (limited to 'js/src/vm/SharedArrayObject.cpp')
-rw-r--r-- | js/src/vm/SharedArrayObject.cpp | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/js/src/vm/SharedArrayObject.cpp b/js/src/vm/SharedArrayObject.cpp
index 730578cd4..c69306aac 100644
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -116,22 +116,22 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length)
 if (allocSize <= length)
 return nullptr;
+ // Test >= to guard against the case where multiple extant runtimes
+ // race to allocate.
+ if (++numLive >= maxLive) {
+ JSRuntime* rt = cx->runtime();
+ if (rt->largeAllocationFailureCallback)
+ rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
+ if (numLive >= maxLive) {
+ numLive--;
+ return nullptr;
+ }
+ }
+
 bool preparedForAsmJS = jit::JitOptions.asmJSAtomicsEnable && IsValidAsmJSHeapLength(length);
 void* p = nullptr;
 if (preparedForAsmJS) {
- // Test >= to guard against the case where multiple extant runtimes
- // race to allocate.
- if (++numLive >= maxLive) {
- JSRuntime* rt = cx->runtime();
- if (rt->largeAllocationFailureCallback)
- rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
- if (numLive >= maxLive) {
- numLive--;
- return nullptr;
- }
- }
-
 uint32_t mappedSize = SharedArrayMappedSize(allocSize);
 // Get the entire reserved region (with all pages inaccessible)
@@ -154,8 +154,10 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length)
 # endif
 } else {
 p = MapMemory(allocSize, true);
- if (!p)
+ if (!p) {
+ numLive--;
 return nullptr;
+ }
 }
 uint8_t* buffer = reinterpret_cast<uint8_t*>(p) + gc::SystemPageSize();
@@ -189,8 +191,6 @@ SharedArrayRawBuffer::dropReference()
 uint32_t allocSize = SharedArrayAllocSize(this->length);
 if (this->preparedForAsmJS) {
- numLive--;
-
 uint32_t mappedSize = SharedArrayMappedSize(allocSize);
 UnmapMemory(address, mappedSize);
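Review bot: Once `++numLive` is hoisted above the `preparedForAsmJS` branch in the first hunk (`@@ -116,22 +116,22 @@`), every failing return from `New()` below it has to hand the slot back, and that is done by hand: the second hunk (`@@ -154,8 +154,10 @@`) adds `numLive--` to the `MapMemory` failure, while the failure returns of the `preparedForAsmJS` mapping path sit between the two hunks and are not visible here. A missed decrement makes the counter ratchet upward until `numLive >= maxLive` refuses all further buffers, so those hidden returns are worth confirming. If mfbt's ScopeExit is available in this tree, arming `auto giveBack = mozilla::MakeScopeExit([] { numLive--; });` right after the limit check and calling `giveBack.release();` before the successful return would make the pairing hold by construction. The body of `New()` starts before and continues after both hunks.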
@@ -202,6 +202,10 @@ SharedArrayRawBuffer::dropReference()
 } else {
 UnmapMemory(address, allocSize);
 }
+
+ // Decrement the buffer counter at the end -- otherwise, a race condition
+ // could enable the creation of unlimited buffers.
+ numLive--;
 } |
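Review bot: The `numLive--` added at the end of `dropReference()` has no guard against an unbalanced decrement; if `numLive` is an unsigned counter (its declaration is not in the hunk), one extra decrement wraps it and the `numLive >= maxLive` test in `New()` then rejects every allocation. A `MOZ_ASSERT(numLive > 0);` directly above the decrement would catch that in debug builds. The new comment could also say what the ordering protects, e.g. `// New() treats a free slot as permission to map, so release it only after UnmapMemory() has returned.` `dropReference()` begins outside the hunk, so whether this code runs only for the last reference cannot be checked from here.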