diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2018-01-04 22:24:58 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-09 08:04:59 +0100 |
| commit | 92104eb6828ba026550e1f4a3c6890c5b8254d36 (patch) | |
| tree | b1bbb4f0b8a8586d90840883e032d469b6d7992a /js/src | |
| parent | d0ccfc6d08c6e17e52a29dbbe412c5b66d30a7d9 (diff) | |
| download | UXP-92104eb6828ba026550e1f4a3c6890c5b8254d36.tar UXP-92104eb6828ba026550e1f4a3c6890c5b8254d36.tar.gz UXP-92104eb6828ba026550e1f4a3c6890c5b8254d36.tar.lz UXP-92104eb6828ba026550e1f4a3c6890c5b8254d36.tar.xz UXP-92104eb6828ba026550e1f4a3c6890c5b8254d36.zip | |
Limit the number of SharedArrayBuffers in normal JS code (not just asm.js).
Diffstat (limited to 'js/src')
| -rw-r--r-- | js/src/vm/SharedArrayObject.cpp | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/js/src/vm/SharedArrayObject.cpp b/js/src/vm/SharedArrayObject.cpp index 730578cd4..c69306aac 100644 --- a/js/src/vm/SharedArrayObject.cpp +++ b/js/src/vm/SharedArrayObject.cpp @@ -116,22 +116,22 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length) if (allocSize <= length) return nullptr; + // Test >= to guard against the case where multiple extant runtimes + // race to allocate. + if (++numLive >= maxLive) { + JSRuntime* rt = cx->runtime(); + if (rt->largeAllocationFailureCallback) + rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData); + if (numLive >= maxLive) { + numLive--; + return nullptr; + } + } + bool preparedForAsmJS = jit::JitOptions.asmJSAtomicsEnable && IsValidAsmJSHeapLength(length); void* p = nullptr; if (preparedForAsmJS) { - // Test >= to guard against the case where multiple extant runtimes - // race to allocate. - if (++numLive >= maxLive) { - JSRuntime* rt = cx->runtime(); - if (rt->largeAllocationFailureCallback) - rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData); - if (numLive >= maxLive) { - numLive--; - return nullptr; - } - } - uint32_t mappedSize = SharedArrayMappedSize(allocSize); // Get the entire reserved region (with all pages inaccessible) @@ -154,8 +154,10 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length) # endif } else { p = MapMemory(allocSize, true); - if (!p) + if (!p) { + numLive--; return nullptr; + } } uint8_t* buffer = reinterpret_cast<uint8_t*>(p) + gc::SystemPageSize(); @@ -189,8 +191,6 @@ SharedArrayRawBuffer::dropReference() uint32_t allocSize = SharedArrayAllocSize(this->length); if (this->preparedForAsmJS) { - numLive--; - uint32_t mappedSize = SharedArrayMappedSize(allocSize); UnmapMemory(address, mappedSize); @@ -202,6 +202,10 @@ SharedArrayRawBuffer::dropReference() } else { UnmapMemory(address, allocSize); } + + // Decrement the buffer counter at the end -- otherwise, a race condition + // could enable the creation of unlimited buffers. + numLive--; } |