Bug 212512

Summary:

[JSC] JSBigInt allocation should be graceful for OOM

Product:

WebKit

Reporter:

Yusuke Suzuki <ysuzuki>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

alecflett, beidson, ews-watchlist, jsbell, keith_miller, mark.lam, msaboff, saam, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none
Patch	mark.lam: review+
Patch	none
Patch	none
Patch for landing	none

Yusuke Suzuki

Reported 2020-05-28 23:40:47 PDT

<rdar://problem/63600600>

Attachments
Patch (89.66 KB, patch) 2020-05-28 23:57 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (89.29 KB, patch) 2020-05-29 00:06 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (89.50 KB, patch) 2020-05-29 00:12 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (88.71 KB, patch) 2020-05-29 00:22 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (88.71 KB, patch) 2020-05-29 00:33 PDT, Yusuke Suzuki	mark.lam: review+	Details Formatted Diff Diff
Patch (90.99 KB, patch) 2020-05-29 01:50 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (91.30 KB, patch) 2020-05-29 03:07 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch for landing (91.27 KB, patch) 2020-05-29 17:27 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2020-05-28 23:57:40 PDT

Created attachment 400553 [details] Patch

Yusuke Suzuki

Comment 2 2020-05-29 00:06:55 PDT

Created attachment 400554 [details] Patch

Yusuke Suzuki

Comment 3 2020-05-29 00:12:53 PDT

Created attachment 400555 [details] Patch

Yusuke Suzuki

Comment 4 2020-05-29 00:22:41 PDT

Created attachment 400556 [details] Patch

Yusuke Suzuki

Comment 5 2020-05-29 00:33:03 PDT

Created attachment 400557 [details] Patch

Mark Lam

Comment 6 2020-05-29 00:35:46 PDT

Comment on attachment 400554 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400554&action=review > Source/JavaScriptCore/runtime/JSBigInt.cpp:85 > +inline JSBigInt* JSBigInt::createZero(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm) Use Optional? > Source/JavaScriptCore/runtime/JSBigInt.cpp:95 > +inline JSBigInt* JSBigInt::createWithLength(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, unsigned length) Is there a good reason to not use Optional<JSGlobalObject> here? > Source/JavaScriptCore/runtime/JSBigInt.cpp:126 > +inline JSBigInt* JSBigInt::createFrom(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, int32_t value) Ditto: use Optional here? > Source/JavaScriptCore/runtime/JSBigInt.cpp:318 > +JSValue JSBigInt::parseInt(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, StringView s, uint8_t radix, ErrorParseMode parserMode, ParseIntSign sign) Ditto. > Source/JavaScriptCore/runtime/JSBigInt.cpp:1541 > +bool JSBigInt::absoluteDivWithDigitDivisor(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, BigIntImpl x, Digit divisor, JSBigInt** quotient, Digit& remainder) Ditto. > Source/JavaScriptCore/runtime/JSBigInt.cpp:2155 > +String JSBigInt::toStringBasePowerOfTwo(VM& vm, JSGlobalObject* nullOrGlobalObjectForOOM, JSBigInt* x, unsigned radix) Ditto. > Source/JavaScriptCore/runtime/JSBigInt.cpp:2304 > +JSBigInt* JSBigInt::rightTrim(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm) Ditto. > Source/JavaScriptCore/runtime/JSBigInt.cpp:2345 > +JSBigInt* JSBigInt::allocateFor(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, unsigned radix, unsigned charcount) Ditto. > Source/JavaScriptCore/runtime/JSBigInt.cpp:2427 > +JSValue JSBigInt::parseInt(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, CharType* data, unsigned length, unsigned startIndex, unsigned radix, ErrorParseMode errorParseMode, ParseIntSign sign, ParseIntMode parseMode) Ditto.

Mark Lam

Comment 7 2020-05-29 00:38:07 PDT

Comment on attachment 400557 [details] Patch r=me if EWS bots are green.

Yusuke Suzuki

Comment 8 2020-05-29 01:48:39 PDT

Comment on attachment 400554 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400554&action=review >> Source/JavaScriptCore/runtime/JSBigInt.cpp:85 >> +inline JSBigInt* JSBigInt::createZero(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm) > > Use Optional? For now, I would like to keep the consistency with JSString's `JSGlobalObject* nullOrGlobalObjectForOOM`. We should consider introducing this, but I would like to do that at once. >> Source/JavaScriptCore/runtime/JSBigInt.cpp:95 >> +inline JSBigInt* JSBigInt::createWithLength(JSGlobalObject* nullOrGlobalObjectForOOM, VM& vm, unsigned length) > > Is there a good reason to not use Optional<JSGlobalObject> here? Ditto.

Yusuke Suzuki

Comment 9 2020-05-29 01:50:14 PDT

Created attachment 400559 [details] Patch

Yusuke Suzuki

Comment 10 2020-05-29 03:07:29 PDT

Created attachment 400563 [details] Patch

Caio Lima

Comment 11 2020-05-29 08:43:40 PDT

Comment on attachment 400563 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400563&action=review LGTM as well. I pointed out the issue breaking on 32-bits. > Source/JavaScriptCore/runtime/JSBigInt.cpp:2558 > + RELEASE_AND_RETURN(scope, JSBigInt::createFrom(nullOrGlobalObjectForOOM, static_cast<int32_t>(maybeResult))); This call will cause segfault when globalObject is `nullptr`. This happens when `parseInt` is called from `BytecodeGenerator.cpp`, for instance. This is one of the reasons of failures on ARMv7 and MIPS bots.

Yusuke Suzuki

Comment 12 2020-05-29 17:13:35 PDT

Comment on attachment 400563 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400563&action=review >> Source/JavaScriptCore/runtime/JSBigInt.cpp:2558 >> + RELEASE_AND_RETURN(scope, JSBigInt::createFrom(nullOrGlobalObjectForOOM, static_cast<int32_t>(maybeResult))); > > This call will cause segfault when globalObject is `nullptr`. This happens when `parseInt` is called from `BytecodeGenerator.cpp`, for instance. This is one of the reasons of failures on ARMv7 and MIPS bots. Nice catch. We should call `JSBigInt::createFrom(nullOrGlobalObjectForOOM, vm, static_cast<int32_t>(maybeResult))` instead.

Yusuke Suzuki

Comment 13 2020-05-29 17:27:38 PDT

Created attachment 400639 [details] Patch for landing

Yusuke Suzuki

Comment 14 2020-05-30 00:46:59 PDT

Committed r262342: <https://trac.webkit.org/changeset/262342>

Yusuke Suzuki

Comment 15 2020-05-30 20:01:14 PDT

Committed r262353: <https://trac.webkit.org/changeset/262353>

Note You need to log in before you can comment on or make changes to this bug.