
Commit f813761

RELEASE_ASSERT(bigInt) in VM constructor when constructing a WorkletGlobalScope
https://bugs.webkit.org/show_bug.cgi?id=221425
<rdar://73747997>

Reviewed by Keith Miller.

Source/WebCore:

WorkletGlobalScope should use VM::tryCreate() instead of VM::create() to deal with out-of-memory errors.

Test: webaudio/audioworket-out-of-memory.html

* Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::tryCreate):
(WebCore::AudioWorkletGlobalScope::AudioWorkletGlobalScope):
* Modules/webaudio/AudioWorkletGlobalScope.h:
* Modules/webaudio/AudioWorkletThread.cpp:
(WebCore::AudioWorkletThread::createGlobalScope):
* Modules/webaudio/AudioWorkletThread.h:
* WebCore.xcodeproj/project.pbxproj:
* workers/WorkerOrWorkletThread.cpp:
(WebCore::WorkerOrWorkletThread::workerOrWorkletThread):
* workers/WorkerOrWorkletThread.h:
* workers/WorkerThread.cpp:
(WebCore::WorkerThread::createGlobalScope):
* workers/WorkerThread.h:
* worklets/WorkletGlobalScope.cpp:
(WebCore::WorkletGlobalScope::WorkletGlobalScope):
* worklets/WorkletGlobalScope.h:

LayoutTests:

Add layout test coverage.

* webaudio/audioworket-out-of-memory-expected.txt: Added.
* webaudio/audioworket-out-of-memory.html: Added.

Canonical link: https://commits.webkit.org/233718@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent 41c5947 commit f813761

15 files changed

Lines changed: 109 additions & 16 deletions

LayoutTests/ChangeLog

Lines changed: 13 additions & 0 deletions
@@ -1,3 +1,16 @@
1+
2021-02-04 Chris Dumez <cdumez@apple.com>
2+
3+
RELEASE_ASSERT(bigInt) in VM constructor when constructing a WorkletGlobalScope
4+
https://bugs.webkit.org/show_bug.cgi?id=221425
5+
<rdar://73747997>
6+
7+
Reviewed by Keith Miller.
8+
9+
Add layout test coverage.
10+
11+
* webaudio/audioworket-out-of-memory-expected.txt: Added.
12+
* webaudio/audioworket-out-of-memory.html: Added.
13+
114
2021-02-04 Chris Fleizach <cfleizach@apple.com>
215

316
AX: expose focusable elements even if element or ancestor has aria-hidden=true
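Review bot: the test file name on lines 11 and 12 of this entry, webaudio/audioworket-out-of-memory, drops the "l" in "worklet". The same spelling is repeated in TestExpectations and in the WebCore ChangeLog, so it is at least consistent, but renaming the two files to audioworklet-out-of-memory before landing would keep the test discoverable by the API name it exercises (AudioWorklet) and avoid a rename commit later.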

LayoutTests/TestExpectations

Lines changed: 1 addition & 0 deletions
@@ -401,6 +401,7 @@ fast/history/page-cache-active-fetch-request-blobReadAsText.html [ DumpJSConsole
401401
fast/history/page-cache-active-fetch-request-blobReadAsReadableStream.html [ DumpJSConsoleLogInStdErr ]
402402
fast/history/page-cache-active-fetch-response-blobReadAsBlob.html [ DumpJSConsoleLogInStdErr ]
403403
fast/dom/navigator-detached-no-crash.html [ DumpJSConsoleLogInStdErr ]
404+
webaudio/audioworket-out-of-memory.html [ DumpJSConsoleLogInStdErr ]
404405

405406
webkit.org/b/202495 imported/w3c/web-platform-tests/shadow-dom/directionality-002.tentative.html [ ImageOnlyFailure ]
406407
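Review bot: the new line at 404 is placed in a run of fast/history and fast/dom entries, and the DumpJSConsoleLogInStdErr modifier is given without a reason. A short trailing comment saying why (the memory-exhaustion loop in the test is expected to spill allocation errors to the console, and routing them to stderr keeps them out of the -expected.txt) would help the next person who wonders whether the modifier can be dropped. Note also that the path carries the same "audioworket" spelling as the ChangeLog; if the file is renamed, this line must change with it.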

LayoutTests/webaudio/audioworket-out-of-memory-expected.txt

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
This test passes if it does not crash
LayoutTests/webaudio/audioworket-out-of-memory.html

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
<p>This test passes if it does not crash</p>
2+
<script>
3+
if (window.testRunner)
4+
testRunner.dumpAsText();
5+
6+
function useAllMemory() {
7+
const a = [0];
8+
a.__proto__ = {};
9+
Object.defineProperty(a, 0, {get: foo});
10+
Object.defineProperty(a, 80000000, {});
11+
12+
function foo() {
13+
new Uint8Array(a);
14+
}
15+
16+
new Promise(foo);
17+
18+
try {
19+
for (let i = 0; i < 2**20; i++) {
20+
new ArrayBuffer(1000);
21+
}
22+
} catch {
23+
}
24+
}
25+
26+
useAllMemory();
27+
for (let i = 0; i < 100; i++) {
28+
CSS.paintWorklet.addModule('');
29+
}
30+
new AudioContext().audioWorklet.addModule('');
31+
</script>
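Review bot: the test calls testRunner.dumpAsText() on line 4 but never calls testRunner.waitUntilDone(), and the addModule() promises on lines 28 and 30 are not awaited or caught. addModule() creates the worklet thread asynchronously, and the VM allocation that this patch guards (AudioWorkletGlobalScope::tryCreate running on that thread) happens after the call returns, so without waitUntilDone() the harness can finish dumping the page before any worklet thread has reached the out-of-memory path, and the test would pass even with the fix reverted. Suggest calling testRunner.waitUntilDone() next to dumpAsText(), chaining the last addModule() with .catch(() => {}).then(() => testRunner.notifyDone()), and doing the same for the paint worklet loop, so the test only completes once the worklet threads have actually been driven. A brief comment above useAllMemory() explaining the trick (the getter on index 0 re-enters via new Uint8Array(a) on an array whose length has been pushed to 80000001, followed by the ArrayBuffer loop) would also help anyone who later has to adjust the memory pressure.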

Source/WebCore/ChangeLog

Lines changed: 31 additions & 0 deletions
@@ -1,3 +1,34 @@
1+
2021-02-04 Chris Dumez <cdumez@apple.com>
2+
3+
RELEASE_ASSERT(bigInt) in VM constructor when constructing a WorkletGlobalScope
4+
https://bugs.webkit.org/show_bug.cgi?id=221425
5+
<rdar://73747997>
6+
7+
Reviewed by Keith Miller.
8+
9+
WorkletGlobalScope should use VM::tryCreate() instead of VM::create() to deal with out-of-memory
10+
errors.
11+
12+
Test: webaudio/audioworket-out-of-memory.html
13+
14+
* Modules/webaudio/AudioWorkletGlobalScope.cpp:
15+
(WebCore::AudioWorkletGlobalScope::tryCreate):
16+
(WebCore::AudioWorkletGlobalScope::AudioWorkletGlobalScope):
17+
* Modules/webaudio/AudioWorkletGlobalScope.h:
18+
* Modules/webaudio/AudioWorkletThread.cpp:
19+
(WebCore::AudioWorkletThread::createGlobalScope):
20+
* Modules/webaudio/AudioWorkletThread.h:
21+
* WebCore.xcodeproj/project.pbxproj:
22+
* workers/WorkerOrWorkletThread.cpp:
23+
(WebCore::WorkerOrWorkletThread::workerOrWorkletThread):
24+
* workers/WorkerOrWorkletThread.h:
25+
* workers/WorkerThread.cpp:
26+
(WebCore::WorkerThread::createGlobalScope):
27+
* workers/WorkerThread.h:
28+
* worklets/WorkletGlobalScope.cpp:
29+
(WebCore::WorkletGlobalScope::WorkletGlobalScope):
30+
* worklets/WorkletGlobalScope.h:
31+
132
2021-02-04 Chris Fleizach <cfleizach@apple.com>
233

334
AX: expose focusable elements even if element or ancestor has aria-hidden=true
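Review bot: lines 9 and 10 say that WorkletGlobalScope should use VM::tryCreate(), but in the code shown in this commit the VM is allocated in AudioWorkletGlobalScope::tryCreate and handed to the WorkletGlobalScope constructor as Ref<JSC::VM>&&; the description would be more accurate if it said that worklet global scopes are now constructed through a tryCreate() factory that can fail. The entry for workers/WorkerOrWorkletThread.cpp on lines 22 and 23 should also mention the new null check and early return in workerOrWorkletThread(), since that is the change that actually turns an allocation failure into a non-crash on the thread.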

Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp

Lines changed: 11 additions & 2 deletions
@@ -36,6 +36,7 @@
3636
#include "AudioWorkletMessagingProxy.h"
3737
#include "AudioWorkletProcessorConstructionData.h"
3838
#include "BaseAudioContext.h"
39+
#include "CommonVM.h"
3940
#include "JSAudioWorkletProcessor.h"
4041
#include "JSAudioWorkletProcessorConstructor.h"
4142
#include "JSDOMConvert.h"
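Review bot: nothing in the rest of this file's diff uses commonVM(); the only new JSC call is JSC::VM::tryCreate(). If CommonVM.h is being added on line 39 only to pull in the VM definition transitively, including <JavaScriptCore/VM.h> directly (or whatever header already provides it to the base class) states the dependency honestly and avoids a dangling include if CommonVM.h is later slimmed down.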
@@ -47,8 +48,16 @@ namespace WebCore {
4748

4849
WTF_MAKE_ISO_ALLOCATED_IMPL(AudioWorkletGlobalScope);
4950

50-
AudioWorkletGlobalScope::AudioWorkletGlobalScope(AudioWorkletThread& thread, const WorkletParameters& parameters)
51-
: WorkletGlobalScope(thread, parameters)
51+
RefPtr<AudioWorkletGlobalScope> AudioWorkletGlobalScope::tryCreate(AudioWorkletThread& thread, const WorkletParameters& parameters)
52+
{
53+
auto vm = JSC::VM::tryCreate();
54+
if (!vm)
55+
return nullptr;
56+
return adoptRef(*new AudioWorkletGlobalScope(thread, vm.releaseNonNull(), parameters));
57+
}
58+
59+
AudioWorkletGlobalScope::AudioWorkletGlobalScope(AudioWorkletThread& thread, Ref<JSC::VM>&& vm, const WorkletParameters& parameters)
60+
: WorkletGlobalScope(thread, WTFMove(vm), parameters)
5261
, m_sampleRate(parameters.sampleRate)
5362
{
5463
ASSERT(!isMainThread());
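Review bot: tryCreate on lines 51 to 57 returns nullptr only when JSC::VM::tryCreate() fails; the `new AudioWorkletGlobalScope(...)` on line 56 is still an unguarded allocation, so under genuine memory exhaustion the process can still abort one line after the VM check succeeds. That is consistent with the narrow goal in the title (the RELEASE_ASSERT inside the VM constructor), but a one-line comment on tryCreate saying that only VM allocation is treated as recoverable would stop the next reader from assuming the factory is out-of-memory safe end to end. The ASSERT(!isMainThread()) on line 63 now runs after the VM has been created; if the thread check matters, moving it to the top of tryCreate would keep it ahead of the expensive allocation.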

Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.h

Lines changed: 6 additions & 5 deletions
@@ -33,6 +33,10 @@
3333
#include "MessagePort.h"
3434
#include "WorkletGlobalScope.h"
3535

36+
namespace JSC {
37+
class VM;
38+
}
39+
3640
namespace WebCore {
3741

3842
class AudioWorkletProcessorConstructionData;
@@ -45,10 +49,7 @@ struct WorkletParameters;
4549
class AudioWorkletGlobalScope : public WorkletGlobalScope {
4650
WTF_MAKE_ISO_ALLOCATED(AudioWorkletGlobalScope);
4751
public:
48-
static Ref<AudioWorkletGlobalScope> create(AudioWorkletThread& thread, const WorkletParameters& parameters)
49-
{
50-
return adoptRef(*new AudioWorkletGlobalScope(thread, parameters));
51-
}
52+
static RefPtr<AudioWorkletGlobalScope> tryCreate(AudioWorkletThread&, const WorkletParameters&);
5253
~AudioWorkletGlobalScope();
5354

5455
ExceptionOr<void> registerProcessor(String&& name, Ref<JSAudioWorkletProcessorConstructor>&&);
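Review bot: with create() replaced by a tryCreate() that returns RefPtr, every caller is now responsible for the null case; the only caller visible in this commit is AudioWorkletThread::createGlobalScope, which forwards the RefPtr and relies on WorkerOrWorkletThread to check it. Consider marking the declaration on line 52 WARN_UNUSED_RETURN so a future caller that discards the result is flagged at compile time, and documenting in a short comment that null means the JSC::VM could not be allocated.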
@@ -69,7 +70,7 @@ class AudioWorkletGlobalScope : public WorkletGlobalScope {
6970
void handlePostRenderTasks(size_t currentFrame);
7071

7172
private:
72-
AudioWorkletGlobalScope(AudioWorkletThread&, const WorkletParameters&);
73+
AudioWorkletGlobalScope(AudioWorkletThread&, Ref<JSC::VM>&&, const WorkletParameters&);
7374

7475
bool isAudioWorkletGlobalScope() const final { return true; }
7576

Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp

Lines changed: 2 additions & 2 deletions
@@ -46,9 +46,9 @@ AudioWorkletThread::AudioWorkletThread(AudioWorkletMessagingProxy& messagingProx
4646

4747
AudioWorkletThread::~AudioWorkletThread() = default;
4848

49-
Ref<WorkerOrWorkletGlobalScope> AudioWorkletThread::createGlobalScope()
49+
RefPtr<WorkerOrWorkletGlobalScope> AudioWorkletThread::createGlobalScope()
5050
{
51-
return AudioWorkletGlobalScope::create(*this, m_parameters);
51+
return AudioWorkletGlobalScope::tryCreate(*this, m_parameters);
5252
}
5353

5454
WorkerLoaderProxy& AudioWorkletThread::workerLoaderProxy()

Source/WebCore/Modules/webaudio/AudioWorkletThread.h

Lines changed: 1 addition & 1 deletion
@@ -58,7 +58,7 @@ class AudioWorkletThread : public WorkerOrWorkletThread {
5858

5959
// WorkerOrWorkletThread.
6060
Ref<WTF::Thread> createThread() final;
61-
Ref<WorkerOrWorkletGlobalScope> createGlobalScope() final;
61+
RefPtr<WorkerOrWorkletGlobalScope> createGlobalScope() final;
6262

6363
AudioWorkletMessagingProxy& m_messagingProxy;
6464
WorkletParameters m_parameters;

Source/WebCore/workers/WorkerOrWorkletThread.cpp

Lines changed: 6 additions & 0 deletions
@@ -111,6 +111,12 @@ void WorkerOrWorkletThread::workerOrWorkletThread()
111111
auto locker = holdLock(m_threadCreationAndGlobalScopeLock);
112112
m_globalScope = createGlobalScope();
113113

114+
// When running out of memory, createGlobalScope() may return null because we could not allocate a JSC::VM.
115+
if (!m_globalScope) {
116+
WTFLogAlways("Error: Failed to create a WorkerOrWorkerGlobalScope.");
117+
return;
118+
}
119+
114120
scriptController = m_globalScope->script();
115121

116122
if (m_runLoop.terminated()) {
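Review bot: the message on line 116 says "WorkerOrWorkerGlobalScope"; the type is WorkerOrWorkletGlobalScope, so the log line as written will not match the class name when someone greps for it. The early return on line 117 is the right shape for turning the former RELEASE_ASSERT into a soft failure, but it exits workerOrWorkletThread() before the code below runs, so it is worth confirming on the main-thread side what happens to the proxy and to the pending addModule() promise when no global scope is ever created: if nothing rejects the promise or tears down the thread object, the caller is left waiting on a thread that has already exited. If that path already exists elsewhere in the class, a comment after the return naming it would close the question for reviewers.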
