Bug 1891412 - Handle uninitialized object in SharedArrayBufferObject::addSizeOfExcludingThis. r=jonco

Differential Revision: https://phabricator.services.mozilla.com/D207420
2024-04-16 07:51:36 +00:00 · 2024-04-16 07:51:36 +00:00 · 3c102993f0
--- a/js/src/jit-test/tests/sharedbuf/size-with-uninitialized.js
+++ b/js/src/jit-test/tests/sharedbuf/size-with-uninitialized.js
@ -0,0 +1,15 @@
+// OOM during SharedArrayBuffer initialization can expose partially initialized
+// object to metadata builder.
+// It shouldn't crash.
+
+newGlobal({ newCompartment: true }).Debugger(this).memory.trackingAllocationSites = true;
+for (let i = 0; i < 9; i++) {
+  oomTest(function () {
+    class C extends WebAssembly.Memory {}
+    new C({
+      initial: 0,
+      maximum: 1,
+      shared: 1,
+    });
+  });
+}
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@ -587,6 +587,7 @@ SharedArrayBufferType* SharedArrayBufferObject::NewWith(

 bool SharedArrayBufferObject::acceptRawBuffer(SharedArrayRawBuffer* buffer,
                                              size_t length) {
+  MOZ_ASSERT(!isInitialized());
  if (!zone()->addSharedMemory(buffer,
                               SharedArrayMappedSize(buffer->isWasm(), length),
                               MemoryUse::SharedArrayRawBuffer)) {
@ -595,6 +596,7 @@ bool SharedArrayBufferObject::acceptRawBuffer(SharedArrayRawBuffer* buffer,

  setFixedSlot(RAWBUF_SLOT, PrivateValue(buffer));
  setFixedSlot(LENGTH_SLOT, PrivateValue(length));
+  MOZ_ASSERT(isInitialized());
  return true;
 }

@ -605,6 +607,7 @@ void SharedArrayBufferObject::dropRawBuffer() {
                                          MemoryUse::SharedArrayRawBuffer);
  rawBufferObject()->dropReference();
  setFixedSlot(RAWBUF_SLOT, UndefinedValue());
+  MOZ_ASSERT(!isInitialized());
 }

 SharedArrayRawBuffer* SharedArrayBufferObject::rawBufferObject() const {
@ -639,6 +642,11 @@ void SharedArrayBufferObject::addSizeOfExcludingThis(
  // the refcount goes down). But that's unlikely and hard to avoid, so we
  // just live with the risk.
  const SharedArrayBufferObject& buf = obj->as<SharedArrayBufferObject>();
+
+  if (MOZ_UNLIKELY(!buf.isInitialized())) {
+    return;
+  }
+
  size_t nbytes = buf.byteLengthOrMaxByteLength();
  size_t owned = nbytes / buf.rawBufferObject()->refcount();
  if (buf.isWasm()) {
--- a/js/src/vm/SharedArrayObject.h
+++ b/js/src/vm/SharedArrayObject.h
@ -344,6 +344,13 @@ class SharedArrayBufferObject : public ArrayBufferObjectMaybeShared {
    return rawBufferObject()->volatileByteLength();
  }

+ private:
+  bool isInitialized() const {
+    bool initialized = getFixedSlot(RAWBUF_SLOT).isDouble();
+    MOZ_ASSERT_IF(initialized, getFixedSlot(LENGTH_SLOT).isDouble());
+    return initialized;
+  }
+
 public:
  // Returns either the byte length for fixed-length shared arrays. Or the
  // maximum byte length for growable shared arrays.