Modified: trunk/LayoutTests/ChangeLog (264412 => 264413)
--- trunk/LayoutTests/ChangeLog 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/LayoutTests/ChangeLog 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,3 +1,24 @@
+2020-07-15 Mark Lam <[email protected]>
+
+ Add handling of out of memory handling while adding a worklet module.
+ https://bugs.webkit.org/show_bug.cgi?id=214354
+ <rdar://problem/65271931>
+
+ Reviewed by Yusuke Suzuki and Keith Miller.
+
+ We're skipping the new test on Debug builds because it will always run too slow.
+ The Release build is sufficient to test this OOME handling.
+
+ * TestExpectations:
+ * fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt: Added.
+ * fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html: Added.
+ * fast/css-custom-paint/script-tests: Added.
+ * fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js: Added.
+ (useAllMemory.try.get Object):
+ (useAllMemory.try.foo):
+ (useAllMemory):
+ (catch):
+
2020-07-15 Hector Lopez <[email protected]>
[ iOS Debug ] fast/text-indicator/text-indicator-empty-link.html is a flaky crash
Modified: trunk/LayoutTests/TestExpectations (264412 => 264413)
--- trunk/LayoutTests/TestExpectations 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/LayoutTests/TestExpectations 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1108,6 +1108,9 @@
webkit.org/b/136078 fast/borders/border-painting-dotted.html [ ImageOnlyFailure ]
webkit.org/b/136078 fast/borders/border-painting-double.html [ ImageOnlyFailure ]
+# Skip this because it is too slow on debug builds.
+[ Debug ] fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html [ Skip ]
+
# official flexbox tests
webkit.org/b/143294 imported/w3c/web-platform-tests/css/css-flexbox/css-flexbox-height-animation-stretch.html [ Pass ImageOnlyFailure ]
webkit.org/b/136754 css3/flexbox/csswg/flex-align-items-center.html [ ImageOnlyFailure ]
Added: trunk/LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt (0 => 264413)
--- trunk/LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module-expected.txt 2020-07-15 19:20:21 UTC (rev 264413)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: RangeError: Out of memory
+
Added: trunk/LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html (0 => 264413)
--- trunk/LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html (rev 0)
+++ trunk/LayoutTests/fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html 2020-07-15 19:20:21 UTC (rev 264413)
@@ -0,0 +1,3 @@
+<script src=""
+<script src=""
+<script src=""
Added: trunk/LayoutTests/fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js (0 => 264413)
--- trunk/LayoutTests/fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js (rev 0)
+++ trunk/LayoutTests/fast/css-custom-paint/script-tests/out-of-memory-while-adding-worklet-module.js 2020-07-15 19:20:21 UTC (rev 264413)
@@ -0,0 +1,28 @@
+function useAllMemory() {
+ try {
+ const a = [];
+ a.__proto__ = {};
+ Object.defineProperty(a, 0, { get: foo });
+ Object.defineProperty(a, 80000000, {});
+ function foo() {
+ new Uint8Array(a);
+ }
+ new Promise(foo);
+ while(1) {
+ new ArrayBuffer(1000);
+ }
+ } catch { }
+}
+
+var exception;
+useAllMemory();
+try {
+ for (let i = 0; i < 1000; i++) {
+ CSS.paintWorklet.addModule('');
+ }
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Out of memory")
+ throw "FAIL: expect: 'RangeError: Out of memory', actual: '" + exception + "'";
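Review bot: `exception != "RangeError: Out of memory"` relies on implicit coercion of the Error object through `toString`; `String(exception) !== "RangeError: Out of memory"` states the intent and behaves the same when nothing was thrown (`"undefined"`). `useAllMemory` swallows every exception with the bare `catch { }`, so if memory exhaustion silently fails the test still proceeds and only the final mismatch is reported, which is acceptable for a regression test but deserves a one-line comment above the function such as `// Exhaust the Gigacage so that VM creation inside addModule() fails.` (the Gigacage is the failure mode named in the JavaScriptCore ChangeLog). A similar comment above the `for` loop explaining why 1000 `addModule('')` calls are needed, rather than one, would help the next person who has to adjust the count.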
Modified: trunk/Source/_javascript_Core/ChangeLog (264412 => 264413)
--- trunk/Source/_javascript_Core/ChangeLog 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,3 +1,23 @@
+2020-07-15 Mark Lam <[email protected]>
+
+ Add handling of out of memory handling while adding a worklet module.
+ https://bugs.webkit.org/show_bug.cgi?id=214354
+ <rdar://problem/65271931>
+
+ Reviewed by Yusuke Suzuki and Keith Miller.
+
+ Add VM::tryCreate() that can fail if we encounter an out of memory issue.
+ As always, we're taking a best effort approach to handling out of memory errors.
+ Hence, we will not attempt to exhaustively handle every OOME scenario. This patch
+ only checks for failure to allocate a BigInt due to Gigacage exhaustion. While it
+ doesn't handle other allocation errors, it does enable us to add handling of other
+ cases in the future as needed.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::tryCreate):
+ * runtime/VM.h:
+
2020-07-15 Jim Mason <[email protected]>
[WTF] Fix PackedAlignedPtr for X86_64 canonical addresses
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (264412 => 264413)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2020-07-15 19:20:21 UTC (rev 264413)
@@ -262,7 +262,7 @@
static bool vmCreationShouldCrash = false;
-VM::VM(VMType vmType, HeapType heapType, WTF::RunLoop* runLoop)
+VM::VM(VMType vmType, HeapType heapType, WTF::RunLoop* runLoop, bool* success)
: m_id(nextID())
, m_apiLock(adoptRef(new JSLock(this)))
, m_runLoop(runLoop ? *runLoop : WTF::RunLoop::current())
@@ -464,8 +464,14 @@
}
{
auto* bigInt = JSBigInt::tryCreateFrom(*this, 1);
- RELEASE_ASSERT(bigInt);
- heapBigIntConstantOne.set(*this, bigInt);
+ if (bigInt)
+ heapBigIntConstantOne.set(*this, bigInt);
+ else {
+ if (success)
+ *success = false;
+ else
+ RELEASE_ASSERT(bigInt);
+ }
}
Thread::current().setCurrentAtomStringTable(existingEntryAtomStringTable);
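Review bot: The constructor only ever clears the flag (`*success = false;`) and never sets it, so correctness depends on every caller pre-initialising it the way tryCreate does with `bool success = true;`; writing `if (success) *success = true;` at the top of the constructor body, or at least documenting that contract on the `bool* success` parameter in VM.h (that file's second hunk), would make the out-parameter self-describing. Construction also continues after the failure is recorded — `setCurrentAtomStringTable` on the line after the block still runs — so a comment such as `// Keep initialising so the partially built VM can go through normal destruction in tryCreate(); heapBigIntConstantOne stays unset.` would show this is deliberate. `else RELEASE_ASSERT(bigInt);` is reached only when bigInt is null, so it always fires; if the expression is kept for the sake of the crash-log message, a short comment saying so saves the reader from wondering. The constructor begins and ends outside this hunk.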
@@ -674,6 +680,28 @@
return adoptRef(*new VM(Default, heapType, runLoop));
}
+RefPtr<VM> VM::tryCreate(HeapType heapType, WTF::RunLoop* runLoop)
+{
+ bool success = true;
+ RefPtr<VM> vm = adoptRef(new VM(Default, heapType, runLoop, &success));
+ if (!success) {
+ // Here, we're destructing a partially constructed VM and we know that
+ // no one else can be using it at the same time. So, acquiring the lock
+ // is superflous. However, we don't want to change how VMs are destructed.
+ // Just going through the motion of acquiring the lock here allows us to
+ // use the standard destruction process.
+
+ // VM expects us to be holding the VM lock when destructing it. Acquiring
+ // the lock also puts the VM in a state (e.g. acquiring heap access) that
+ // is needed for destruction. The lock will hold the last reference to
+ // the VM after we nullify the refPtr below. The VM will actually be
+ // destructed in JSLockHolder's destructor.
+ JSLockHolder lock(vm.get());
+ vm = nullptr;
+ }
+ return vm;
+}
+
bool VM::sharedInstanceExists()
{
return sharedInstanceInternal();
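Review bot: Typo in the added comment: `superflous` should be `superfluous`. The comment block also leaves implicit that the only failure currently detected is the `heapBigIntConstantOne` allocation (as the ChangeLog states), so other allocation failures inside the constructor still crash; a line above the function such as `// Currently only the BigInt constant allocation is checked; other OOM paths in the constructor still RELEASE_ASSERT.` keeps that limit next to the code that has it.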
Modified: trunk/Source/_javascript_Core/runtime/VM.h (264412 => 264413)
--- trunk/Source/_javascript_Core/runtime/VM.h 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2020-07-15 19:20:21 UTC (rev 264413)
@@ -314,6 +314,7 @@
JS_EXPORT_PRIVATE static VM& sharedInstance();
JS_EXPORT_PRIVATE static Ref<VM> create(HeapType = SmallHeap, WTF::RunLoop* = nullptr);
+ JS_EXPORT_PRIVATE static RefPtr<VM> tryCreate(HeapType = SmallHeap, WTF::RunLoop* = nullptr);
static Ref<VM> createContextGroup(HeapType = SmallHeap);
JS_EXPORT_PRIVATE ~VM();
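Review bot: `tryCreate` is a new public API that can return null, with no comment on what null means or when to prefer it over `create`; a declaration comment such as `// Like create(), but returns nullptr instead of crashing when the VM cannot be fully constructed because of an out-of-memory condition (currently only detected for the BigInt constant allocation).` gives callers that contract without reading VM.cpp. The `RefPtr` return also means callers must null-check before `releaseNonNull()`, as PaintWorkletGlobalScope::tryCreate does in this commit; saying so here makes that expectation explicit.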
@@ -1101,7 +1102,7 @@
private:
friend class LLIntOffsetsExtractor;
- VM(VMType, HeapType, WTF::RunLoop* = nullptr);
+ VM(VMType, HeapType, WTF::RunLoop* = nullptr, bool* success = nullptr);
static VM*& sharedInstanceInternal();
void createNativeThunk();
Modified: trunk/Source/WebCore/ChangeLog (264412 => 264413)
--- trunk/Source/WebCore/ChangeLog 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/ChangeLog 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,3 +1,32 @@
+2020-07-15 Mark Lam <[email protected]>
+
+ Add handling of out of memory handling while adding a worklet module.
+ https://bugs.webkit.org/show_bug.cgi?id=214354
+ <rdar://problem/65271931>
+
+ Reviewed by Yusuke Suzuki and Keith Miller.
+
+ Test: fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html
+
+ * bindings/js/JSDOMExceptionHandling.cpp:
+ (WebCore::createDOMException):
+ * dom/ExceptionCode.h:
+ * worklets/PaintWorkletGlobalScope.cpp:
+ (WebCore::PaintWorkletGlobalScope::tryCreate):
+ (WebCore::PaintWorkletGlobalScope::PaintWorkletGlobalScope):
+ (WebCore::PaintWorkletGlobalScope::create): Deleted.
+ * worklets/PaintWorkletGlobalScope.h:
+ * worklets/Worklet.cpp:
+ (WebCore::Worklet::addModule):
+ * worklets/Worklet.h:
+ * worklets/Worklet.idl:
+ * worklets/WorkletGlobalScope.cpp:
+ (WebCore::WorkletGlobalScope::WorkletGlobalScope):
+ * worklets/WorkletGlobalScope.h:
+ * worklets/WorkletScriptController.cpp:
+ (WebCore::WorkletScriptController::WorkletScriptController):
+ * worklets/WorkletScriptController.h:
+
2020-07-15 Oriol Brufau <[email protected]>
[css-grid] Rename SmallestTrackStart to ExplicitGridStart
Modified: trunk/Source/WebCore/bindings/js/JSDOMExceptionHandling.cpp (264412 => 264413)
--- trunk/Source/WebCore/bindings/js/JSDOMExceptionHandling.cpp 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/bindings/js/JSDOMExceptionHandling.cpp 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2001 Harri Porten ([email protected])
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2020 Apple Inc. All rights reserved.
* Copyright (C) 2007 Samuel Weinig <[email protected]>
* Copyright (C) 2013 Michael Pruett <[email protected]>
*
@@ -139,6 +139,8 @@
if (ec == StackOverflowError)
return createStackOverflowError(lexicalGlobalObject);
+ if (ec == OutOfMemoryError)
+ return createOutOfMemoryError(lexicalGlobalObject);
// FIXME: All callers to createDOMException need to pass in the correct global object.
// For now, we're going to assume the lexicalGlobalObject. Which is wrong in cases like this:
Modified: trunk/Source/WebCore/dom/ExceptionCode.h (264412 => 264413)
--- trunk/Source/WebCore/dom/ExceptionCode.h 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/dom/ExceptionCode.h 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2020 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -64,6 +64,7 @@
// Non-standard error.
StackOverflowError,
+ OutOfMemoryError,
// Used to indicate to the bindings that a JS exception was thrown below and it should be propagated.
ExistingExceptionError,
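Review bot: The comment above the new enumerator, `// Non-standard error.`, is now singular for two entries; `// Non-standard errors.` reads correctly. Inserting `OutOfMemoryError` before `ExistingExceptionError` also shifts the numeric value of every later enumerator; nothing on this page shows ExceptionCode values being stored or sent across a process boundary, but if they ever are, that renumbering is worth confirming before landing.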
Modified: trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.cpp (264412 => 264413)
--- trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.cpp 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.cpp 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -41,13 +41,16 @@
WTF_MAKE_ISO_ALLOCATED_IMPL(PaintWorkletGlobalScope);
-Ref<PaintWorkletGlobalScope> PaintWorkletGlobalScope::create(Document& document, ScriptSourceCode&& code)
+RefPtr<PaintWorkletGlobalScope> PaintWorkletGlobalScope::tryCreate(Document& document, ScriptSourceCode&& code)
{
- return adoptRef(*new PaintWorkletGlobalScope(document, WTFMove(code)));
+ RefPtr<VM> vm = VM::tryCreate();
+ if (!vm)
+ return nullptr;
+ return adoptRef(*new PaintWorkletGlobalScope(document, vm.releaseNonNull(), WTFMove(code)));
}
-PaintWorkletGlobalScope::PaintWorkletGlobalScope(Document& document, ScriptSourceCode&& code)
- : WorkletGlobalScope(document, WTFMove(code))
+PaintWorkletGlobalScope::PaintWorkletGlobalScope(Document& document, Ref<VM>&& vm, ScriptSourceCode&& code)
+ : WorkletGlobalScope(document, WTFMove(vm), WTFMove(code))
{
}
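Review bot: `tryCreate` now has a null return with no comment saying what null means; a line above the definition (or at the declaration in PaintWorkletGlobalScope.h, in that file's third hunk) such as `// Returns nullptr when a JSC::VM could not be created (out of memory); the caller reports this to script.` saves readers a trip into VM::tryCreate. As a point of style, `RefPtr<VM> vm = VM::tryCreate();` could be `auto vm = VM::tryCreate();`, matching the `auto maybeContext` form used at the call site in Worklet.cpp.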
Modified: trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.h (264412 => 264413)
--- trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.h 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/PaintWorkletGlobalScope.h 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -34,6 +34,7 @@
namespace JSC {
class JSObject;
+class VM;
} // namespace JSC
namespace WebCore {
@@ -42,7 +43,7 @@
class PaintWorkletGlobalScope : public WorkletGlobalScope {
WTF_MAKE_ISO_ALLOCATED(PaintWorkletGlobalScope);
public:
- static Ref<PaintWorkletGlobalScope> create(Document&, ScriptSourceCode&&);
+ static RefPtr<PaintWorkletGlobalScope> tryCreate(Document&, ScriptSourceCode&&);
ExceptionOr<void> registerPaint(JSC::JSGlobalObject&, const String& name, JSC::Strong<JSC::JSObject> paintConstructor);
double devicePixelRatio() const;
@@ -72,7 +73,7 @@
}
private:
- PaintWorkletGlobalScope(Document&, ScriptSourceCode&&);
+ PaintWorkletGlobalScope(Document&, Ref<JSC::VM>&&, ScriptSourceCode&&);
~PaintWorkletGlobalScope()
{
Modified: trunk/Source/WebCore/worklets/Worklet.cpp (264412 => 264413)
--- trunk/Source/WebCore/worklets/Worklet.cpp 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/Worklet.cpp 2020-07-15 19:20:21 UTC (rev 264413)
@@ -46,16 +46,21 @@
{
}
-void Worklet::addModule(Document& document, const String& moduleURL)
+ExceptionOr<void> Worklet::addModule(Document& document, const String& moduleURL)
{
// FIXME: We should download the source from the URL
// https://bugs.webkit.org/show_bug.cgi?id=191136
- auto context = PaintWorkletGlobalScope::create(document, ScriptSourceCode(moduleURL));
+ auto maybeContext = PaintWorkletGlobalScope::tryCreate(document, ScriptSourceCode(moduleURL));
+ if (UNLIKELY(!maybeContext))
+ return Exception { OutOfMemoryError };
+ auto context = maybeContext.releaseNonNull();
context->evaluate();
auto locker = holdLock(context->paintDefinitionLock());
for (auto& name : context->paintDefinitionMap().keys())
document.setPaintWorkletGlobalScopeForName(name, makeRef(context.get()));
+
+ return { };
}
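Review bot: Only the VM-creation failure is surfaced as `Exception { OutOfMemoryError }`; `context->evaluate()` on the following line runs the module script, and any failure there — including a later out-of-memory condition inside the freshly created VM — still goes unreported to the caller. If evaluate() can signal failure, propagating it here would be consistent with the new `ExceptionOr<void>` return; otherwise, since the JavaScriptCore ChangeLog describes the handling as best-effort, a marker such as `// FIXME: Failures during evaluate() are not propagated to the caller yet.` documents the remaining gap. Minor style: the blank line before `return { };` is not used elsewhere in this function.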
} // namespace WebCore
Modified: trunk/Source/WebCore/worklets/Worklet.h (264412 => 264413)
--- trunk/Source/WebCore/worklets/Worklet.h 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/Worklet.h 2020-07-15 19:20:21 UTC (rev 264413)
@@ -25,6 +25,7 @@
#pragma once
+#include "ExceptionOr.h"
#include "ScriptWrappable.h"
#include <wtf/RefCounted.h>
@@ -38,7 +39,7 @@
public:
static Ref<Worklet> create();
- void addModule(Document&, const String& moduleURL);
+ ExceptionOr<void> addModule(Document&, const String& moduleURL);
private:
Worklet();
Modified: trunk/Source/WebCore/worklets/Worklet.idl (264412 => 264413)
--- trunk/Source/WebCore/worklets/Worklet.idl 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/Worklet.idl 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
-* Copyright (C) 2018 Apple Inc. All rights reserved.
+* Copyright (C) 2018-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -29,5 +29,5 @@
ImplementationLacksVTable,
Global=Worklet,
] interface Worklet {
- [CallWith=Document] void addModule(USVString moduleURL/*, optional WorkletOptions options*/);
+ [CallWith=Document, MayThrowException] void addModule(USVString moduleURL/*, optional WorkletOptions options*/);
};
Modified: trunk/Source/WebCore/worklets/WorkletGlobalScope.cpp (264412 => 264413)
--- trunk/Source/WebCore/worklets/WorkletGlobalScope.cpp 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/WorkletGlobalScope.cpp 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -47,9 +47,9 @@
WTF_MAKE_ISO_ALLOCATED_IMPL(WorkletGlobalScope);
-WorkletGlobalScope::WorkletGlobalScope(Document& document, ScriptSourceCode&& code)
+WorkletGlobalScope::WorkletGlobalScope(Document& document, Ref<JSC::VM>&& vm, ScriptSourceCode&& code)
: m_document(makeWeakPtr(document))
- , m_script(makeUnique<WorkletScriptController>(this))
+ , m_script(makeUnique<WorkletScriptController>(WTFMove(vm), this))
, m_topOrigin(SecurityOrigin::createUnique())
, m_code(WTFMove(code))
{
Modified: trunk/Source/WebCore/worklets/WorkletGlobalScope.h (264412 => 264413)
--- trunk/Source/WebCore/worklets/WorkletGlobalScope.h 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/WorkletGlobalScope.h 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -87,7 +87,7 @@
virtual void prepareForDestruction();
protected:
- WorkletGlobalScope(Document&, ScriptSourceCode&&);
+ WorkletGlobalScope(Document&, Ref<JSC::VM>&&, ScriptSourceCode&&);
WorkletGlobalScope(const WorkletGlobalScope&) = delete;
WorkletGlobalScope(WorkletGlobalScope&&) = delete;
Modified: trunk/Source/WebCore/worklets/WorkletScriptController.cpp (264412 => 264413)
--- trunk/Source/WebCore/worklets/WorkletScriptController.cpp 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/WorkletScriptController.cpp 2020-07-15 19:20:21 UTC (rev 264413)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -47,8 +47,8 @@
namespace WebCore {
using namespace JSC;
-WorkletScriptController::WorkletScriptController(WorkletGlobalScope* workletGlobalScope)
- : m_vm(VM::create())
+WorkletScriptController::WorkletScriptController(Ref<VM>&& vm, WorkletGlobalScope* workletGlobalScope)
+ : m_vm(WTFMove(vm))
, m_workletGlobalScope(workletGlobalScope)
, m_workletGlobalScopeWrapper(*m_vm)
{
Modified: trunk/Source/WebCore/worklets/WorkletScriptController.h (264412 => 264413)
--- trunk/Source/WebCore/worklets/WorkletScriptController.h 2020-07-15 19:05:39 UTC (rev 264412)
+++ trunk/Source/WebCore/worklets/WorkletScriptController.h 2020-07-15 19:20:21 UTC (rev 264413)
@@ -49,7 +49,7 @@
class WorkletScriptController {
WTF_MAKE_NONCOPYABLE(WorkletScriptController); WTF_MAKE_FAST_ALLOCATED;
public:
- WorkletScriptController(WorkletGlobalScope*);
+ WorkletScriptController(Ref<VM>&&, WorkletGlobalScope*);
~WorkletScriptController();
JSWorkletGlobalScope* workletGlobalScopeWrapper()