From 8dd16259287f58f9273002717ec4d27e97127719 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 12 Jun 2024 07:43:14 +0200 Subject: Merging upstream version 127.0. Signed-off-by: Daniel Baumann --- js/src/vm/SharedArrayObject.cpp | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'js/src/vm/SharedArrayObject.cpp') diff --git a/js/src/vm/SharedArrayObject.cpp b/js/src/vm/SharedArrayObject.cpp index e3e25e3de5..cf31660692 100644 --- a/js/src/vm/SharedArrayObject.cpp +++ b/js/src/vm/SharedArrayObject.cpp @@ -71,6 +71,23 @@ SharedArrayRawBuffer* SharedArrayRawBuffer::Allocate(bool isGrowable, if (!p) { return nullptr; } + MOZ_ASSERT(reinterpret_cast(p) % + ArrayBufferObject::ARRAY_BUFFER_ALIGNMENT == + 0, + "shared array buffer memory is aligned"); + + // jemalloc tiny allocations can produce allocations not aligned to the + // smallest std::malloc allocation. Ensure shared array buffer allocations + // don't have to worry about this special case. + static_assert(sizeof(SharedArrayRawBuffer) > sizeof(void*), + "SharedArrayRawBuffer doesn't fit in jemalloc tiny allocation"); + + static_assert(sizeof(SharedArrayRawBuffer) % + ArrayBufferObject::ARRAY_BUFFER_ALIGNMENT == + 0, + "sizeof(SharedArrayRawBuffer) is a multiple of the array " + "buffer alignment, so |p + sizeof(SharedArrayRawBuffer)| is " + "also array buffer aligned"); uint8_t* buffer = p + sizeof(SharedArrayRawBuffer); return new (p) SharedArrayRawBuffer(isGrowable, buffer, length); @@ -587,6 +604,7 @@ SharedArrayBufferType* SharedArrayBufferObject::NewWith( bool SharedArrayBufferObject::acceptRawBuffer(SharedArrayRawBuffer* buffer, size_t length) { + MOZ_ASSERT(!isInitialized()); if (!zone()->addSharedMemory(buffer, SharedArrayMappedSize(buffer->isWasm(), length), MemoryUse::SharedArrayRawBuffer)) { @@ -595,6 +613,7 @@ bool SharedArrayBufferObject::acceptRawBuffer(SharedArrayRawBuffer* buffer, setFixedSlot(RAWBUF_SLOT, PrivateValue(buffer)); setFixedSlot(LENGTH_SLOT, PrivateValue(length)); + MOZ_ASSERT(isInitialized()); return true; } @@ -605,6 +624,7 @@ void SharedArrayBufferObject::dropRawBuffer() { MemoryUse::SharedArrayRawBuffer); rawBufferObject()->dropReference(); setFixedSlot(RAWBUF_SLOT, UndefinedValue()); + MOZ_ASSERT(!isInitialized()); } SharedArrayRawBuffer* SharedArrayBufferObject::rawBufferObject() const { @@ -639,6 +659,11 @@ void SharedArrayBufferObject::addSizeOfExcludingThis( // the refcount goes down). But that's unlikely and hard to avoid, so we // just live with the risk. const SharedArrayBufferObject& buf = obj->as(); + + if (MOZ_UNLIKELY(!buf.isInitialized())) { + return; + } + size_t nbytes = buf.byteLengthOrMaxByteLength(); size_t owned = nbytes / buf.rawBufferObject()->refcount(); if (buf.isWasm()) { @@ -683,6 +708,7 @@ SharedArrayBufferObject* SharedArrayBufferObject::createFromNewRawBuffer( if (!obj->acceptRawBuffer(buffer, initialSize)) { buffer->dropReference(); + js::ReportOutOfMemory(cx); return nullptr; } -- cgit v1.2.3