Bug 1416179: Prevent ArrayBufferObject from reserving memory larger than UINT32_MAX on !WASM_HUGE_MEMORY 64-bit platforms; r=lth
authordragan.mladjenovic <dragan.mladjenovic@rt-rk.com>
Tue, 07 Nov 2017 12:51:25 +0100
changeset 391993 7141bc93ea02033d8bd13859cf39ee1e426452ef
parent 391992 e74e4ec2cb39d737da0e16d0645e9dbdc564acd1
child 391994 c2e4e6d7886e75c3f545526880aa914abbde5ea0
push id32909
push usercbrindusan@mozilla.com
push dateWed, 15 Nov 2017 22:25:14 +0000
reviewerslth
bugs1416179
milestone59.0a1
Bug 1416179: Prevent ArrayBufferObject from reserving memory larger than UINT32_MAX on !WASM_HUGE_MEMORY 64-bit platforms; r=lth
js/src/vm/ArrayBufferObject.cpp
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -713,16 +713,28 @@ ArrayBufferObject::createForWasm(JSConte
     // memory". Maintain the invariant that initialSize <= maxSize.
     Maybe<uint32_t> maxSize = maybeMaxSize;
     if (sizeof(void*) == 4 && maybeMaxSize) {
         static const uint32_t OneGiB = 1 << 30;
         uint32_t clamp = Max(OneGiB, initialSize);
         maxSize = Some(Min(clamp, maybeMaxSize.value()));
     }
 
+#ifndef WASM_HUGE_MEMORY
+    if (sizeof(void*) == 8 && maybeMaxSize && maybeMaxSize.value() == UINT32_MAX) {
+        // On 64-bit platforms that don't define WASM_HUGE_MEMORY
+        // clamp maxSize to smaller value that satisfies the 32-bit invariants
+        // maxSize + wasm::PageSize < UINT32_MAX and maxSize % wasm::PageSize == 0
+        uint32_t clamp = (wasm::MaxMemoryMaximumPages - 2) * wasm::PageSize;
+        MOZ_ASSERT(clamp < UINT32_MAX);
+        MOZ_ASSERT(initialSize <= clamp);
+        maxSize = Some(clamp);
+    }
+#endif
+
     RootedArrayBufferObject buffer(cx, ArrayBufferObject::createEmpty(cx));
     if (!buffer)
         return nullptr;
 
     // Try to reserve the maximum requested memory
     WasmArrayRawBuffer* wasmBuf = WasmArrayRawBuffer::Allocate(initialSize, maxSize);
     if (!wasmBuf) {
 #ifdef  WASM_HUGE_MEMORY
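Review bot: The new 64-bit guard at the `#ifndef WASM_HUGE_MEMORY` branch only triggers when the requested maximum is exactly `UINT32_MAX`, so a page-aligned maximum that is larger than `clamp` but not equal to `UINT32_MAX` (for example `(wasm::MaxMemoryMaximumPages - 1) * wasm::PageSize`) passes through unclamped and the `maxSize + wasm::PageSize < UINT32_MAX` invariant the comment promises is not established by this check; unless validation upstream guarantees `UINT32_MAX` is the only out-of-range value that can reach here, the condition should be expressed as the clamp it describes, e.g. hoist the constant and write `if (sizeof(void*) == 8 && maybeMaxSize && maybeMaxSize.value() > clamp) {`. Since `clamp` is a compile-time constant, the first assertion could become `static_assert((wasm::MaxMemoryMaximumPages - 2) * wasm::PageSize < UINT32_MAX, "...")` so it is checked in every build. The `MOZ_ASSERT(initialSize <= clamp)` compiles out in release builds, whereas the 32-bit branch above folds `initialSize` into its clamp with `Max()`; if a caller can reach this path with a larger `initialSize`, the `initialSize <= maxSize` invariant would be broken silently, so either the same `Max()` treatment or a documented reason why that cannot happen would help. The enclosing `createForWasm` both starts before and continues past this hunk.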