Bug 1844011: Handle OOM after JS_smprintf and js_calloc. r=rhunt

Differential Revision: https://phabricator.services.mozilla.com/D183847
2025-02-25 20:01:50 +00:00 · 2023-07-26 08:08:11 +00:00 · 2023-07-26 08:08:11 +00:00 · 84d736bc13
commit 84d736bc13
parent 21ded2975d
5 changed files with 48 additions and 0 deletions
--- a/js/src/jit-test/tests/wasm/exceptions/oom-construct-message.js
+++ b/js/src/jit-test/tests/wasm/exceptions/oom-construct-message.js
@ -0,0 +1,6 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+const tag = new WebAssembly.Tag({ parameters: ["i32"] });
+oomTest(() => {
+  new WebAssembly.Exception(tag, []);
+});
--- a/js/src/jit-test/tests/wasm/exceptions/oom-create-exception-data.js
+++ b/js/src/jit-test/tests/wasm/exceptions/oom-create-exception-data.js
@ -0,0 +1,9 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+const tag = new WebAssembly.Tag({ parameters: ["i32", "i32", "i32", "i32"] });
+const params = [0, 0, 0, 0];
+oomTest(() => {
+  for (var i = 0; i < 5; ++i) {
+    new WebAssembly.Exception(tag, params);
+  }
+});
--- a/js/src/jit-test/tests/wasm/regress/oom-wrong-argument-number-for-import-call.js
+++ b/js/src/jit-test/tests/wasm/regress/oom-wrong-argument-number-for-import-call.js
@ -0,0 +1,24 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+function f() {
+  // Too many results returned.
+  return [52, 10, 0, 0];
+}
+
+let binary = wasmTextToBinary(`
+  (module
+    (import "env" "f" (func $f (result i32 i32 i32)))
+    (func (export "run") (result i32)
+      (call $f)
+      i32.sub
+      i32.sub))
+`);
+
+let module = new WebAssembly.Module(binary);
+let instance = new WebAssembly.Instance(module, { env: { f } });
+let run = instance.exports.run;
+
+// Run once for setup.
+try { run(); } catch {}
+
+oomTest(run);
--- a/js/src/wasm/WasmInstance.cpp
+++ b/js/src/wasm/WasmInstance.cpp
@ -155,6 +155,10 @@ static bool UnpackResults(JSContext* cx, const ValTypeVector& resultTypes,
  if (resultTypes.length() != array->length()) {
    UniqueChars expected(JS_smprintf("%zu", resultTypes.length()));
    UniqueChars got(JS_smprintf("%u", array->length()));
+    if (!expected || !got) {
+      ReportOutOfMemory(cx);
+      return false;
+    }

    JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr,
                             JSMSG_WASM_WRONG_NUMBER_OF_VALUES, expected.get(),
--- a/js/src/wasm/WasmJS.cpp
+++ b/js/src/wasm/WasmJS.cpp
@ -3719,6 +3719,10 @@ bool WasmExceptionObject::construct(JSContext* cx, unsigned argc, Value* vp) {
    if (done) {
      UniqueChars expected(JS_smprintf("%zu", params.length()));
      UniqueChars got(JS_smprintf("%zu", i));
+      if (!expected || !got) {
+        ReportOutOfMemory(cx);
+        return false;
+      }

      JS_ReportErrorNumberUTF8(cx, GetErrorMessage, nullptr,
                               JSMSG_WASM_BAD_EXN_PAYLOAD_LEN, expected.get(),
@ -3751,6 +3755,7 @@ WasmExceptionObject* WasmExceptionObject::create(JSContext* cx,
  // does not result in a partially constructed object.
  uint8_t* data = (uint8_t*)js_calloc(tagType->size_);
  if (!data) {
+    ReportOutOfMemory(cx);
    return nullptr;
  }