Chromium Code Reviews Chromium Code Reviews
Issue 1414553002:
Fix out-of-memory crashes related to ArrayBuffer allocation
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "modules/presentation/PresentationConnection.h" | 6 #include "modules/presentation/PresentationConnection.h" |
| 7 | 7 |
| 8 #include "bindings/core/v8/ScriptPromiseResolver.h" | 8 #include "bindings/core/v8/ScriptPromiseResolver.h" |
| 9 #include "core/dom/DOMArrayBuffer.h" | 9 #include "core/dom/DOMArrayBuffer.h" |
| 10 #include "core/dom/DOMArrayBufferView.h" | 10 #include "core/dom/DOMArrayBufferView.h" |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 73 { | 73 { |
| 74 m_loader.start(m_PresentationConnection->executionContext(), blobDataHan dle); | 74 m_loader.start(m_PresentationConnection->executionContext(), blobDataHan dle); |
| 75 } | 75 } |
| 76 ~BlobLoader() override { } | 76 ~BlobLoader() override { } |
| 77 | 77 |
| 78 // FileReaderLoaderClient functions. | 78 // FileReaderLoaderClient functions. |
| 79 void didStartLoading() override { } | 79 void didStartLoading() override { } |
| 80 void didReceiveData() override { } | 80 void didReceiveData() override { } |
| 81 void didFinishLoading() override | 81 void didFinishLoading() override |
| 82 { | 82 { |
| 83 m_PresentationConnection->didFinishLoadingBlob(m_loader.arrayBufferResul t()); | 83 RefPtr<DOMArrayBuffer> result = m_loader.arrayBufferResultOrNull(); |
| 84 // TODO(junov): crbug.com/536816 | |
| 85 // Is there a better way to handle an allocation failure instead | |
| 86 // of crashing? Would it be okay to fail silently by passing a nullptr? | |
| 87 // Should we call didFailLoadingBlob? If so, with which ErrorCode? | |
| 88 // Spec may need to be ammended for this. | |
| 89 RELEASE_ASSERT(result); // This is essentially an out-of-memory crash. | |
| 90 m_PresentationConnection->didFinishLoadingBlob(result.release()); | |
| 84 } | 91 } |
| 85 void didFail(FileError::ErrorCode errorCode) override | 92 void didFail(FileError::ErrorCode errorCode) override |
| 86 { | 93 { |
| 87 m_PresentationConnection->didFailLoadingBlob(errorCode); | 94 m_PresentationConnection->didFailLoadingBlob(errorCode); |
| 88 } | 95 } |
| 89 | 96 |
| 90 void cancel() | 97 void cancel() |
| 91 { | 98 { |
| 92 m_loader.cancel(); | 99 m_loader.cancel(); |
| 93 } | 100 } |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 200 m_messages.append(adoptPtr(new Message(arrayBuffer))); | 207 m_messages.append(adoptPtr(new Message(arrayBuffer))); |
| 201 handleMessageQueue(); | 208 handleMessageQueue(); |
| 202 } | 209 } |
| 203 | 210 |
| 204 void PresentationConnection::send(PassRefPtr<DOMArrayBufferView> arrayBufferView , ExceptionState& exceptionState) | 211 void PresentationConnection::send(PassRefPtr<DOMArrayBufferView> arrayBufferView , ExceptionState& exceptionState) |
| 205 { | 212 { |
| 206 ASSERT(arrayBufferView); | 213 ASSERT(arrayBufferView); |
| 207 if (!canSendMessage(exceptionState)) | 214 if (!canSendMessage(exceptionState)) |
| 208 return; | 215 return; |
| 209 | 216 |
| 210 m_messages.append(adoptPtr(new Message(arrayBufferView->buffer()))); | 217 RefPtr<DOMArrayBuffer> buffer = arrayBufferView->bufferOrNull(); |
| 218 RELEASE_ASSERT(buffer); // crbug.com/536816 | |
|
haraken
2015/10/29 18:58:37
Another idea would be to create bufferOrCrash(). T
Justin Novosad
2015/11/05 00:17:52
This bit of code was reverted. Getting a buffer ou
| |
| 219 m_messages.append(adoptPtr(new Message(buffer))); | |
| 211 handleMessageQueue(); | 220 handleMessageQueue(); |
| 212 } | 221 } |
| 213 | 222 |
| 214 void PresentationConnection::send(Blob* data, ExceptionState& exceptionState) | 223 void PresentationConnection::send(Blob* data, ExceptionState& exceptionState) |
| 215 { | 224 { |
| 216 ASSERT(data); | 225 ASSERT(data); |
| 217 if (!canSendMessage(exceptionState)) | 226 if (!canSendMessage(exceptionState)) |
| 218 return; | 227 return; |
| 219 | 228 |
| 220 m_messages.append(adoptPtr(new Message(data->blobDataHandle()))); | 229 m_messages.append(adoptPtr(new Message(data->blobDataHandle()))); |
| (...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 297 | 306 |
| 298 switch (m_binaryType) { | 307 switch (m_binaryType) { |
| 299 case BinaryTypeBlob: { | 308 case BinaryTypeBlob: { |
| 300 OwnPtr<BlobData> blobData = BlobData::create(); | 309 OwnPtr<BlobData> blobData = BlobData::create(); |
| 301 blobData->appendBytes(data, length); | 310 blobData->appendBytes(data, length); |
| 302 Blob* blob = Blob::create(BlobDataHandle::create(blobData.release(), len gth)); | 311 Blob* blob = Blob::create(BlobDataHandle::create(blobData.release(), len gth)); |
| 303 dispatchEvent(MessageEvent::create(blob)); | 312 dispatchEvent(MessageEvent::create(blob)); |
| 304 return; | 313 return; |
| 305 } | 314 } |
| 306 case BinaryTypeArrayBuffer: | 315 case BinaryTypeArrayBuffer: |
| 307 RefPtr<DOMArrayBuffer> buffer = DOMArrayBuffer::create(data, length); | 316 // TODO(junov): crbug.com/536816 |
| 317 // Use createOrNull instead of deprecatedCReateOrCrash. Requires | |
| 318 // determing an accepatble alternative to crashing when buffer | |
|
haraken
2015/10/29 18:58:37
determining an acceptable
Justin Novosad
2015/11/05 00:17:52
Done.
| |
| 319 // allocation fails. Should we just drop the event? Dispatch | |
| 320 // an event with null data? Dispatch some kind of error code? | |
| 321 // Behavior needs to be defined in the spec. | |
| 322 RefPtr<DOMArrayBuffer> buffer = DOMArrayBuffer::deprecatedCreateOrCrash( data, length); | |
| 308 dispatchEvent(MessageEvent::create(buffer.release())); | 323 dispatchEvent(MessageEvent::create(buffer.release())); |
| 309 return; | |
| 310 } | 324 } |
| 311 ASSERT_NOT_REACHED(); | 325 ASSERT_NOT_REACHED(); |
| 312 } | 326 } |
| 313 | 327 |
| 314 void PresentationConnection::close() | 328 void PresentationConnection::close() |
| 315 { | 329 { |
| 316 if (m_state != WebPresentationConnectionState::Connected) | 330 if (m_state != WebPresentationConnectionState::Connected) |
| 317 return; | 331 return; |
| 318 WebPresentationClient* client = presentationClient(executionContext()); | 332 WebPresentationClient* client = presentationClient(executionContext()); |
| 319 if (client) | 333 if (client) |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 362 { | 376 { |
| 363 ASSERT(!m_messages.isEmpty() && m_messages.first()->type == MessageTypeBlob) ; | 377 ASSERT(!m_messages.isEmpty() && m_messages.first()->type == MessageTypeBlob) ; |
| 364 // FIXME: generate error message? | 378 // FIXME: generate error message? |
| 365 // Ignore the current failed blob item and continue with next items. | 379 // Ignore the current failed blob item and continue with next items. |
| 366 m_messages.removeFirst(); | 380 m_messages.removeFirst(); |
| 367 m_blobLoader.clear(); | 381 m_blobLoader.clear(); |
| 368 handleMessageQueue(); | 382 handleMessageQueue(); |
| 369 } | 383 } |
| 370 | 384 |
| 371 } // namespace blink | 385 } // namespace blink |
| OLD | NEW |
