Fix out-of-memory crashes related to ArrayBuffer allocation

third_party/WebKit/Source/modules/websockets/DocumentWebSocketChannel.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 82 matching lines @@
 
 void DocumentWebSocketChannel::BlobLoader::cancel()
 {
     m_loader.cancel();
     // didFail will be called immediately.
     // |this| is deleted here.
 }
 
 void DocumentWebSocketChannel::BlobLoader::didFinishLoading()
 {
-    m_channel->didFinishLoadingBlob(m_loader.arrayBufferResult());
+    RefPtr<DOMArrayBuffer> result = m_loader.arrayBufferResultOrNull();
+    // TODO(junov): crbug.com/536816
+    // Is there a better way to handle an allocation failure instead
+    // of crashing? Would it be okay to fail silently by passing a nullptr?
+    // Should we call didFailLoadingBlob? If so, with which ErrorCode?
+    // Spec may need to be ammended for this.
+    RELEASE_ASSERT(result); // This is essentially an out-of-memory crash
+    m_channel->didFinishLoadingBlob(result.release());
     // |this| is deleted here.
 }
 
 void DocumentWebSocketChannel::BlobLoader::didFail(FileError::ErrorCode errorCode)
 {
     m_channel->didFailLoadingBlob(errorCode);
     // |this| is deleted here.
 }
 
 DocumentWebSocketChannel::DocumentWebSocketChannel(Document* document, WebSocketChannelClient* client, const String& sourceURL, unsigned lineNumber, WebSocketHandle *handle)
@@ skipping 78 matching lines @@
 
 void DocumentWebSocketChannel::send(const DOMArrayBuffer& buffer, unsigned byteOffset, unsigned byteLength)
 {
     WTF_LOG(Network, "DocumentWebSocketChannel %p sendArrayBuffer(%p, %u, %u)", this, buffer.data(), byteOffset, byteLength);
     // FIXME: Change the inspector API to show the entire message instead
     // of individual frames.
     InspectorInstrumentation::didSendWebSocketFrame(document(), m_identifier, WebSocketFrame::OpCodeBinary, true, static_cast<const char*>(buffer.data()) + byteOffset, byteLength);
     // buffer.slice copies its contents.
     // FIXME: Reduce copy by sending the data immediately when we don't need to
     // queue the data.
-    m_messages.append(adoptPtr(new Message(buffer.slice(byteOffset, byteOffset + byteLength))));
+    RefPtr<DOMArrayBuffer> slice = buffer.sliceOrNull(byteOffset, byteOffset + byteLength);
+    // FIXME: Could we propagate a RangeError exception from here instead the following assert?
+    RELEASE_ASSERT(slice); // This is an out-of-memory condition.
+    m_messages.append(adoptPtr(new Message(slice.release())));
     processSendQueue();
 }
 
 void DocumentWebSocketChannel::sendTextAsCharVector(PassOwnPtr<Vector<char>> data)
 {
     WTF_LOG(Network, "DocumentWebSocketChannel %p sendTextAsCharVector(%p, %llu)", this, data.get(), static_cast<unsigned long long>(data->size()));
     // FIXME: Change the inspector API to show the entire message instead
     // of individual frames.
     InspectorInstrumentation::didSendWebSocketFrame(document(), m_identifier, WebSocketFrame::OpCodeText, true, data->data(), data->size());
     m_messages.append(adoptPtr(new Message(data, MessageTypeTextAsCharVector)));
@@ skipping 342 matching lines @@
 
 DEFINE_TRACE(DocumentWebSocketChannel)
 {
     visitor->trace(m_blobLoader);
     visitor->trace(m_client);
     WebSocketChannel::trace(visitor);
     ContextLifecycleObserver::trace(visitor);
 }
 
 } // namespace blink