-rw-r--r--js/src/vm/SharedArrayObject.cpp34
1 files changed, 19 insertions, 15 deletions
diff --git a/js/src/vm/SharedArrayObject.cpp b/js/src/vm/SharedArrayObject.cpp
index 730578cd4a..c69306aaca 100644
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -116,22 +116,22 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length)
if (allocSize <= length)
return nullptr;
+ // Test >= to guard against the case where multiple extant runtimes
+ // race to allocate.
+ if (++numLive >= maxLive) {
+ JSRuntime* rt = cx->runtime();
+ if (rt->largeAllocationFailureCallback)
+ rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
+ if (numLive >= maxLive) {
+ numLive--;
+ return nullptr;
+ }
+ }
+
bool preparedForAsmJS = jit::JitOptions.asmJSAtomicsEnable && IsValidAsmJSHeapLength(length);
void* p = nullptr;
if (preparedForAsmJS) {
- // Test >= to guard against the case where multiple extant runtimes
- // race to allocate.
- if (++numLive >= maxLive) {
- JSRuntime* rt = cx->runtime();
- if (rt->largeAllocationFailureCallback)
- rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
- if (numLive >= maxLive) {
- numLive--;
- return nullptr;
- }
- }
-
uint32_t mappedSize = SharedArrayMappedSize(allocSize);
// Get the entire reserved region (with all pages inaccessible)
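Review bot: Moving `++numLive` ahead of the `preparedForAsmJS` branch means every `return nullptr` that follows it must now undo the increment, and only the non-asm.js `MapMemory` failure in the next hunk visibly does so; the asm.js mapping failures that sit between the two hunks are outside the diff, so confirm each of them still decrements (they presumably did, since the increment already preceded them before this change). The same point applies to the second hunk, which is the only added decrement on an early exit. Since `numLive` now caps all shared buffers rather than only asm.js ones, the recheck after the callback deserves a comment, e.g. `// The cap now covers every shared buffer: the callback is given a chance to free memory, so recheck before failing.` SharedArrayRawBuffer::New continues outside the hunk.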
@@ -154,8 +154,10 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length)
# endif
} else {
p = MapMemory(allocSize, true);
- if (!p)
+ if (!p) {
+ numLive--;
return nullptr;
+ }
}
uint8_t* buffer = reinterpret_cast<uint8_t*>(p) + gc::SystemPageSize();
@@ -189,8 +191,6 @@ SharedArrayRawBuffer::dropReference()
uint32_t allocSize = SharedArrayAllocSize(this->length);
if (this->preparedForAsmJS) {
- numLive--;
-
uint32_t mappedSize = SharedArrayMappedSize(allocSize);
UnmapMemory(address, mappedSize);
@@ -202,6 +202,10 @@ SharedArrayRawBuffer::dropReference()
} else {
UnmapMemory(address, allocSize);
}
+
+ // Decrement the buffer counter at the end -- otherwise, a race condition
+ // could enable the creation of unlimited buffers.
+ numLive--;
}
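Review bot: The new comment says a race "could enable the creation of unlimited buffers" but does not say which ordering is being protected, and that is what a future maintainer moving the line needs; I would replace it with `// Decrement only after UnmapMemory: a concurrent New() that passed the maxLive check before the unmap would let live mappings exceed the cap.` It is also worth stating in the comment that this single decrement now pairs with the single increment at the top of New, since the asm.js-only decrement was removed in the previous hunk. The start of dropReference, including whatever reference-count check guards this path, is outside the hunk.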