fix(ecmascript): Do not expose uninitialized data through ArrayBuffer…

… resizing (#563)

nova_vm/src/ecmascript/types/spec/data_block.rs

@@ -6,6 +6,7 @@
 
 use std::{
     alloc::{alloc_zeroed, dealloc, handle_alloc_error, realloc, Layout},
+    mem::MaybeUninit,
     ptr::{self, read_unaligned, write_unaligned, NonNull},
 };
 
@@ -737,6 +738,24 @@ impl DataBlock {
         // size is non-zero, and cannot overflow isize (on a 64-bit machine).
         let ptr = unsafe { realloc(ptr, layout, new_byte_length) };
         self.ptr = NonNull::new(ptr);
+        if new_byte_length > self.byte_length {
+            // Need to zero out the new data.
+            if let Some(ptr) = self.ptr {
+                // SAFETY: The new pointer does point to valid data which is
+                // big enough.
+                let new_data_ptr = unsafe { ptr.add(self.byte_length) };
+                // SAFETY: The new pointer does point to valid, big enough
+                // allocation which contains uninitialized bytes. No one else
+                // can hold a reference to it currently.
+                let data_slice = unsafe {
+                    std::slice::from_raw_parts_mut(
+                        new_data_ptr.as_ptr().cast::<MaybeUninit<u8>>(),
+                        new_byte_length - self.byte_length,
+                    )
+                };
+                data_slice.fill(MaybeUninit::new(0));
+            }
+        }
         self.byte_length = new_byte_length;
     }
 }

tests/expectations.json

@@ -107,7 +107,6 @@
   "built-ins/Array/proto-from-ctor-realm-two.js": "FAIL",
   "built-ins/Array/proto-from-ctor-realm-zero.js": "FAIL",
   "built-ins/Array/prototype/Symbol.unscopables/prop-desc.js": "FAIL",
-  "built-ins/Array/prototype/at/typed-array-resizable-buffer.js": "CRASH",
   "built-ins/Array/prototype/concat/Array.prototype.concat_spreadable-string-wrapper.js": "CRASH",
   "built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js": "FAIL",
   "built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js": "FAIL",
@@ -117,7 +116,6 @@
   "built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js": "FAIL",
   "built-ins/Array/prototype/copyWithin/negative-out-of-bounds-end.js": "CRASH",
   "built-ins/Array/prototype/copyWithin/resizable-buffer.js": "CRASH",
-  "built-ins/Array/prototype/entries/resizable-buffer-grow-mid-iteration.js": "CRASH",
   "built-ins/Array/prototype/entries/resizable-buffer.js": "CRASH",
   "built-ins/Array/prototype/every/15.4.4.16-1-10.js": "FAIL",
   "built-ins/Array/prototype/every/15.4.4.16-1-11.js": "CRASH",
@@ -152,7 +150,6 @@
   "built-ins/Array/prototype/fill/fill-values-relative-end.js": "FAIL",
   "built-ins/Array/prototype/fill/fill-values-relative-start.js": "FAIL",
   "built-ins/Array/prototype/fill/fill-values.js": "FAIL",
-  "built-ins/Array/prototype/fill/resizable-buffer.js": "CRASH",
   "built-ins/Array/prototype/fill/return-this.js": "FAIL",
   "built-ins/Array/prototype/filter/15.4.4.20-1-11.js": "CRASH",
   "built-ins/Array/prototype/filter/15.4.4.20-1-12.js": "CRASH",
@@ -313,7 +310,6 @@
   "built-ins/Array/prototype/reverse/get_if_present_with_delete.js": "CRASH",
   "built-ins/Array/prototype/reverse/length-exceeding-integer-limit-with-proxy.js": "CRASH",
   "built-ins/Array/prototype/reverse/resizable-buffer.js": "CRASH",
-  "built-ins/Array/prototype/slice/coerced-start-end-grow.js": "CRASH",
   "built-ins/Array/prototype/slice/create-proto-from-ctor-realm-array.js": "FAIL",
   "built-ins/Array/prototype/slice/create-proto-from-ctor-realm-non-array.js": "FAIL",
   "built-ins/Array/prototype/slice/create-revoked-proxy.js": "CRASH",
@@ -327,7 +323,6 @@
   "built-ins/Array/prototype/some/15.4.4.17-7-c-iii-21.js": "CRASH",
   "built-ins/Array/prototype/some/15.4.4.17-7-c-iii-22.js": "CRASH",
   "built-ins/Array/prototype/some/resizable-buffer.js": "CRASH",
-  "built-ins/Array/prototype/sort/comparefn-grow.js": "CRASH",
   "built-ins/Array/prototype/sort/comparefn-resizable-buffer.js": "CRASH",
   "built-ins/Array/prototype/sort/resizable-buffer-default-comparator.js": "CRASH",
   "built-ins/Array/prototype/splice/create-proto-from-ctor-realm-array.js": "FAIL",
@@ -2387,7 +2382,6 @@
   "built-ins/Object/defineProperty/15.2.3.6-4-589.js": "CRASH",
   "built-ins/Object/defineProperty/15.2.3.6-4-591.js": "CRASH",
   "built-ins/Object/defineProperty/15.2.3.6-4-596.js": "CRASH",
-  "built-ins/Object/defineProperty/coerced-P-grow.js": "CRASH",
   "built-ins/Object/defineProperty/typedarray-backed-by-resizable-buffer.js": "CRASH",
   "built-ins/Object/freeze/15.2.3.9-2-d-6.js": "CRASH",
   "built-ins/Object/freeze/15.2.3.9-2-d-7.js": "CRASH",
@@ -9575,8 +9569,6 @@
   "built-ins/TypedArray/of/not-a-constructor.js": "FAIL",
   "built-ins/TypedArray/of/prop-desc.js": "FAIL",
   "built-ins/TypedArray/of/resized-with-out-of-bounds-and-in-bounds-indices.js": "CRASH",
-  "built-ins/TypedArray/out-of-bounds-get-and-set.js": "CRASH",
-  "built-ins/TypedArray/prototype/at/resizable-buffer.js": "CRASH",
   "built-ins/TypedArray/prototype/byteLength/resized-out-of-bounds-1.js": "CRASH",
   "built-ins/TypedArray/prototype/byteLength/resized-out-of-bounds-2.js": "CRASH",
   "built-ins/TypedArray/prototype/byteOffset/resized-out-of-bounds.js": "CRASH",
@@ -9637,7 +9629,6 @@
   "built-ins/TypedArray/prototype/copyWithin/this-is-not-object.js": "CRASH",
   "built-ins/TypedArray/prototype/copyWithin/this-is-not-typedarray-instance.js": "CRASH",
   "built-ins/TypedArray/prototype/copyWithin/undefined-end.js": "CRASH",
-  "built-ins/TypedArray/prototype/entries/resizable-buffer-grow-mid-iteration.js": "CRASH",
   "built-ins/TypedArray/prototype/entries/resizable-buffer.js": "CRASH",
   "built-ins/TypedArray/prototype/every/BigInt/callbackfn-set-value-during-interaction.js": "CRASH",
   "built-ins/TypedArray/prototype/every/resizable-buffer.js": "CRASH",

tests/metrics.json

@@ -1,8 +1,8 @@
 {
   "results": {
     "crash": 13145,
-    "fail": 9061,
-    "pass": 24530,
+    "fail": 9052,
+    "pass": 24539,
     "skip": 65,
     "timeout": 0,
     "unresolved": 0