Changeset 208699 in webkit

Timestamp:

Nov 14, 2016, 11:42:41 AM (9 years ago)

Author:

mark.lam@apple.com

Message:

Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
​https://bugs.webkit.org/show_bug.cgi?id=164701
<rdar://problem/27462104>

Reviewed by Darin Adler.

JSTests:

• stress/string-prototype-charCodeAt-on-too-long-rope.js: Added.

Source/JavaScriptCore:

The characters8(), characters16(), and operator[] in JSString::SafeView converts
the underlying JSString to a StringView via get(), and then uses the StringView
without first checking if an exception was thrown during the conversion. This is
unsafe because the conversion may have failed.

Instead, we should remove these 3 convenience methods, and make the caller
explicitly call get() and do the appropriate exception checks before using the
StringView.

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::toStringView):
(JSC::encode):
(JSC::decode):
(JSC::globalFuncParseInt):
(JSC::globalFuncEscape):
(JSC::globalFuncUnescape):
(JSC::toSafeView): Deleted.

• runtime/JSONObject.cpp:

(JSC::JSONProtoFuncParse):

• runtime/JSString.h:

(JSC::JSString::SafeView::length):
(JSC::JSString::SafeView::characters8): Deleted.
(JSC::JSString::SafeView::characters16): Deleted.
(JSC::JSString::SafeView::operator[]): Deleted.

• runtime/StringPrototype.cpp:

(JSC::stringProtoFuncRepeatCharacter):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncNormalize):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/string-prototype-charCodeAt-on-too-long-rope.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSONObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringPrototype.cpp (modified) (6 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-11-14  Mark Lam  <mark.lam@apple.com>
+
+        Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
+        https://bugs.webkit.org/show_bug.cgi?id=164701
+        <rdar://problem/27462104>
+
+        Reviewed by Darin Adler.
+
+        * stress/string-prototype-charCodeAt-on-too-long-rope.js: Added.
+
 2016-11-14  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-11-14  Mark Lam  <mark.lam@apple.com>
+
+        Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
+        https://bugs.webkit.org/show_bug.cgi?id=164701
+        <rdar://problem/27462104>
+
+        Reviewed by Darin Adler.
+
+        The characters8(), characters16(), and operator[] in JSString::SafeView converts
+        the underlying JSString to a StringView via get(), and then uses the StringView
+        without first checking if an exception was thrown during the conversion.  This is
+        unsafe because the conversion may have failed.
+        
+        Instead, we should remove these 3 convenience methods, and make the caller
+        explicitly call get() and do the appropriate exception checks before using the
+        StringView.
+
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::toStringView):
+        (JSC::encode):
+        (JSC::decode):
+        (JSC::globalFuncParseInt):
+        (JSC::globalFuncEscape):
+        (JSC::globalFuncUnescape):
+        (JSC::toSafeView): Deleted.
+        * runtime/JSONObject.cpp:
+        (JSC::JSONProtoFuncParse):
+        * runtime/JSString.h:
+        (JSC::JSString::SafeView::length):
+        (JSC::JSString::SafeView::characters8): Deleted.
+        (JSC::JSString::SafeView::characters16): Deleted.
+        (JSC::JSString::SafeView::operator[]): Deleted.
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncRepeatCharacter):
+        (JSC::stringProtoFuncCharAt):
+        (JSC::stringProtoFuncCharCodeAt):
+        (JSC::stringProtoFuncNormalize):
+
 2016-11-14  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -58 +58 @@
 
 template<typename CallbackWhenNoException>
-static ALWAYS_INLINE typename std::result_of<CallbackWhenNoException(JSString::SafeView&)>::type toSafeView(ExecState* exec, JSValue value, CallbackWhenNoException callback)
-{
+static ALWAYS_INLINE typename std::result_of<CallbackWhenNoException(StringView)>::type toStringView(ExecState* exec, JSValue value, CallbackWhenNoException callback)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSString* string = value.toStringOrNull(exec);
     if (UNLIKELY(!string))
         return { };
     JSString::SafeView view = string->view(exec);
-    return callback(view);
+    StringView stringView = view.get();
+    RETURN_IF_EXCEPTION(scope, { });
+    return callback(stringView);
 }
 
@@ -159 +163 @@
 static JSValue encode(ExecState* exec, const Bitmap<256>& doNotEscape)
 {
-    return toSafeView(exec, exec->argument(0), [&] (JSString::SafeView& view) {
+    return toStringView(exec, exec->argument(0), [&] (StringView view) {
         if (view.is8Bit())
             return encode(exec, doNotEscape, view.characters8(), view.length());
@@ -237 +241 @@
 static JSValue decode(ExecState* exec, const Bitmap<256>& doNotUnescape, bool strict)
 {
-    return toSafeView(exec, exec->argument(0), [&] (JSString::SafeView& view) {
+    return toStringView(exec, exec->argument(0), [&] (StringView view) {
         if (view.is8Bit())
             return decode(exec, view.characters8(), view.length(), doNotUnescape, strict);
@@ -708 +712 @@
 
     // If ToString throws, we shouldn't call ToInt32.
-    return toSafeView(exec, value, [&] (JSString::SafeView& view) {
-        return JSValue::encode(jsNumber(parseInt(view.get(), radixValue.toInt32(exec))));
+    return toStringView(exec, value, [&] (StringView view) {
+        return JSValue::encode(jsNumber(parseInt(view, radixValue.toInt32(exec))));
     });
 }
@@ -766 +770 @@
     );
 
-    return JSValue::encode(toSafeView(exec, exec->argument(0), [&] (JSString::SafeView& view) {
+    return JSValue::encode(toStringView(exec, exec->argument(0), [&] (StringView view) {
         JSStringBuilder builder;
         if (view.is8Bit()) {
@@ -805 +809 @@
 EncodedJSValue JSC_HOST_CALL globalFuncUnescape(ExecState* exec)
 {
-    return JSValue::encode(toSafeView(exec, exec->argument(0), [&] (JSString::SafeView& view) {
+    return JSValue::encode(toStringView(exec, exec->argument(0), [&] (StringView view) {
         StringBuilder builder;
         int k = 0;

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -764 +764 @@
     JSString::SafeView source = exec->uncheckedArgument(0).toString(exec)->view(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    StringView view = source.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     JSValue unfiltered;
     LocalScope localScope(vm);
-    if (source.is8Bit()) {
-        LiteralParser<LChar> jsonParser(exec, source.characters8(), source.length(), StrictJSON);
+    if (view.is8Bit()) {
+        LiteralParser<LChar> jsonParser(exec, view.characters8(), view.length(), StrictJSON);
         unfiltered = jsonParser.tryLiteralParse();
         if (!unfiltered)
             return throwVMError(exec, scope, createSyntaxError(exec, jsonParser.getErrorMessage()));
     } else {
-        LiteralParser<UChar> jsonParser(exec, source.characters16(), source.length(), StrictJSON);
+        LiteralParser<UChar> jsonParser(exec, view.characters16(), view.length(), StrictJSON);
         unfiltered = jsonParser.tryLiteralParse();
         if (!unfiltered)

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -483 +483 @@
     bool is8Bit() const { return m_string->is8Bit(); }
     unsigned length() const { return m_string->length(); }
-    const LChar* characters8() const { return get().characters8(); }
-    const UChar* characters16() const { return get().characters16(); }
-    UChar operator[](unsigned index) const { return get()[index]; }
 
 private:

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -792 +792 @@
 EncodedJSValue JSC_HOST_CALL stringProtoFuncRepeatCharacter(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     // For a string which length is single, instead of creating ropes,
     // allocating a sequential buffer and fill with the repeated string for efficiency.
@@ -803 +806 @@
     RELEASE_ASSERT(repeatCountValue.isNumber());
     int32_t repeatCount;
-    {
-        VM& vm = exec->vm();
-        auto scope = DECLARE_THROW_SCOPE(vm);
-        double value = repeatCountValue.asNumber();
-        if (value > JSString::MaxLength)
-            return JSValue::encode(throwOutOfMemoryError(exec, scope));
-        repeatCount = static_cast<int32_t>(value);
-    }
+    double value = repeatCountValue.asNumber();
+    if (value > JSString::MaxLength)
+        return JSValue::encode(throwOutOfMemoryError(exec, scope));
+    repeatCount = static_cast<int32_t>(value);
     ASSERT(repeatCount >= 0);
     ASSERT(!repeatCountValue.isDouble() || repeatCountValue.asDouble() == repeatCount);
 
-    UChar character = string->view(exec)[0];
+    JSString::SafeView safeView = string->view(exec);
+    StringView view = safeView.get();
+    ASSERT(view.length() == 1 && !scope.exception());
+    UChar character = view[0];
+    scope.release();
     if (!(character & ~0xff))
         return JSValue::encode(repeatCharacter(*exec, static_cast<LChar>(character), repeatCount));
@@ -905 +908 @@
         return throwVMTypeError(exec, scope);
     JSString::SafeView string = thisValue.toString(exec)->view(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    StringView view = string.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSValue a0 = exec->argument(0);
     if (a0.isUInt32()) {
         uint32_t i = a0.asUInt32();
-        if (i < string.length())
-            return JSValue::encode(jsSingleCharacterString(exec, string[i]));
+        if (i < view.length())
+            return JSValue::encode(jsSingleCharacterString(exec, view[i]));
         return JSValue::encode(jsEmptyString(exec));
     }
     double dpos = a0.toInteger(exec);
-    if (dpos >= 0 && dpos < string.length())
-        return JSValue::encode(jsSingleCharacterString(exec, string[static_cast<unsigned>(dpos)]));
+    if (dpos >= 0 && dpos < view.length())
+        return JSValue::encode(jsSingleCharacterString(exec, view[static_cast<unsigned>(dpos)]));
     return JSValue::encode(jsEmptyString(exec));
 }
@@ -926 +932 @@
     if (!checkObjectCoercible(thisValue))
         return throwVMTypeError(exec, scope);
-    JSString::SafeView string = thisValue.toString(exec)->view(exec);
+    JSString* jsString = thisValue.toString(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSString::SafeView string = jsString->view(exec);
+    StringView view = string.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSValue a0 = exec->argument(0);
     if (a0.isUInt32()) {
         uint32_t i = a0.asUInt32();
-        if (i < string.length())
-            return JSValue::encode(jsNumber(string[i]));
+        if (i < view.length())
+            return JSValue::encode(jsNumber(view[i]));
         return JSValue::encode(jsNaN());
     }
     double dpos = a0.toInteger(exec);
-    if (dpos >= 0 && dpos < string.length())
-        return JSValue::encode(jsNumber(string[static_cast<int>(dpos)]));
+    if (dpos >= 0 && dpos < view.length())
+        return JSValue::encode(jsNumber(view[static_cast<int>(dpos)]));
     return JSValue::encode(jsNaN());
 }
@@ -2009 +2019 @@
     JSString::SafeView source = thisValue.toString(exec)->view(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    StringView view = source.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     UNormalizationMode form = UNORM_NFC;
@@ -2028 +2040 @@
     }
 
-    return JSValue::encode(normalize(exec, source.get().upconvertedCharacters(), source.length(), form));
+    return JSValue::encode(normalize(exec, view.upconvertedCharacters(), view.length(), form));
 }