Changeset 207849 in webkit

Timestamp:

Oct 25, 2016 3:19:37 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
​https://bugs.webkit.org/show_bug.cgi?id=163937
<rdar://problem/28642990>

Reviewed by Geoffrey Garen.

JSTests:

• stress/joined-strings-should-not-exceed-max-string-length.js: Added.

Source/JavaScriptCore:

JSStringJoiner::joinedLength() was previously limiting it to UINT_MAX. This is
inconsistent with other parts of string code which expects a max length of INT_MAX.
This is now fixed.

Also fixed jsMakeNontrivialString() to ensure that the resultant string length
is valid. It was previously allowing lengths greater than INT_MAX. This was
caught by the new assertion in JSString::setLength().

There are already pre-existing assertions in various JSString::finishCreation()
which do RELEASE_ASSERTs on the string length. To be consistent, I'm making the
assertion in JSString::setLength() a RELEASE_ASSERT. If this proves to be a
performance issue, I'll change this to a debug ASSERT later.

• runtime/JSString.cpp:

(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal8NoSubstring):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::resolveRopeInternal16NoSubstring):
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::JSString::finishCreation):
(JSC::JSString::length):
(JSC::JSString::isValidLength):
(JSC::JSString::toBoolean):
(JSC::JSString::canGetIndex):
(JSC::JSString::setLength):
(JSC::JSString::getStringPropertySlot):
(JSC::JSRopeString::unsafeView):
(JSC::JSRopeString::viewWithUnderlyingString):

• runtime/JSStringBuilder.h:

(JSC::jsMakeNontrivialString):

• runtime/JSStringJoiner.cpp:

(JSC::JSStringJoiner::joinedLength):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/joined-strings-should-not-exceed-max-string-length.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.cpp (modified) (14 diffs)
• Source/JavaScriptCore/runtime/JSString.h (modified) (17 diffs)
• Source/JavaScriptCore/runtime/JSStringBuilder.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSStringJoiner.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-10-25  Mark Lam  <mark.lam@apple.com>
+
+        JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
+        https://bugs.webkit.org/show_bug.cgi?id=163937
+        <rdar://problem/28642990>
+
+        Reviewed by Geoffrey Garen.
+
+        * stress/joined-strings-should-not-exceed-max-string-length.js: Added.
+
 2016-10-25  JF Bastien  <jfbastien@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-25  Mark Lam  <mark.lam@apple.com>
+
+        JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
+        https://bugs.webkit.org/show_bug.cgi?id=163937
+        <rdar://problem/28642990>
+
+        Reviewed by Geoffrey Garen.
+
+        JSStringJoiner::joinedLength() was previously limiting it to UINT_MAX.  This is
+        inconsistent with other parts of string code which expects a max length of INT_MAX.
+        This is now fixed.
+
+        Also fixed jsMakeNontrivialString() to ensure that the resultant string length
+        is valid.  It was previously allowing lengths greater than INT_MAX.  This was
+        caught by the new assertion in JSString::setLength().
+
+        There are already pre-existing assertions in various JSString::finishCreation()
+        which do RELEASE_ASSERTs on the string length.  To be consistent, I'm making the
+        assertion in JSString::setLength() a RELEASE_ASSERT.  If this proves to be a
+        performance issue, I'll change this to a debug ASSERT later.
+
+        * runtime/JSString.cpp:
+        (JSC::JSRopeString::resolveRopeInternal8):
+        (JSC::JSRopeString::resolveRopeInternal8NoSubstring):
+        (JSC::JSRopeString::resolveRopeInternal16):
+        (JSC::JSRopeString::resolveRopeInternal16NoSubstring):
+        (JSC::JSRopeString::resolveRopeToAtomicString):
+        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
+        (JSC::JSRopeString::resolveRope):
+        (JSC::JSRopeString::resolveRopeSlowCase8):
+        (JSC::JSRopeString::resolveRopeSlowCase):
+        (JSC::JSString::getStringPropertyDescriptor):
+        * runtime/JSString.h:
+        (JSC::JSString::finishCreation):
+        (JSC::JSString::length):
+        (JSC::JSString::isValidLength):
+        (JSC::JSString::toBoolean):
+        (JSC::JSString::canGetIndex):
+        (JSC::JSString::setLength):
+        (JSC::JSString::getStringPropertySlot):
+        (JSC::JSRopeString::unsafeView):
+        (JSC::JSRopeString::viewWithUnderlyingString):
+        * runtime/JSStringBuilder.h:
+        (JSC::jsMakeNontrivialString):
+        * runtime/JSStringJoiner.cpp:
+        (JSC::JSStringJoiner::joinedLength):
+
 2016-10-25  JF Bastien  <jfbastien@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -121 +121 @@
     if (isSubstring()) {
         StringImpl::copyChars(
-            buffer, substringBase()->m_value.characters8() + substringOffset(), m_length);
+            buffer, substringBase()->m_value.characters8() + substringOffset(), length());
         return;
     }
@@ -144 +144 @@
         position += length;
     }
-    ASSERT((buffer + m_length) == position);
+    ASSERT((buffer + length()) == position);
 }
 
@@ -151 +151 @@
     if (isSubstring()) {
         StringImpl::copyChars(
-            buffer, substringBase()->m_value.characters16() + substringOffset(), m_length);
+            buffer, substringBase()->m_value.characters16() + substringOffset(), length());
         return;
     }
@@ -177 +177 @@
         position += length;
     }
-    ASSERT((buffer + m_length) == position);
+    ASSERT((buffer + length()) == position);
 }
 
 void JSRopeString::resolveRopeToAtomicString(ExecState* exec) const
 {
-    if (m_length > maxLengthForOnStackResolve) {
+    if (length() > maxLengthForOnStackResolve) {
         resolveRope(exec);
         m_value = AtomicString(m_value);
@@ -192 +192 @@
         LChar buffer[maxLengthForOnStackResolve];
         resolveRopeInternal8(buffer);
-        m_value = AtomicString(buffer, m_length);
+        m_value = AtomicString(buffer, length());
         setIs8Bit(m_value.impl()->is8Bit());
     } else {
         UChar buffer[maxLengthForOnStackResolve];
         resolveRopeInternal16(buffer);
-        m_value = AtomicString(buffer, m_length);
+        m_value = AtomicString(buffer, length());
         setIs8Bit(m_value.impl()->is8Bit());
     }
@@ -216 +216 @@
 RefPtr<AtomicStringImpl> JSRopeString::resolveRopeToExistingAtomicString(ExecState* exec) const
 {
-    if (m_length > maxLengthForOnStackResolve) {
+    if (length() > maxLengthForOnStackResolve) {
         resolveRope(exec);
         if (RefPtr<AtomicStringImpl> existingAtomicString = AtomicStringImpl::lookUp(m_value.impl())) {
@@ -230 +230 @@
         LChar buffer[maxLengthForOnStackResolve];
         resolveRopeInternal8(buffer);
-        if (RefPtr<AtomicStringImpl> existingAtomicString = AtomicStringImpl::lookUp(buffer, m_length)) {
+        if (RefPtr<AtomicStringImpl> existingAtomicString = AtomicStringImpl::lookUp(buffer, length())) {
             m_value = *existingAtomicString;
             setIs8Bit(m_value.impl()->is8Bit());
@@ -239 +239 @@
         UChar buffer[maxLengthForOnStackResolve];
         resolveRopeInternal16(buffer);
-        if (RefPtr<AtomicStringImpl> existingAtomicString = AtomicStringImpl::lookUp(buffer, m_length)) {
+        if (RefPtr<AtomicStringImpl> existingAtomicString = AtomicStringImpl::lookUp(buffer, length())) {
             m_value = *existingAtomicString;
             setIs8Bit(m_value.impl()->is8Bit());
@@ -256 +256 @@
     if (isSubstring()) {
         ASSERT(!substringBase()->isRope());
-        m_value = substringBase()->m_value.substringSharingImpl(substringOffset(), m_length);
+        m_value = substringBase()->m_value.substringSharingImpl(substringOffset(), length());
         substringBase().clear();
         return;
@@ -263 +263 @@
     if (is8Bit()) {
         LChar* buffer;
-        if (auto newImpl = StringImpl::tryCreateUninitialized(m_length, buffer)) {
+        if (auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer)) {
             Heap::heap(this)->reportExtraMemoryAllocated(newImpl->cost());
             m_value = WTFMove(newImpl);
@@ -277 +277 @@
 
     UChar* buffer;
-    if (auto newImpl = StringImpl::tryCreateUninitialized(m_length, buffer)) {
+    if (auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer)) {
         Heap::heap(this)->reportExtraMemoryAllocated(newImpl->cost());
         m_value = WTFMove(newImpl);
@@ -302 +302 @@
 void JSRopeString::resolveRopeSlowCase8(LChar* buffer) const
 {
-    LChar* position = buffer + m_length; // We will be working backwards over the rope.
+    LChar* position = buffer + length(); // We will be working backwards over the rope.
     Vector<JSString*, 32, UnsafeVectorOverflow> workQueue; // Putting strings into a Vector is only OK because there are no GC points in this method.
     
@@ -338 +338 @@
 void JSRopeString::resolveRopeSlowCase(UChar* buffer) const
 {
-    UChar* position = buffer + m_length; // We will be working backwards over the rope.
+    UChar* position = buffer + length(); // We will be working backwards over the rope.
     Vector<JSString*, 32, UnsafeVectorOverflow> workQueue; // These strings are kept alive by the parent rope, so using a Vector is OK.
 
@@ -431 +431 @@
 {
     if (propertyName == exec->propertyNames().length) {
-        descriptor.setDescriptor(jsNumber(m_length), DontEnum | DontDelete | ReadOnly);
+        descriptor.setDescriptor(jsNumber(length()), DontEnum | DontDelete | ReadOnly);
         return true;
     }
     
     Optional<uint32_t> index = parseIndex(propertyName);
-    if (index && index.value() < m_length) {
+    if (index && index.value() < length()) {
         descriptor.setDescriptor(getIndex(exec, index.value()), DontDelete | ReadOnly);
         return true;

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -107 +107 @@
         ASSERT(!m_value.isNull());
         Base::finishCreation(vm);
-        m_length = length;
+        setLength(length);
         setIs8Bit(m_value.impl()->is8Bit());
     }
@@ -115 +115 @@
         ASSERT(!m_value.isNull());
         Base::finishCreation(vm);
-        m_length = length;
+        setLength(length);
         setIs8Bit(m_value.impl()->is8Bit());
         Heap::heap(this)->reportExtraMemoryAllocated(cost);
@@ -124 +124 @@
     {
         Base::finishCreation(vm);
-        m_length = 0;
+        setLength(0);
         setIs8Bit(true);
     }
@@ -159 +159 @@
     const String& tryGetValue() const;
     const StringImpl* tryGetValueImpl() const;
-    unsigned length() const { return m_length; }
+    ALWAYS_INLINE unsigned length() const { return m_length; }
+    ALWAYS_INLINE static bool isValidLength(size_t length)
+    {
+        // While length is of type unsigned, the runtime and compilers are all
+        // expecting that m_length is a positive value <= INT_MAX.
+        // FIXME: Look into making the max length UINT_MAX to match StringImpl's max length.
+        // https://bugs.webkit.org/show_bug.cgi?id=163955
+        return length <= std::numeric_limits<int32_t>::max();
+    }
 
     JSValue toPrimitive(ExecState*, PreferredPrimitiveType) const;
-    bool toBoolean() const { return !!m_length; }
+    bool toBoolean() const { return !!length(); }
     bool getPrimitiveNumber(ExecState*, double& number, JSValue&) const;
     JSObject* toObject(ExecState*, JSGlobalObject*) const;
@@ -171 +179 @@
     bool getStringPropertyDescriptor(ExecState*, PropertyName, PropertyDescriptor&);
 
-    bool canGetIndex(unsigned i) { return i < m_length; }
+    bool canGetIndex(unsigned i) { return i < length(); }
     JSString* getIndex(ExecState*, unsigned);
 
@@ -205 +213 @@
     }
 
+    ALWAYS_INLINE void setLength(unsigned length)
+    {
+        RELEASE_ASSERT(isValidLength(length));
+        m_length = length;
+    }
+
+private:
     mutable unsigned m_flags;
 
@@ -211 +226 @@
     mutable String m_value;
 
-private:
     friend class LLIntOffsetsExtractor;
 
@@ -258 +272 @@
         }
 
-        unsigned length() const { return m_jsString->m_length; }
+        unsigned length() const { return m_jsString->length(); }
 
     private:
@@ -278 +292 @@
         Base::finishCreation(vm);
         ASSERT(!sumOverflows<int32_t>(s1->length(), s2->length()));
-        m_length = s1->length() + s2->length();
+        setLength(s1->length() + s2->length());
         setIs8Bit(s1->is8Bit() && s2->is8Bit());
         setIsSubstring(false);
@@ -290 +304 @@
         Base::finishCreation(vm);
         ASSERT(!sumOverflows<int32_t>(s1->length(), s2->length(), s3->length()));
-        m_length = s1->length() + s2->length() + s3->length();
+        setLength(s1->length() + s2->length() + s3->length());
         setIs8Bit(s1->is8Bit() && s2->is8Bit() &&  s3->is8Bit());
         setIsSubstring(false);
@@ -303 +317 @@
         RELEASE_ASSERT(!sumOverflows<int32_t>(offset, length));
         RELEASE_ASSERT(offset + length <= base->length());
-        m_length = length;
+        setLength(length);
         setIs8Bit(base->is8Bit());
         setIsSubstring(true);
@@ -327 +341 @@
         RELEASE_ASSERT(!sumOverflows<int32_t>(offset, length));
         RELEASE_ASSERT(offset + length <= base->length());
-        m_length = length;
+        setLength(length);
         setIs8Bit(base->is8Bit());
         setIsSubstring(true);
@@ -346 +360 @@
     {
         fiber(index).set(vm, this, jsString);
-        m_length += jsString->m_length;
-        RELEASE_ASSERT(static_cast<int32_t>(m_length) >= 0);
+        setLength(length() + jsString->length());
         setIs8Bit(is8Bit() && jsString->is8Bit());
     }
@@ -675 +688 @@
 {
     if (propertyName == exec->propertyNames().length) {
-        slot.setValue(this, DontEnum | DontDelete | ReadOnly, jsNumber(m_length));
+        slot.setValue(this, DontEnum | DontDelete | ReadOnly, jsNumber(length()));
         return true;
     }
 
     Optional<uint32_t> index = parseIndex(propertyName);
-    if (index && index.value() < m_length) {
+    if (index && index.value() < length()) {
         slot.setValue(this, DontDelete | ReadOnly, getIndex(exec, index.value()));
         return true;
@@ -690 +703 @@
 ALWAYS_INLINE bool JSString::getStringPropertySlot(ExecState* exec, unsigned propertyName, PropertySlot& slot)
 {
-    if (propertyName < m_length) {
+    if (propertyName < length()) {
         slot.setValue(this, DontDelete | ReadOnly, getIndex(exec, propertyName));
         return true;
@@ -712 +725 @@
     if (isSubstring()) {
         if (is8Bit())
-            return StringView(substringBase()->m_value.characters8() + substringOffset(), m_length);
-        return StringView(substringBase()->m_value.characters16() + substringOffset(), m_length);
+            return StringView(substringBase()->m_value.characters8() + substringOffset(), length());
+        return StringView(substringBase()->m_value.characters16() + substringOffset(), length());
     }
     resolveRope(&state);
@@ -724 +737 @@
         auto& base = substringBase()->m_value;
         if (is8Bit())
-            return { { base.characters8() + substringOffset(), m_length }, base };
-        return { { base.characters16() + substringOffset(), m_length }, base };
+            return { { base.characters8() + substringOffset(), length() }, base };
+        return { { base.characters16() + substringOffset(), length() }, base };
     }
     resolveRope(&state);

trunk/Source/JavaScriptCore/runtime/JSStringBuilder.h

@@ -132 +132 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     String result = WTF::tryMakeString(string, strings...);
-    if (!result)
+    if (UNLIKELY(!result || !JSString::isValidLength(result.length())))
         return throwOutOfMemoryError(exec, scope);
     return jsNontrivialString(exec, WTFMove(result));

trunk/Source/JavaScriptCore/runtime/JSStringJoiner.cpp

@@ -89 +89 @@
         return 0;
 
-    Checked<unsigned, RecordOverflow> separatorLength = m_separator.length();
-    Checked<unsigned, RecordOverflow> totalSeparatorsLength = separatorLength * (numberOfStrings - 1);
-    Checked<unsigned, RecordOverflow> totalLength = totalSeparatorsLength + m_accumulatedStringsLength;
+    Checked<int32_t, RecordOverflow> separatorLength = m_separator.length();
+    Checked<int32_t, RecordOverflow> totalSeparatorsLength = separatorLength * (numberOfStrings - 1);
+    Checked<int32_t, RecordOverflow> totalLength = totalSeparatorsLength + m_accumulatedStringsLength;
 
-    unsigned result;
+    int32_t result;
     if (totalLength.safeGet(result) == CheckedState::DidOverflow) {
         throwOutOfMemoryError(&state, scope);