Changeset 236804 in webkit

Timestamp:

Oct 3, 2018 11:28:55 AM (6 years ago)

Author:

mark.lam@apple.com

Message:

Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
​https://bugs.webkit.org/show_bug.cgi?id=190187
<rdar://problem/42512909>

Reviewed by Michael Saboff.

JSTests:

• stress/regress-190187.js: Added.

Source/JavaScriptCore:

Allowing different max string lengths at each level opens up opportunities for
bugs to creep in. With 2 different max length values, it is more difficult to
keep the story straight on how we do overflow / bounds checks at each place in
the code. It's also difficult to tell if a seemingly valid check at the WTF level
will have bad ramifications at the JSC level. Also, it's also not meaningful to
support a max length > INT_MAX. To eliminate this class of bugs, we'll
standardize on a MaxLength of INT_MAX at all levels.

We'll also standardize the way we do length overflow checks on using
CheckedArithmetic, and add some asserts to document the assumptions of the code.

• runtime/FunctionConstructor.cpp:

(JSC::constructFunctionSkippingEvalEnabledCheck):

• Fix OOM error handling which crashed a test after the new MaxLength was applied.
• runtime/JSString.h:

(JSC::JSString::finishCreation):
(JSC::JSString::createHasOtherOwner):
(JSC::JSString::setLength):

• runtime/JSStringInlines.h:

(JSC::jsMakeNontrivialString):

• runtime/Operations.h:

(JSC::jsString):

Source/WTF:

• wtf/text/StringConcatenate.h:

(WTF::tryMakeStringFromAdapters):
(WTF::sumWithOverflow): Deleted.

• wtf/text/StringImpl.h:
• wtf/text/WTFString.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/regress-190187.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSStringInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Operations.h (modified) (5 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/text/StringConcatenate.h (modified) (5 diffs)
• Source/WTF/wtf/text/StringImpl.h (modified) (3 diffs)
• Source/WTF/wtf/text/WTFString.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-10-03  Mark Lam  <mark.lam@apple.com>
+
+        Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
+        https://bugs.webkit.org/show_bug.cgi?id=190187
+        <rdar://problem/42512909>
+
+        Reviewed by Michael Saboff.
+
+        * stress/regress-190187.js: Added.
+
 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-10-03  Mark Lam  <mark.lam@apple.com>
+
+        Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
+        https://bugs.webkit.org/show_bug.cgi?id=190187
+        <rdar://problem/42512909>
+
+        Reviewed by Michael Saboff.
+
+        Allowing different max string lengths at each level opens up opportunities for
+        bugs to creep in.  With 2 different max length values, it is more difficult to
+        keep the story straight on how we do overflow / bounds checks at each place in
+        the code.  It's also difficult to tell if a seemingly valid check at the WTF level
+        will have bad ramifications at the JSC level.  Also, it's also not meaningful to
+        support a max length > INT_MAX.  To eliminate this class of bugs, we'll
+        standardize on a MaxLength of INT_MAX at all levels.
+
+        We'll also standardize the way we do length overflow checks on using
+        CheckedArithmetic, and add some asserts to document the assumptions of the code.
+
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+        - Fix OOM error handling which crashed a test after the new MaxLength was applied.
+        * runtime/JSString.h:
+        (JSC::JSString::finishCreation):
+        (JSC::JSString::createHasOtherOwner):
+        (JSC::JSString::setLength):
+        * runtime/JSStringInlines.h:
+        (JSC::jsMakeNontrivialString):
+        * runtime/Operations.h:
+        (JSC::jsString):
+
 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
 

trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp

@@ -145 +145 @@
             // The spec mandates that the parameters parse as a valid parameter list
             // independent of the function body.
-            String program = makeString("(", prefix, "(", parameterBuilder.toString(), "){\n\n})");
+            String program = tryMakeString("(", prefix, "(", parameterBuilder.toString(), "){\n\n})");
+            if (UNLIKELY(!program)) {
+                throwOutOfMemoryError(exec, scope);
+                return nullptr;
+            }
             SourceCode source = makeSource(program, sourceOrigin, sourceURL, position);
             JSValue exception;

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -96 +96 @@
     }
     
-    static const unsigned MaxLength = std::numeric_limits<int32_t>::max();
-    
+    // We employ overflow checks in many places with the assumption that MaxLength
+    // is INT_MAX. Hence, it cannot be changed into another length value without
+    // breaking all the bounds and overflow checks that assume this.
+    static constexpr unsigned MaxLength = std::numeric_limits<int32_t>::max();
+    static_assert(MaxLength == String::MaxLength, "");
+
 private:
     JSString(VM& vm, Ref<StringImpl>&& value)
@@ -110 +114 @@
     }
 
-    void finishCreation(VM& vm, size_t length)
+    void finishCreation(VM& vm, unsigned length)
     {
         ASSERT(!m_value.isNull());
@@ -118 +122 @@
     }
 
-    void finishCreation(VM& vm, size_t length, size_t cost)
+    void finishCreation(VM& vm, unsigned length, size_t cost)
     {
         ASSERT(!m_value.isNull());
@@ -146 +150 @@
     static JSString* createHasOtherOwner(VM& vm, Ref<StringImpl>&& value)
     {
-        size_t length = value->length();
+        unsigned length = value->length();
         JSString* newString = new (NotNull, allocateCell<JSString>(vm.heap)) JSString(vm, WTFMove(value));
         newString->finishCreation(vm, length);
@@ -210 +214 @@
     ALWAYS_INLINE void setLength(unsigned length)
     {
+        ASSERT(length <= MaxLength);
         m_length = length;
     }
@@ -256 +261 @@
             if (m_index == JSRopeString::s_maxInternalRopeLength)
                 expand();
-            if (static_cast<int32_t>(m_jsString->length() + jsString->length()) < 0) {
+
+            static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
+            auto sum = checkedSum<int32_t>(m_jsString->length(), jsString->length());
+            if (sum.hasOverflowed()) {
                 this->overflowed();
                 return false;
             }
+            ASSERT(static_cast<unsigned>(sum.unsafeGet()) <= MaxLength);
             m_jsString->append(m_vm, m_index++, jsString);
             return true;

trunk/Source/JavaScriptCore/runtime/JSStringInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -51 +51 @@
     if (UNLIKELY(!result))
         return throwOutOfMemoryError(exec, scope);
+    ASSERT(result.length() <= JSString::MaxLength);
     return jsNontrivialString(exec, WTFMove(result));
 }

trunk/Source/JavaScriptCore/runtime/Operations.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2002-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2002-2018 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -43 +43 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    int32_t length1 = s1->length();
+    unsigned length1 = s1->length();
     if (!length1)
         return s2;
-    int32_t length2 = s2->length();
+    unsigned length2 = s2->length();
     if (!length2)
         return s1;
+    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
     if (sumOverflows<int32_t>(length1, length2)) {
         throwOutOfMemoryError(exec, scope);
@@ -62 +63 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    int32_t length1 = s1->length();
+    unsigned length1 = s1->length();
     if (!length1)
         RELEASE_AND_RETURN(scope, jsString(exec, s2, s3));
 
-    int32_t length2 = s2->length();
+    unsigned length2 = s2->length();
     if (!length2)
         RELEASE_AND_RETURN(scope, jsString(exec, s1, s3));
 
-    int32_t length3 = s3->length();
+    unsigned length3 = s3->length();
     if (!length3)
         RELEASE_AND_RETURN(scope, jsString(exec, s1, s2));
 
-
+    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
     if (sumOverflows<int32_t>(length1, length2, length3)) {
         throwOutOfMemoryError(exec, scope);
@@ -87 +88 @@
     auto scope = DECLARE_THROW_SCOPE(*vm);
 
-    int32_t length1 = u1.length();
-    int32_t length2 = u2.length();
-    int32_t length3 = u3.length();
-    
-    if (length1 < 0 || length2 < 0 || length3 < 0) {
-        throwOutOfMemoryError(exec, scope);
-        return nullptr;
-    }
-    
+    unsigned length1 = u1.length();
+    unsigned length2 = u2.length();
+    unsigned length3 = u3.length();
+    ASSERT(length1 <= JSString::MaxLength);
+    ASSERT(length2 <= JSString::MaxLength);
+    ASSERT(length3 <= JSString::MaxLength);
+
     if (!length1)
         RELEASE_AND_RETURN(scope, jsString(exec, jsString(vm, u2), jsString(vm, u3)));
@@ -105 +104 @@
         RELEASE_AND_RETURN(scope, jsString(exec, jsString(vm, u1), jsString(vm, u2)));
 
+    static_assert(JSString::MaxLength == std::numeric_limits<int32_t>::max(), "");
     if (sumOverflows<int32_t>(length1, length2, length3)) {
         throwOutOfMemoryError(exec, scope);

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2018-10-03  Mark Lam  <mark.lam@apple.com>
+
+        Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
+        https://bugs.webkit.org/show_bug.cgi?id=190187
+        <rdar://problem/42512909>
+
+        Reviewed by Michael Saboff.
+
+        * wtf/text/StringConcatenate.h:
+        (WTF::tryMakeStringFromAdapters):
+        (WTF::sumWithOverflow): Deleted.
+        * wtf/text/StringImpl.h:
+        * wtf/text/WTFString.h:
+
 2018-10-03  Michael Catanzaro  <mcatanzaro@igalia.com>
 

trunk/Source/WTF/wtf/text/StringConcatenate.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2010-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 
 #include <string.h>
+#include <wtf/CheckedArithmetic.h>
 
 #ifndef AtomicString_h
@@ -142 +143 @@
             ++length;
 
-        if (length > std::numeric_limits<unsigned>::max()) // FIXME this is silly https://bugs.webkit.org/show_bug.cgi?id=165790
-            CRASH();
-
+        RELEASE_ASSERT(length <= String::MaxLength);
         m_length = length;
     }
@@ -260 +259 @@
 };
 
-inline void sumWithOverflow(bool& overflow, unsigned& total, unsigned addend)
-{
-    unsigned oldTotal = total;
-    total = oldTotal + addend;
-    if (total < oldTotal)
-        overflow = true;
-}
-
-template<typename... Unsigned>
-inline void sumWithOverflow(bool& overflow, unsigned& total, unsigned addend, Unsigned ...addends)
-{
-    unsigned oldTotal = total;
-    total = oldTotal + addend;
-    if (total < oldTotal)
-        overflow = true;
-    sumWithOverflow(overflow, total, addends...);
-}
-
 template<typename Adapter>
 inline bool are8Bit(Adapter adapter)
@@ -306 +287 @@
 String tryMakeStringFromAdapters(StringTypeAdapter adapter, StringTypeAdapters ...adapters)
 {
-    bool overflow = false;
-    unsigned length = adapter.length();
-    sumWithOverflow(overflow, length, adapters.length()...);
-    if (overflow)
+    static_assert(String::MaxLength == std::numeric_limits<int32_t>::max(), "");
+    auto sum = checkedSum<int32_t>(adapter.length(), adapters.length()...);
+    if (sum.hasOverflowed())
         return String();
 
+    unsigned length = sum.unsafeGet();
+    ASSERT(length <= String::MaxLength);
     if (are8Bit(adapter, adapters...)) {
         LChar* buffer;

trunk/Source/WTF/wtf/text/StringImpl.h

@@ -1 +1 @@
 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
- * Copyright (C) 2005-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
@@ -131 +131 @@
 class StringImplShape {
     WTF_MAKE_NONCOPYABLE(StringImplShape);
+public:
+    static constexpr unsigned MaxLength = std::numeric_limits<int32_t>::max();
+
 protected:
     StringImplShape(unsigned refCount, unsigned length, const LChar*, unsigned hashAndFlags);
@@ -180 +183 @@
 public:
     enum BufferOwnership { BufferInternal, BufferOwned, BufferSubstring, BufferExternal };
+
+    static constexpr unsigned MaxLength = StringImplShape::MaxLength;
 
     // The bottom 6 bits in the hash are flags.

trunk/Source/WTF/wtf/text/WTFString.h

@@ -365 +365 @@
     // This is useful for clearing String-based caches.
     void clearImplIfNotShared();
+
+    static constexpr unsigned MaxLength = StringImpl::MaxLength;
 
 private: