Changeset 241991 in webkit

Timestamp:

Feb 23, 2019 10:15:41 AM (5 years ago)

Author:

mark.lam@apple.com

Message:

Add an exception check and some assertions in StringPrototype.cpp.
​https://bugs.webkit.org/show_bug.cgi?id=194962
<rdar://problem/48013416>

Reviewed by Yusuke Suzuki and Saam Barati.

Source/JavaScriptCore:

• runtime/StringPrototype.cpp:

(JSC::jsSpliceSubstrings):
(JSC::jsSpliceSubstringsWithSeparators):
(JSC::operationStringProtoFuncReplaceRegExpEmptyStr):

Source/WTF:

Add an AssertNoOverflow overflow handler which allows us to do CheckedArithmetic
for assertion purpose only on debug builds but sacrifices no performance on
release builds.

• wtf/CheckedArithmetic.h:

(WTF::AssertNoOverflow::overflowed):
(WTF::AssertNoOverflow::clearOverflow):
(WTF::AssertNoOverflow::crash):
(WTF::AssertNoOverflow::hasOverflowed const):
(WTF::observesOverflow):
(WTF::observesOverflow<AssertNoOverflow>):
(WTF::safeAdd):
(WTF::safeSub):
(WTF::safeMultiply):
(WTF::Checked::operator+=):
(WTF::Checked::operator-=):
(WTF::Checked::operator*=):
(WTF::operator+):
(WTF::operator-):
(WTF::operator*):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/runtime/StringPrototype.cpp (modified) (11 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/CheckedArithmetic.h (modified) (11 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-02-23  Mark Lam  <mark.lam@apple.com>
+
+        Add an exception check and some assertions in StringPrototype.cpp.
+        https://bugs.webkit.org/show_bug.cgi?id=194962
+        <rdar://problem/48013416>
+
+        Reviewed by Yusuke Suzuki and Saam Barati.
+
+        * runtime/StringPrototype.cpp:
+        (JSC::jsSpliceSubstrings):
+        (JSC::jsSpliceSubstringsWithSeparators):
+        (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
+
 2019-02-23  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  *  Copyright (C) 2009 Torch Mobile, Inc.
  *  Copyright (C) 2015 Jordan Harband (ljharb@gmail.com)
@@ -325 +325 @@
     }
 
-    int totalLength = 0;
+    // We know that the sum of substringRanges lengths cannot exceed length of
+    // source because the substringRanges were computed from the source string
+    // in removeUsingRegExpSearch(). Hence, totalLength cannot exceed
+    // String::MaxLength, and therefore, cannot overflow.
+    Checked<int, AssertNoOverflow> totalLength = 0;
     for (int i = 0; i < rangeCount; i++)
         totalLength += substringRanges[i].length;
+    ASSERT(totalLength <= String::MaxLength);
 
     if (!totalLength)
@@ -335 +340 @@
         LChar* buffer;
         const LChar* sourceData = source.characters8();
-        auto impl = StringImpl::tryCreateUninitialized(totalLength, buffer);
+        auto impl = StringImpl::tryCreateUninitialized(totalLength.unsafeGet(), buffer);
         if (!impl) {
             throwOutOfMemoryError(exec, scope);
@@ -341 +346 @@
         }
 
-        int bufferPos = 0;
+        Checked<int, AssertNoOverflow> bufferPos = 0;
         for (int i = 0; i < rangeCount; i++) {
             if (int srcLen = substringRanges[i].length) {
-                StringImpl::copyCharacters(buffer + bufferPos, sourceData + substringRanges[i].position, srcLen);
+                StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), sourceData + substringRanges[i].position, srcLen);
                 bufferPos += srcLen;
             }
@@ -355 +360 @@
     const UChar* sourceData = source.characters16();
 
-    auto impl = StringImpl::tryCreateUninitialized(totalLength, buffer);
+    auto impl = StringImpl::tryCreateUninitialized(totalLength.unsafeGet(), buffer);
     if (!impl) {
         throwOutOfMemoryError(exec, scope);
@@ -361 +366 @@
     }
 
-    int bufferPos = 0;
+    Checked<int, AssertNoOverflow> bufferPos = 0;
     for (int i = 0; i < rangeCount; i++) {
         if (int srcLen = substringRanges[i].length) {
-            StringImpl::copyCharacters(buffer + bufferPos, sourceData + substringRanges[i].position, srcLen);
+            StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), sourceData + substringRanges[i].position, srcLen);
             bufferPos += srcLen;
         }
@@ -415 +420 @@
 
         int maxCount = std::max(rangeCount, separatorCount);
-        int bufferPos = 0;
+        Checked<int, AssertNoOverflow> bufferPos = 0;
         for (int i = 0; i < maxCount; i++) {
             if (i < rangeCount) {
                 if (int srcLen = substringRanges[i].length) {
-                    StringImpl::copyCharacters(buffer + bufferPos, sourceData + substringRanges[i].position, srcLen);
+                    StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), sourceData + substringRanges[i].position, srcLen);
                     bufferPos += srcLen;
                 }
@@ -425 +430 @@
             if (i < separatorCount) {
                 if (int sepLen = separators[i].length()) {
-                    StringImpl::copyCharacters(buffer + bufferPos, separators[i].characters8(), sepLen);
+                    StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), separators[i].characters8(), sepLen);
                     bufferPos += sepLen;
                 }
@@ -442 +447 @@
 
     int maxCount = std::max(rangeCount, separatorCount);
-    int bufferPos = 0;
+    Checked<int, AssertNoOverflow> bufferPos = 0;
     for (int i = 0; i < maxCount; i++) {
         if (i < rangeCount) {
             if (int srcLen = substringRanges[i].length) {
                 if (source.is8Bit())
-                    StringImpl::copyCharacters(buffer + bufferPos, source.characters8() + substringRanges[i].position, srcLen);
+                    StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), source.characters8() + substringRanges[i].position, srcLen);
                 else
-                    StringImpl::copyCharacters(buffer + bufferPos, source.characters16() + substringRanges[i].position, srcLen);
+                    StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), source.characters16() + substringRanges[i].position, srcLen);
                 bufferPos += srcLen;
             }
@@ -456 +461 @@
             if (int sepLen = separators[i].length()) {
                 if (separators[i].is8Bit())
-                    StringImpl::copyCharacters(buffer + bufferPos, separators[i].characters8(), sepLen);
+                    StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), separators[i].characters8(), sepLen);
                 else
-                    StringImpl::copyCharacters(buffer + bufferPos, separators[i].characters16(), sepLen);
+                    StringImpl::copyCharacters(buffer + bufferPos.unsafeGet(), separators[i].characters16(), sepLen);
                 bufferPos += sepLen;
             }
@@ -730 +735 @@
         searchValue->setLastIndex(exec, 0);
         RETURN_IF_EXCEPTION(scope, nullptr);
-        RELEASE_AND_RETURN(scope, removeUsingRegExpSearch(vm, exec, thisValue, thisValue->value(exec), regExp));
+        const String& source = thisValue->value(exec);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        RELEASE_AND_RETURN(scope, removeUsingRegExpSearch(vm, exec, thisValue, source, regExp));
     }
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2019-02-23  Mark Lam  <mark.lam@apple.com>
+
+        Add an exception check and some assertions in StringPrototype.cpp.
+        https://bugs.webkit.org/show_bug.cgi?id=194962
+        <rdar://problem/48013416>
+
+        Reviewed by Yusuke Suzuki and Saam Barati.
+
+        Add an AssertNoOverflow overflow handler which allows us to do CheckedArithmetic
+        for assertion purpose only on debug builds but sacrifices no performance on
+        release builds.
+
+        * wtf/CheckedArithmetic.h:
+        (WTF::AssertNoOverflow::overflowed):
+        (WTF::AssertNoOverflow::clearOverflow):
+        (WTF::AssertNoOverflow::crash):
+        (WTF::AssertNoOverflow::hasOverflowed const):
+        (WTF::observesOverflow):
+        (WTF::observesOverflow<AssertNoOverflow>):
+        (WTF::safeAdd):
+        (WTF::safeSub):
+        (WTF::safeMultiply):
+        (WTF::Checked::operator+=):
+        (WTF::Checked::operator-=):
+        (WTF::Checked::operator*=):
+        (WTF::operator+):
+        (WTF::operator-):
+        (WTF::operator*):
+
 2019-02-23  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/WTF/wtf/CheckedArithmetic.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -71 +71 @@
 };
 
+class AssertNoOverflow {
+public:
+    static NO_RETURN_DUE_TO_ASSERT void overflowed()
+    {
+        ASSERT_NOT_REACHED();
+    }
+
+    void clearOverflow() { }
+
+    static NO_RETURN_DUE_TO_CRASH void crash()
+    {
+        CRASH();
+    }
+
+public:
+    constexpr bool hasOverflowed() const { return false; }
+};
+
 class ConditionalCrashOnOverflow {
 public:
@@ -524 +542 @@
 };
 
+template <class OverflowHandler, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
+inline constexpr bool observesOverflow() { return true; }
+
+template <>
+inline constexpr bool observesOverflow<AssertNoOverflow>() { return !ASSERT_DISABLED; }
+
 template <typename U, typename V, typename R> static inline bool safeAdd(U lhs, V rhs, R& result)
 {
     return ArithmeticOperations<U, V, R>::add(lhs, rhs, result);
+    return true;
+}
+
+template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
+static inline bool safeAdd(U lhs, V rhs, R& result)
+{
+    if (observesOverflow<OverflowHandler>())
+        return safeAdd(lhs, rhs, result);
+    result = lhs + rhs;
+    return true;
 }
 
@@ -534 +568 @@
 }
 
+template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
+static inline bool safeSub(U lhs, V rhs, R& result)
+{
+    if (observesOverflow<OverflowHandler>())
+        return safeSub(lhs, rhs, result);
+    result = lhs - rhs;
+    return true;
+}
+
 template <typename U, typename V, typename R> static inline bool safeMultiply(U lhs, V rhs, R& result)
 {
     return ArithmeticOperations<U, V, R>::multiply(lhs, rhs, result);
+}
+
+template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
+static inline bool safeMultiply(U lhs, V rhs, R& result)
+{
+    if (observesOverflow<OverflowHandler>())
+        return safeMultiply(lhs, rhs, result);
+    result = lhs * rhs;
+    return true;
 }
 
@@ -677 +729 @@
     template <typename U> const Checked operator+=(U rhs)
     {
-        if (!safeAdd(m_value, rhs, m_value))
+        if (!safeAdd<OverflowHandler>(m_value, rhs, m_value))
             this->overflowed();
         return *this;
@@ -684 +736 @@
     template <typename U> const Checked operator-=(U rhs)
     {
-        if (!safeSub(m_value, rhs, m_value))
+        if (!safeSub<OverflowHandler>(m_value, rhs, m_value))
             this->overflowed();
         return *this;
@@ -691 +743 @@
     template <typename U> const Checked operator*=(U rhs)
     {
-        if (!safeMultiply(m_value, rhs, m_value))
+        if (!safeMultiply<OverflowHandler>(m_value, rhs, m_value))
             this->overflowed();
         return *this;
@@ -815 +867 @@
     bool overflowed = lhs.safeGet(x) == CheckedState::DidOverflow || rhs.safeGet(y) == CheckedState::DidOverflow;
     typename Result<U, V>::ResultType result = 0;
-    overflowed |= !safeAdd(x, y, result);
+    overflowed |= !safeAdd<OverflowHandler>(x, y, result);
     if (overflowed)
         return ResultOverflowed;
@@ -827 +879 @@
     bool overflowed = lhs.safeGet(x) == CheckedState::DidOverflow || rhs.safeGet(y) == CheckedState::DidOverflow;
     typename Result<U, V>::ResultType result = 0;
-    overflowed |= !safeSub(x, y, result);
+    overflowed |= !safeSub<OverflowHandler>(x, y, result);
     if (overflowed)
         return ResultOverflowed;
@@ -839 +891 @@
     bool overflowed = lhs.safeGet(x) == CheckedState::DidOverflow || rhs.safeGet(y) == CheckedState::DidOverflow;
     typename Result<U, V>::ResultType result = 0;
-    overflowed |= !safeMultiply(x, y, result);
+    overflowed |= !safeMultiply<OverflowHandler>(x, y, result);
     if (overflowed)
         return ResultOverflowed;
@@ -931 +983 @@
 }
 
+using WTF::AssertNoOverflow;
 using WTF::Checked;
 using WTF::CheckedState;