RESOLVED FIXED163937
JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX. 
https://bugs.webkit.org/show_bug.cgi?id=163937
Summary JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
Mark Lam
Reported 2016-10-24 23:45:46 PDT
It was previously limiting it to UINT_MAX. This is inconsistent with other parts of string code which expects a max length of INT_MAX.
Attachments
proposed patch. (4.72 KB, patch)
2016-10-24 23:53 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch. (4.74 KB, patch)
2016-10-24 23:59 PDT, Mark Lam 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews112 for mac-yosemite (1.80 MB, application/zip)
2016-10-25 01:38 PDT, Build Bot 		no flags
Details
proposed patch: with improvements. (19.37 KB, patch)
2016-10-25 13:47 PDT, Mark Lam 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-10-24 23:46:26 PDT
<rdar://problem/28828676>
Mark Lam
Comment 2 2016-10-24 23:47:26 PDT
(In reply to comment #1) > <rdar://problem/28828676> Wrong radar.
Mark Lam
Comment 3 2016-10-24 23:47:38 PDT
<rdar://problem/28642990>
Mark Lam
Comment 4 2016-10-24 23:53:37 PDT
Created attachment 292726 [details] proposed patch.
WebKit Commit Bot
Comment 5 2016-10-24 23:54:56 PDT
Attachment 292726 [details] did not pass style-queue: ERROR: JSTests/stress/joined-strings-should-not-exceed-max-string-length.js:16: Line contains tab character. [whitespace/tab] [5] ERROR: JSTests/stress/joined-strings-should-not-exceed-max-string-length.js:17: Line contains tab character. [whitespace/tab] [5] ERROR: JSTests/stress/joined-strings-should-not-exceed-max-string-length.js:19: Line contains tab character. [whitespace/tab] [5] ERROR: JSTests/stress/joined-strings-should-not-exceed-max-string-length.js:25: Line contains tab character. [whitespace/tab] [5] ERROR: JSTests/stress/joined-strings-should-not-exceed-max-string-length.js:27: Line contains tab character. [whitespace/tab] [5] Total errors found: 5 in 5 files If any of these errors are false positives, please file a bug against check-webkit-style.
Mark Lam
Comment 6 2016-10-24 23:59:09 PDT
Created attachment 292727 [details] proposed patch.
Build Bot
Comment 7 2016-10-25 01:38:33 PDT
Comment on attachment 292727 [details] proposed patch. Attachment 292727 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2363652 New failing tests: js/stringimpl-to-jsstring-on-large-strings-2.html
Build Bot
Comment 8 2016-10-25 01:38:36 PDT
Created attachment 292734 [details] Archive of layout-test-results from ews112 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5
JF Bastien
Comment 9 2016-10-25 08:29:09 PDT
Comment on attachment 292727 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=292727&action=review > Source/JavaScriptCore/runtime/JSString.h:108 > + ASSERT(static_cast<int32_t>(length) >= 0); Why not length <= std::numeric_limits<int32_t>::max() instead?
Saam Barati
Comment 10 2016-10-25 09:22:37 PDT
(In reply to comment #0) > It was previously limiting it to UINT_MAX. This is inconsistent with other > parts of string code which expects a max length of INT_MAX. Can we define a constant for like MAX_JSSTRING_LENGTH similar to some of the constants we have for array lengths?
Geoffrey Garen
Comment 11 2016-10-25 09:44:46 PDT
Comment on attachment 292727 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=292727&action=review >> Source/JavaScriptCore/runtime/JSString.h:108 >> + ASSERT(static_cast<int32_t>(length) >= 0); > > Why not length <= std::numeric_limits<int32_t>::max() instead? Yeah, this is better. > Source/JavaScriptCore/runtime/JSString.h:214 > + // While length is of type unsigned, the runtime and compilers are all > + // expecting that m_length is a positive value <= INT_MAX. > unsigned m_length; A better way to enforce this invariant is to make a helper function for setting m_length, make m_length private, and make the helper function ASSERT that the incoming length is <= std::numeric_limits<int32_t>::max(), with this comment.
Mark Lam
Comment 12 2016-10-25 13:47:55 PDT
Created attachment 292816 [details] proposed patch: with improvements.
Geoffrey Garen
Comment 13 2016-10-25 13:55:05 PDT
Comment on attachment 292816 [details] proposed patch: with improvements. r=me
Mark Lam
Comment 14 2016-10-25 15:23:12 PDT
Thanks for the reviews. Landed in r207849: <http://trac.webkit.org/r207849>.
Note You need to log in before you can comment on or make changes to this bug.