RESOLVED FIXED 210736
REGRESSION (r253987): StringImpl::adopt(Vector&&) copies only half of the characters in the Vector when copying across malloc zones 
https://bugs.webkit.org/show_bug.cgi?id=210736
Summary REGRESSION (r253987): StringImpl::adopt(Vector&&) copies only half of the cha...
Fujii Hironori
Reported 2020-04-20 00:06:48 PDT
StringImpl::adopt truncates the string by copying only half of the argument Vector r253987 (Bug 186422) added the following line: > memcpy(stringImplBuffer.get(), vectorBuffer.get(), size); But it should be the following for UChar string. > memcpy(stringImplBuffer.get(), vectorBuffer.get(), size * sizeof(CharacterType));
Attachments
Patch (3.95 KB, patch)
2020-04-20 09:48 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
Patch (4.06 KB, patch)
2020-04-20 09:53 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
Patch (5.90 KB, patch)
2020-04-20 10:04 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2020-04-20 00:09:27 PDT
Or, > return StringImpl::create(vector.data(), size);
Darin Adler
Comment 2 2020-04-20 09:33:54 PDT
(In reply to Fujii Hironori from comment #0) > StringImpl::adopt truncates the string by copying only half of the argument > Vector > > r253987 (Bug 186422) added the following line: > > > memcpy(stringImplBuffer.get(), vectorBuffer.get(), size); > > But it should be the following for UChar string. > > > memcpy(stringImplBuffer.get(), vectorBuffer.get(), size * sizeof(CharacterType)); StringImpl::copyCharacters(stringImplBuffer.get(), vectorBuffer.get(), size);
Darin Adler
Comment 3 2020-04-20 09:34:23 PDT
(In reply to Darin Adler from comment #2) > StringImpl::copyCharacters(stringImplBuffer.get(), vectorBuffer.get(), size); Since the code is inside StringImpl: copyCharacters(stringImplBuffer.get(), vectorBuffer.get(), size);
Darin Adler
Comment 4 2020-04-20 09:35:40 PDT
Should use copyCharacters instead of memcpy both in StringImpl::adopt and in StringImpl::replace.
Darin Adler
Comment 5 2020-04-20 09:37:18 PDT
And in StringImpl::StringImpl. copyCharacters(const_cast<LChar*>(m_data8), characters.get(), length); Let's just not use memcpy, which ignores the types of the pointers, except in copyCharacters, which respects the types of the pointers.
Darin Adler
Comment 6 2020-04-20 09:37:37 PDT
Hard part about this is adding an appropriate test case.
Yusuke Suzuki
Comment 7 2020-04-20 09:41:02 PDT
Oops, nice catch! I think this is hard to test without manual one, because this code is used when malloc_zone breakdown debugging feature is enabled.
Darin Adler
Comment 8 2020-04-20 09:48:35 PDT Comment hidden (obsolete)
Darin Adler
Comment 9 2020-04-20 09:48:59 PDT
I did not add a test. Maybe someone else wants to pick up my patch and add a test?
Darin Adler
Comment 10 2020-04-20 09:53:44 PDT Comment hidden (obsolete)
Darin Adler
Comment 11 2020-04-20 10:04:15 PDT
Created attachment 396983 [details] Patch
Darin Adler
Comment 12 2020-04-20 10:05:26 PDT
Comment on attachment 396983 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396983&action=review > Source/WTF/wtf/text/StringImpl.h:1044 > + return create(vector.data(), vector.size()); Could have this do vector.clear() after creating the StringImpl, but I don’t think that’s necessary.
Darin Adler
Comment 13 2020-04-20 10:27:03 PDT
Yusuke, as further cleanup maybe we could change the StringImpl(MallocPtr) constructor to not be a template, and only work with StringImplMalloc. Make it a caller responsibility to check. Is there any other caller?
Darin Adler
Comment 14 2020-04-20 10:29:54 PDT
(In reply to Darin Adler from comment #13) > Yusuke, as further cleanup maybe we could change the StringImpl(MallocPtr) > constructor to not be a template, and only work with StringImplMalloc. Make > it a caller responsibility to check. Is there any other caller? Hmm, no it seems that it can be called with StringBufferMalloc, so I guess we'll leave it alone for now.
Yusuke Suzuki
Comment 15 2020-04-20 11:48:51 PDT
Comment on attachment 396983 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396983&action=review r=me >> Source/WTF/wtf/text/StringImpl.h:1044 >> + return create(vector.data(), vector.size()); > > Could have this do vector.clear() after creating the StringImpl, but I don’t think that’s necessary. Yeah, I think either is OK.
EWS
Comment 16 2020-04-20 12:10:03 PDT
Committed r260383: <https://trac.webkit.org/changeset/260383> All reviewed patches have been landed. Closing bug and clearing flags on attachment 396983 [details].
Radar WebKit Bug Importer
Comment 17 2020-04-20 12:11:13 PDT
<rdar://problem/62069530>
Note You need to log in before you can comment on or make changes to this bug.