Title: [292484] trunk
Revision
292484
Author
ysuz...@apple.com
Date
2022-04-06 11:48:46 -0700 (Wed, 06 Apr 2022)

Log Message

[JSC] Substring resolving should check 8bit / 16bit again
https://bugs.webkit.org/show_bug.cgi?id=236775
<rdar://problem/89253391>

Reviewed by Saam Barati.

JSTests:

* stress/8bit-16bit-atomize-conversion.js: Added.
(main.v64):
(main):

Source/_javascript_Core:

A substring JSString wraps another JSString, so it is possible for the underlying JSString's 8Bit / 16Bit status
to differ from the substring wrapper's own bit. We should not assume they are the same.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal const):
(JSC::JSRopeString::resolveRopeToAtomString const):
(JSC::JSRopeString::resolveRopeToExistingAtomString const):
(JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
(JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
* runtime/JSString.h:

Diff

Modified: trunk/JSTests/ChangeLog (292483 => 292484)


--- trunk/JSTests/ChangeLog	2022-04-06 18:29:39 UTC (rev 292483)
+++ trunk/JSTests/ChangeLog	2022-04-06 18:48:46 UTC (rev 292484)
@@ -1,3 +1,15 @@
+2022-04-06  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Substring resolving should check 8bit / 16bit again
+        https://bugs.webkit.org/show_bug.cgi?id=236775
+        <rdar://problem/89253391>
+
+        Reviewed by Saam Barati.
+
+        * stress/8bit-16bit-atomize-conversion.js: Added.
+        (main.v64):
+        (main):
+
 2022-04-06  Alexey Shvayka  <ashva...@apple.com>
 
         ICU was recently updated to use type="long" format if there is {month: "long"}

Added: trunk/JSTests/stress/8bit-16bit-atomize-conversion.js (0 => 292484)


--- trunk/JSTests/stress/8bit-16bit-atomize-conversion.js	                        (rev 0)
+++ trunk/JSTests/stress/8bit-16bit-atomize-conversion.js	2022-04-06 18:48:46 UTC (rev 292484)
@@ -0,0 +1,18 @@
+function main() {
+    for (let v27 = 0; v27 < 100; v27++) {
+        const v44 = [0,0,1.1];
+        const v61 = v44.toLocaleString();
+        const v62 = eval(Math);
+        v63 = v61.substring(v62,v27);
+
+        function v64() {
+            if (v62) {
+                Math[v61] = [];
+            }
+            const v82 = (-1.0).__proto__;
+            delete v82[v63];
+        }
+        v64();
+    }
+}
+main();
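Review bot: The new test has no comment saying what it regresses, so a later reader cannot tell which of these fuzzer-shaped lines is load-bearing; suggest a header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=236775: atomize a substring (delete v82[v63]) after its base string v61 was presumably atomized by the Math[v61] property write, so the base's 8-bit/16-bit status may no longer match the substring wrapper's.` The line `v63 = v61.substring(v62,v27);` also assigns an undeclared global; if the implicit global is not part of the reduction, `const v63 = v61.substring(v62,v27);` keeps the test strict-mode safe. The substring's start argument `v62` is the Math object (eval of a non-string returns it), which converts to NaN and hence 0, which is worth a one-line note if that is intentional.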

Modified: trunk/Source/_javascript_Core/ChangeLog (292483 => 292484)


--- trunk/Source/_javascript_Core/ChangeLog	2022-04-06 18:29:39 UTC (rev 292483)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-06 18:48:46 UTC (rev 292484)
@@ -1,3 +1,22 @@
+2022-04-06  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Substring resolving should check 8bit / 16bit again
+        https://bugs.webkit.org/show_bug.cgi?id=236775
+        <rdar://problem/89253391>
+
+        Reviewed by Saam Barati.
+
+        Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status
+        becomes different from substring JSString wrapper's bit. We should not assume they are the same.
+
+        * runtime/JSString.cpp:
+        (JSC::JSRopeString::resolveRopeInternal const):
+        (JSC::JSRopeString::resolveRopeToAtomString const):
+        (JSC::JSRopeString::resolveRopeToExistingAtomString const):
+        (JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
+        (JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
+        * runtime/JSString.h:
+
 2022-04-06  Chris Dumez  <cdu...@apple.com>
 
         Reduce number of conversions from StringView to String

Modified: trunk/Source/_javascript_Core/runtime/JSString.cpp (292483 => 292484)


--- trunk/Source/_javascript_Core/runtime/JSString.cpp	2022-04-06 18:29:39 UTC (rev 292483)
+++ trunk/Source/_javascript_Core/runtime/JSString.cpp	2022-04-06 18:48:46 UTC (rev 292484)
@@ -152,10 +152,17 @@
 
 static constexpr unsigned maxLengthForOnStackResolve = 2048;
 
-void JSRopeString::resolveRopeInternal8(LChar* buffer) const
+template<typename CharacterType>
+void JSRopeString::resolveRopeInternal(CharacterType* buffer) const
 {
     if (isSubstring()) {
-        StringImpl::copyCharacters(buffer, substringBase()->valueInternal().characters8() + substringOffset(), length());
+        // It is possible that underlying string becomes 8bit/16bit while wrapper substring is saying it is 16bit/8bit.
+        // But It is definitely true that substring part can be represented as its parent's status 8bit/16bit, which is described as CharacterType.
+        auto& string = substringBase()->valueInternal();
+        if (string.is8Bit())
+            StringImpl::copyCharacters(buffer, string.characters8() + substringOffset(), length());
+        else
+            StringImpl::copyCharacters(buffer, string.characters16() + substringOffset(), length());
         return;
     }
     
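Review bot: The `else` branch that copies from `string.characters16()` narrows UChar into `CharacterType` whenever this rope is 8-bit but the base has become 16-bit, and the hunk only asserts that in a comment; unless the narrowing `StringImpl::copyCharacters` overload already checks each character, a debug-only check that every copied unit is `<= 0xFF` when `CharacterType` is `LChar` would turn a silent truncation into a caught invariant violation. The comment itself reads awkwardly ("But It is definitely true"); suggest `// The substring part is guaranteed to be representable in this rope's own width (CharacterType), so a narrowing copy from a 16-bit base is safe here.` The same reliance on that invariant is in the callers in the later hunks, where the buffer type is chosen by `is8Bit()` of this rope rather than of the base. The body of resolveRopeInternal continues into the next hunk.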
@@ -162,17 +169,6 @@
     resolveRopeInternalNoSubstring(buffer);
 }
 
-void JSRopeString::resolveRopeInternal16(UChar* buffer) const
-{
-    if (isSubstring()) {
-        StringImpl::copyCharacters(
-            buffer, substringBase()->valueInternal().characters16() + substringOffset(), length());
-        return;
-    }
-    
-    resolveRopeInternalNoSubstring(buffer);
-}
-
 template<typename CharacterType>
 void JSRopeString::resolveRopeInternalNoSubstring(CharacterType* buffer) const
 {
@@ -210,11 +206,11 @@
 
     if (is8Bit()) {
         LChar buffer[maxLengthForOnStackResolve];
-        resolveRopeInternal8(buffer);
+        resolveRopeInternal(buffer);
         convertToNonRope(AtomStringImpl::add(buffer, length()));
     } else {
         UChar buffer[maxLengthForOnStackResolve];
-        resolveRopeInternal16(buffer);
+        resolveRopeInternal(buffer);
         convertToNonRope(AtomStringImpl::add(buffer, length()));
     }
 
@@ -255,7 +251,7 @@
     
     if (is8Bit()) {
         LChar buffer[maxLengthForOnStackResolve];
-        resolveRopeInternal8(buffer);
+        resolveRopeInternal(buffer);
         if (RefPtr<AtomStringImpl> existingAtomString = AtomStringImpl::lookUp(buffer, length())) {
             convertToNonRope(*existingAtomString);
             return existingAtomString;
@@ -262,7 +258,7 @@
         }
     } else {
         UChar buffer[maxLengthForOnStackResolve];
-        resolveRopeInternal16(buffer);
+        resolveRopeInternal(buffer);
         if (RefPtr<AtomStringImpl> existingAtomString = AtomStringImpl::lookUp(buffer, length())) {
             convertToNonRope(*existingAtomString);
             return existingAtomString;

Modified: trunk/Source/_javascript_Core/runtime/JSString.h (292483 => 292484)


--- trunk/Source/_javascript_Core/runtime/JSString.h	2022-04-06 18:29:39 UTC (rev 292483)
+++ trunk/Source/_javascript_Core/runtime/JSString.h	2022-04-06 18:48:46 UTC (rev 292484)
@@ -608,8 +608,7 @@
     template<typename CharacterType> void resolveRopeInternalNoSubstring(CharacterType*) const;
     Identifier toIdentifier(JSGlobalObject*) const;
     void outOfMemory(JSGlobalObject* nullOrGlobalObjectForOOM) const;
-    void resolveRopeInternal8(LChar*) const;
-    void resolveRopeInternal16(UChar*) const;
+    template<typename CharacterType> void resolveRopeInternal(CharacterType*) const;
     StringView unsafeView(JSGlobalObject*) const;
     StringViewWithUnderlyingString viewWithUnderlyingString(JSGlobalObject*) const;
 
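Review bot: The new private template declaration carries no note on the contract its callers rely on: from the call sites in JSString.cpp the buffer's element type is selected by `is8Bit()` of this rope, and the substring path copies from whichever width the base currently has, so the buffer must hold `length()` characters of this rope's own width. Suggest placing `// CharacterType must match is8Bit() of this rope; buffer must hold length() characters.` above the declaration. Since the template is defined only in JSString.cpp, it is presumably only instantiable from that translation unit, which is fine for a private member but worth stating if other callers are expected.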