Closed Bug 1825675 Opened 2 years ago Closed 2 years ago

Flattening rope with multiple references to an initial string leaves part of the result uninitialized

Categories: Core :: JavaScript Engine, defect, P1
Status: RESOLVED FIXED
Target: 113 Branch
Tracking Status: firefox113 --- fixed
People: Reporter: sfink, Assigned: sfink
References: Blocks 2 open bugs
Attachments: 1 file

If you do:

     s = ...;
     r = newRope(s, newRope(s, "!"));
     ensureLinearString(r);

where s is an extensible string with capacity >= s.length * 2 + 1, then the resulting flattened string will have an s-sized chunk of uninitialized characters in it.

Currently this bug appears to be unreachable: the only way to create an extensible string is via flattening, which sets the capacity to at most the needed length rounded up to the next power of 2. Hitting this bug requires the string to appear more than once in the DAG; the minimum length of rope required is s.length * 2.

The most "extra" space there will ever be in an extensible string is when its length is 1 more than a power of 2, so the extra space will be just less than its length, and the total capacity is less than s.length * 2.

However, there are a couple of changes I have experimented with that produce extensible strings in more situations and with more possible capacities. (It's how I ran into it; I was adding an extra 3 bytes to extensible strings' capacities.)

Includes a test using a new option to the newString() testing function: newString("...", { capacity: 1000 }) will create an extensible string with 1000-character capacity.
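A toy model of the flattening described above, added here as an illustration and not SpiderMonkey's own code. It reuses the leftmost extensible leaf's buffer as the result; the "skip every occurrence of the buffer owner" rule that leaves the s-sized hole is an assumed mechanism, and the 0xAA sentinel and the `uninitializedCount` check are constructed to make the unwritten chunk detectable.

```cpp
// Toy model of rope flattening into a reused extensible buffer (not SpiderMonkey code).
#include <cstring>
#include <string>
#include <vector>

static const char kUninit = '\xAA'; // constructed sentinel for never-written bytes

struct Str {
    std::vector<char> buf;      // leaf chars; extensible leaves have capacity > len
    size_t len = 0;
    bool extensible = false;
    Str* left = nullptr;        // rope children; both null means leaf
    Str* right = nullptr;
};

Str makeLeaf(const std::string& s) {
    Str r; r.buf.assign(s.begin(), s.end()); r.len = s.size(); return r;
}
Str makeExtensible(const std::string& s, size_t capacity) {
    Str r = makeLeaf(s); r.extensible = true; r.buf.resize(capacity, kUninit); return r;
}
Str makeRope(Str* l, Str* r) {
    Str s; s.left = l; s.right = r; s.len = l->len + r->len; return s;
}
static void leaves(Str* s, std::vector<Str*>& out) {
    if (!s->left) { out.push_back(s); return; }
    leaves(s->left, out); leaves(s->right, out);
}

// Flatten `rope`. If the leftmost leaf is extensible with enough capacity, its
// buffer becomes the result in place. buggy=true: the owner leaf is treated as
// "already in place" wherever it appears (assumed bug mechanism), so later
// occurrences are never copied. buggy=false: only the leftmost occurrence is
// skipped; later ones are copied from offset 0 of the same buffer.
std::string flatten(Str* rope, bool buggy) {
    std::vector<Str*> lv; leaves(rope, lv);
    Str* owner = lv[0];
    std::vector<char> fresh;
    char* dst = nullptr;
    if (owner->extensible && owner->buf.size() >= rope->len) dst = owner->buf.data();
    else { fresh.assign(rope->len, kUninit); dst = fresh.data(); owner = nullptr; }
    size_t pos = 0;
    for (Str* leaf : lv) {
        if (leaf == owner && (buggy || pos == 0)) { pos += leaf->len; continue; }
        std::memmove(dst + pos, leaf->buf.data(), leaf->len); // source may alias dst
        pos += leaf->len;
    }
    return std::string(dst, rope->len);
}

// Detection helper: count bytes the flattener never wrote.
size_t uninitializedCount(const std::string& s) {
    size_t n = 0; for (char c : s) if (c == kUninit) ++n; return n;
}
```

With s = "hello" (capacity 16 >= 5 * 2 + 1) and r = rope(s, rope(s, "!")), the buggy path yields "hello", five sentinel bytes, then "!"; with capacity 8 the buffer is not reused and the hole does not appear.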

Assignee: nobody → sphink
Status: NEW → ASSIGNED
Blocks: 1815266
Severity: -- → S3
Priority: -- → P1
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7944153dd2d1 Fix string flattening when reusing an extensible string buffer that appears at more than one place in the DAG. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
Regressions: 1827072
Blocks: 1848884