ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSTokenizer::detectAtToken

ASSERTION FAILED: name[0] == '@' && length >= 2 in
WebCore::CSSTokenizer::detectAtToken

At-rules have to contain 2 or more characters: one '@' character and at
least one more identifier character. This condition is checked in the
failing assertion.

Currently, the length of an at-rule is determined by doing pointer
arithmetic on the 'result' pointer, which is expected to be set to the
end of the at-rule identifier by the
WebCore::*CSSTokenizer::parseIdentifier method. If the at-rule token
is a sequence of 8-bit-only characters then 'result' will point correctly
at the end of the identifier. However, if the at-rule contains a 16-bit
Unicode escape then 'result' will not be updated correctly anymore, hence
it cannot be used for length calculation. On the other hand,
'resultString' always contains the whole at-rule identifier (without the
'@'' character), so taking its length + 1 will give the correct length
for any at-rule.

R=jchaffraix@chromium.org
BUG=364492
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=174853

[reni, 2014-04-17 14:40:09]

Could someone enable the try-bots for this patch set, pls?

[Julien - ping for review, 2014-04-18 16:56:42]

Wouldn't it make sense to fix |result| to point to the right location instead of
just doing a different computation?

[reni, 2014-04-23 23:32:14]

On 2014/04/18 16:56:42, Julien Chaffraix - PST wrote:
> Wouldn't it make sense to fix |result| to point to the right location instead
of
> just doing a different computation?

In the current case when the assert fires, the parsed string (pointed to by
currentCharacter<SrcCharacterType>() and result as well) is of 8-bit characters.
But the problem is that we run into an escape sequence that can only be
represented with a 16-bit character. This is why parseIdentifier and
parseIdentifierInternal stop updating result and create a copy of what has been
recognized into the local variable result16 and return the identifier correctly
in resultString only. So, in short, it would be hard to define what would be the
right location for result.

Having the correct identifier in resultString only could cause problems in
detectAtToken<SrcCharacterType>(), which does not match the list of known
at-rule identifiers against resultString (since it is not passed as a parameter)
but against the parsed (and potentially only partially "de-escaped") string
(starting at tokenStart<>()). However, the standard only allows a few
identifiers to contain escape sequences (explicitly listed in the comment of
detectAtToken) and all their characters can be represented on 8-bits. That is,
if an identifier contains escapes but all escapes are in the 8-bit range, result
will be updated correctly and detectAtToken will recognise it. If the identifier
contains a 16-bit escape, however, then there will be nothing to recognise,
because the standard contains nothing similar. So, until the standard does not
define some keywords with characters above 0xff, we are good.

[reni, 2014-04-29 07:00:55]

How does it look?

[reni, 2014-05-07 06:54:22]

On 2014/04/29 07:00:55, renata.hodovan wrote:
> How does it look?

Could somebody take a look at this?

[Julien - ping for review, 2014-05-08 15:26:28]

Sorry for the delay!

https://codereview.chromium.org/241053002/diff/1/LayoutTests/fast/css/atrule-...
File LayoutTests/fast/css/atrule-with-escape-character-crash.html (right):

https://codereview.chromium.org/241053002/diff/1/LayoutTests/fast/css/atrule-...
LayoutTests/fast/css/atrule-with-escape-character-crash.html:1: <html>
The test is missing a <!DOCTYPE html>

https://codereview.chromium.org/241053002/diff/1/LayoutTests/fast/css/atrule-...
LayoutTests/fast/css/atrule-with-escape-character-crash.html:15: <p>This test
passes if it does not crash.</p>
I would like a description of what we test for posterity.

https://codereview.chromium.org/241053002/diff/1/Source/core/css/CSSTokenizer...
File Source/core/css/CSSTokenizer-in.cpp (right):

https://codereview.chromium.org/241053002/diff/1/Source/core/css/CSSTokenizer...
Source/core/css/CSSTokenizer-in.cpp:1484:
detectAtToken<SrcCharacterType>(resultString.length() + 1, hasEscape);
This seems like a big footgun that you are neutering in one case, which is good
but IMO falls too short as we will fight this problem again in the future.

Looking at the rest of the code, there are other callers to parseIdentifier (and
other code paths that could follow when tokenizing) that are also doing pointer
arithmetic. Are they not also open to a similar bug? Shouldn't we be consistent
to avoid copying and pasting some bad pattern? Isn't there something we could do
to avoid more of these bugs?

I have little experience with this code so maybe my questions don't make sense,
so please bear with me.

[reni, 2014-05-22 22:04:38]

https://codereview.chromium.org/241053002/diff/1/Source/core/css/CSSTokenizer...
File Source/core/css/CSSTokenizer-in.cpp (right):

https://codereview.chromium.org/241053002/diff/1/Source/core/css/CSSTokenizer...
Source/core/css/CSSTokenizer-in.cpp:1484:
detectAtToken<SrcCharacterType>(resultString.length() + 1, hasEscape);
This is (was) the only place where the pointer arithmetic on result could be
faulty, because the arithmetic can give wrong length only if the identifier
contains a unicode escape. However, everywhere else the pointer arithmetic is
guarded by "if (!hasEscape)" constructs. It is specific to the at-rules that the
standard enables unicode escapes at some places. This is why we don't have such
a guard around the call to detectAtToken() and why we have to replace the
arithmetic.

[Julien - ping for review, 2014-05-23 10:42:09]

lgtm.

We prefer descriptions that are below 80 characters (ideally below 72
characters, see
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/rqGhY7PfkYY) so
let's fix it before landing.

https://codereview.chromium.org/241053002/diff/1/Source/core/css/CSSTokenizer...
File Source/core/css/CSSTokenizer-in.cpp (right):

https://codereview.chromium.org/241053002/diff/1/Source/core/css/CSSTokenizer...
Source/core/css/CSSTokenizer-in.cpp:1484:
detectAtToken<SrcCharacterType>(resultString.length() + 1, hasEscape);
On 2014/05/22 22:04:38, renata.hodovan wrote:
> This is (was) the only place where the pointer arithmetic on result could be
> faulty, because the arithmetic can give wrong length only if the identifier
> contains a unicode escape. However, everywhere else the pointer arithmetic is
> guarded by "if (!hasEscape)" constructs. It is specific to the at-rules that
the
> standard enables unicode escapes at some places. This is why we don't have
such
> a guard around the call to detectAtToken() and why we have to replace the
> arithmetic.

OK, it seems worth a comment here so that people are careful.

[reni, 2014-05-26 14:00:11]

Updated patch based on the comments.

[Julien - ping for review, 2014-05-27 09:23:58]

The CQ bit was checked by jchaffraix@chromium.org

[commit-bot: I haz the power, 2014-05-27 09:24:04]

CQ is trying da patch. Follow status at

https://chromium-status.appspot.com/cq/rhodovan.u-szeged@partner.samsung.com/...

[commit-bot: I haz the power, 2014-05-27 10:21:45]

Change committed as 174853