6187113: DefaultListSelectionModel.removeIndexInterval(0, Integer.MAX_VALUE) fails

[prsadhuk]

DefaultListSelectionModel.removeIndexInterva accepts int value which allows it to take in Integer.MAX_VALUE theoratically but it does calculation with that value which can results in IOOBE.
Fix is to make sure the calculation stays within bounds.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8295329 to be approved

Issues

• JDK-6187113: DefaultListSelectionModel.removeIndexInterval(0, Integer.MAX_VALUE) fails
• JDK-8295329: DefaultListSelectionModel.removeIndexInterval(0, Integer.MAX_VALUE) fails (CSR)

Reviewers

• Alexey Ivanov (@aivanov-jdk - Reviewer) ⚠️ Review applies to b1857d3c

Contributors

• Alexey Ivanov <aivanov@openjdk.org>

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10409/head:pull/10409
$ git checkout pull/10409

Update a local copy of the PR:
$ git checkout pull/10409
$ git pull https://git.openjdk.org/jdk pull/10409/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 10409

View PR using the GUI difftool:
$ git pr show -t 10409

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10409.diff

[bridgekeeper]

👋 Welcome back psadhukhan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@prsadhuk The following label will be automatically applied to this pull request:

• client

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 11: Full - Incremental (eb99ea3b)
• 10: Full - Incremental (da05d20e)
• 09: Full - Incremental (b1857d3c)
• 08: Full - Incremental (fce8c56b)
• 07: Full - Incremental (89b9e86c)
• 06: Full - Incremental (ee02dc45)
• 05: Full - Incremental (0c4b2846)
• 04: Full - Incremental (ee43bd8d)
• 03: Full - Incremental (23d59222)
• 02: Full - Incremental (b70c6ad7)
• 01: Full - Incremental (e42f2afd)
• 00: Full (94fdf905)

[prsadhuk]

CSR raised..https://bugs.openjdk.org/browse/JDK-8295329...please review

[aivanov-jdk]

I was wrong, disallowing Integer.MAX_VALUE for setSelectionInterval is not enough. Moreover, if Integer.MAX_VALUE isn't accepted for setSelectionInterval and removeIndexInterval, it should be rejected in other places too. Otherwise, selectionModel.isSelectedIndex(Integer.MAX_VALUE)) being valid looks inconsistent.

Even when the gapLength remains positive, the following loop could throw IOOBE because a negative index being accessed. The following code

        selectionModel.setSelectionInterval(Integer.MAX_VALUE - 2, Integer.MAX_VALUE - 1);
        selectionModel.removeIndexInterval(0, Integer.MAX_VALUE - 1);

throws

Exception in thread "main" java.lang.IndexOutOfBoundsException: bitIndex < 0: -2147483648
	at java.base/java.util.BitSet.get(BitSet.java:626)
	at java.desktop/javax.swing.DefaultListSelectionModel.removeIndexInterval(DefaultListSelectionModel.java:713)
	at SelectionModelTest.main(SelectionModelTest.java)

where line 713

jdk/src/java.desktop/share/classes/javax/swing/DefaultListSelectionModel.java

Line 713 in ee43bd8

setState(i, value.get(i + gapLength));

I suggested the code to fix that problem.

Then the infinite loop in changeSelection

jdk/src/java.desktop/share/classes/javax/swing/DefaultListSelectionModel.java

Line 432 in ee43bd8

for(int i = Math.min(setMin, clearMin); i <= Math.max(setMax, clearMax); i++) {

for MAX_VALUE is resolved by reversing it:

-        for(int i = Math.min(setMin, clearMin); i <= Math.max(setMax, clearMax); i++) {
+        for(int i = Math.max(setMax, clearMax); i >= Math.min(setMin, clearMin); i--) {

The proposed changes will resolve the bug.

[aivanov-jdk]

The for-loop should look like this:

        for(int i = rmMinIndex; i >= 0 && i <= maxIndex; i++) {
            setState(i, (i <= Integer.MAX_VALUE - gapLength)
                        && (i + gapLength >= minIndex)
                        && value.get(i + gapLength));
        }

It breaks if i becomes negative. In the body, the first condition (i <= Integer.MAX_VALUE - gapLength) prevents accessing indexes greater than Integer.MAX_VALUE, the second condition (i + gapLength >= minIndex) is an optimisation, the values for indexes below minIndex are false, so the call to value.get is skipped. (The second condition is not required.)

[aivanov-jdk]

There exists at least one other problem because of integer overflow in insertIndexInterval.

This code

        selectionModel.setSelectionInterval(Integer.MAX_VALUE - 1, Integer.MAX_VALUE);
        selectionModel.insertIndexInterval(Integer.MAX_VALUE - 1, Integer.MAX_VALUE, true);

throws

Exception in thread "main" java.lang.IndexOutOfBoundsException: bitIndex < 0: -2
	at java.base/java.util.BitSet.get(BitSet.java:626)
	at java.desktop/javax.swing.DefaultListSelectionModel.set(DefaultListSelectionModel.java:311)
	at java.desktop/javax.swing.DefaultListSelectionModel.setState(DefaultListSelectionModel.java:629)
	at java.desktop/javax.swing.DefaultListSelectionModel.insertIndexInterval(DefaultListSelectionModel.java:657)
	at SelectionModelTest.main(SelectionModelTest.java)

Would you like to include it as part of this fix? Shall I submit a new bug for this?

[prsadhuk]

Thanks for your suggestive code..
I guess you are now ok with handling Integer.MAX_VALUE in the code rather than only in javadoc.

BTW, your code change resulted in JCK failure so I have used a mix of what I had in previous iterations and your code and this satisfied JCK as well as the unit tests.
Regarding insertIndexInterval I guess it's better to address in this PR as it has same issue in same file, so I have added a fix for it also in this PR.

[aivanov-jdk]

This is tough. The number of test cases has grown to 25. There are many failures.

[aivanov-jdk]

This operation in the else block doesn't make sense, you can just skip it.

[aivanov-jdk]

I suggest using i <= Integer.MAX_VALUE - length. Yet I'm still unsure it's enough and correct.

[aivanov-jdk]

insertIndexInterval doesn't verify its parameters: negative index, negative length should be rejected right away.

[aivanov-jdk]

This does not work. It must not break. With this code, 5 of my tests fail.

For example,

        selectionModel.setSelectionInterval(0, Integer.MAX_VALUE);
        selectionModel.removeIndexInterval(0, Integer.MAX_VALUE);

must result in empty selection. All the possible indexes were selected, you removed all the possible indexes (so that “the list” contains no elements at all). This test case fails either way, unfortunately: selectionModel.isSelectedIndex(0) still returns true.

This edge case where rmMinIndex = 0 and rmMaxIndex = Integer.MAX_VALUE should probably be short-circuited: setState(i, false) for all the elements. Other values are handled correctly by my suggested code, as far as I can see.

This test case:

        selectionModel.setSelectionInterval(0, Integer.MAX_VALUE);
        selectionModel.removeIndexInterval(1, Integer.MAX_VALUE);

passed before and now it fails again. Here, selectionModel.isSelectedIndex(0) must be true.

[aivanov-jdk]

If we handle the edge case separately, it looks better and the first test case as well as other tests for remove pass successfully:

    public void removeIndexInterval(int index0, int index1)
    {
        if (index0 < 0 || index1 < 0) {
            throw new IndexOutOfBoundsException("index is negative");
        }

        int rmMinIndex = Math.min(index0, index1);
        int rmMaxIndex = Math.max(index0, index1);

        if (rmMinIndex == 0 && rmMaxIndex == Integer.MAX_VALUE) {
            for (int i = Integer.MAX_VALUE; i >= 0; i--) {
                setState(i, false);
            }
            // min and max are updated automatically by the for-loop

            // TODO Update anchor and lead
            return;
        }

        int gapLength = (rmMaxIndex - rmMinIndex) + 1;

        /* Shift the entire bitset to the left to close the index0, index1
         * gap.
         */
        for(int i = rmMinIndex; i >= 0 && i <= maxIndex; i++) {
            setState(i, (i <= Integer.MAX_VALUE - gapLength)
                        && (i + gapLength >= minIndex)
                        && value.get(i + gapLength));
        }

        // The rest of the method
    }

[aivanov-jdk]

I think testing that it does not throw an exception is not enough. You should verify that the data selection model holds is correct.

According to the spec, the interval from Integer.MAX_VALUE - 1 to Integer.MAX_VALUE should remain selected.

[aivanov-jdk]

Throw IOOBE as it's done in other methods. Silently ignoring bad parameters isn't good, likely it means an error in the calling code.

[aivanov-jdk]

Other methods, like removeIndexInterval, accept parameters which result in integer overflow, I think this should allow it too. Yet you have to ensure index + length isn't greater than Integer.MAX_VALUE. I mean length should be normalized in such a case, so that it doesn't cause the overflow.

Something like length = Integer.MAX_VALUE - index, it's off the top of my head, I haven't verified it's correct, it's just an idea on how this should be handled.

[aivanov-jdk]

You must not change maxIndex this way — you just broke the class invariant: maxIndex points to the highest selected index. Now it doesn't.

You have to make sure i + length <= Integer.MAX_VALUE but you must not modify maxIndex directly. This would probably be handled automatically if you normalize length. If not, the body of if may need a condition. Alternatively, a better way, the start value of i should be reduced so that is always i + length <= Integer.MAX_VALUE and doesn't cause integer overflow.

[aivanov-jdk]

I would prefer if the && operators are aligned to the opening parenthesis of the first condition, it makes it clearer that the condition is part of the second parameter. I don't insist on this one, the wrapping style is not agreed on.

[aivanov-jdk]

I already mentioned that I wrote a comprehensive unit-test to test the changes to removeIndexInterval and insertIndexInterval. The latest version of my test SelectionModelTest.java.

With the current code in the PR, six (6) test cases still fail. The changes I've suggested should resolve those failures. (I've been testing and proposing fixes to resolve test failures since the start of this code review.)

The test can be run as a jtreg test or as a standalone app. Depending on the hardware, it may take up to 10 minutes; the more cores the system has, the faster the test completes as all the test cases are run in parallel. (The minimum time I've ever seen is around 2–3 minutes.)

I can contribute the test to OpenJDK if deemed useful. I believe such a fix can't be done without extensive testing which verifies all the values in the object remain correct.

[aivanov-jdk]

I propose resolving an IDE warning and simplifying this condition:

Suggested change

	boolean setInsertedValues = ((getSelectionMode() == SINGLE_SELECTION) ?
	false : value.get(index));
	boolean setInsertedValues = (getSelectionMode() != SINGLE_SELECTION
	&& value.get(index));

Although this change is unrelated.

[aivanov-jdk]

Suggested change

	if (i + 1 < i) {
	if (i == Integer.MAX_VALUE) {

Will it be clearer this way? (And one less operation: no addition.)

As I mentioned before, I would prefer reversing the loop and iterating from max to min instead. But it causes a failure in JCK which I can't explain because the effective result is the same. Moreover, I believe iterating from max to min is more efficient as touching the maximum index will ensure the internal storage in the underlying BitSet is allocated right away to fit all the bits whereas the storage gets continuously re-allocated and copied as the accessed indexes grow.

[aivanov-jdk]

I propose moving this test to JList folder which already contains several tests which use ListSelectionModel via JList.

[aivanov-jdk]

With the current code in the PR, six (6) test cases still fail.

The failure of test10 is expected: you adjust the value of length so that insMaxIndex can't be greater than Integer.MAX_VALUE. It is a valid failure, the test needs changing: lead should be become Integer.MAX_VALUE + 1 = -2147483648 (0x80000000).

Other five failures are valid ones, minIndex and maxIndex in the object don't have the expected values.

[aivanov-jdk]

Let's keep it open. CSR review has stalled.

[bridgekeeper]

@prsadhuk This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[aivanov-jdk]

The CSR was approved two days ago, yet the bots didn't update the status of the issue. It should be ready for integration.

[prsadhuk]

/label add csr

[openjdk]

@prsadhuk
The label csr is not a valid label.
These labels are valid:

• serviceability
• hotspot
• hotspot-compiler
• ide-support
• kulla
• i18n
• shenandoah
• jdk
• javadoc
• security
• hotspot-runtime
• jmx
• build
• nio
• client
• core-libs
• compiler
• net
• hotspot-gc
• hotspot-jfr

[prsadhuk]

/csr

[openjdk]

@prsadhuk an approved CSR request is already required for this pull request.

[prsadhuk]

/csr JDK-8295329

[openjdk]

@prsadhuk usage: /csr [needed|unneeded], requires that the issue the pull request refers to links to an approved CSR request.

[prsadhuk]

/csr unneeded

[openjdk]

@prsadhuk determined that a CSR request is not needed for this pull request.

[openjdk]

@prsadhuk This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

6187113: DefaultListSelectionModel.removeIndexInterval(0, Integer.MAX_VALUE) fails

Co-authored-by: Alexey Ivanov <aivanov@openjdk.org>
Reviewed-by: aivanov

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[prsadhuk]

/csr needed

[openjdk]

@prsadhuk has indicated that a compatibility and specification (CSR) request is needed for this pull request.

@prsadhuk please create a CSR request for issue JDK-6187113 with the correct fix version. This pull request cannot be integrated until the CSR request is approved.

[prsadhuk]

/integrate

[openjdk]

Going to push as commit c2ebd17.

[openjdk]

@prsadhuk Pushed as commit c2ebd17.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.