8311906: Improve robustness of String constructors with mutable array inputs #16425
Conversation
… arguments Ensure that mutations of input arguments to constructors can not invalidate the latin1 vs non-latin1 coding. 8313982: Non-conforming CharSequence implementation can break StringBuilder Increase AbstractStringBuilder/StringBuilder robustness when appending a CharSequence that may throw exceptions while returning characters from the sequence.
|
/csr |
|
👋 Welcome back rriggs! A progress list of the required criteria for merging this PR into |
|
@RogerRiggs has indicated that a compatibility and specification (CSR) request is needed for this pull request. @RogerRiggs this pull request must refer to an issue in JBS to be able to link it to a CSR request. To refer this pull request to an issue in JBS, please update the title of this pull request to just the issue ID. |
|
@RogerRiggs The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
openjdk
bot
added
hotspot
…mpress to return the index of the first non-latin1 character or the length if none. Not yet built or tested on RiscV. The test StringRacyConstructor verifies the behavior of the compress intrinsic. Updated comments on intrinsic implementations of char_array_compress to reflect the change in the behavior of StringUTF16.compress. Damon Fenacci (@damon_fenacci) authored the changes to macroAssembler_aarch64.cpp and macroAssembler_aarch64.cpp.
RogerRiggs
changed the title
| */ | ||
| @ForceInline | ||
| public static byte[] compress(final char[] val, final int off, final int count) { | ||
| byte[] latin1 = new byte[count]; |
There was a problem hiding this comment.
Will this redundant array allocation be costly if we are working with mostly-utf16 strings, such as CJK strings with no latin characters?
I suggest we can use a heuristic to read the initial char; if it's utf16 then we skip the latin-1 process altogether (and we can assign the utf16 value to the initial index to ensure it's non-latin-1 compressible.
There was a problem hiding this comment.
We can reconsider this design as a separate PR.
Every additional check has a performance impact and in this bug the goal is to avoid any regression.
We'll need to gain some insight into the distribution of strings when used in a non-latin1 application.
How many of the strings are latin1 vs non-latin1, what is the distribution of string lengths and which APIs are in use in the applications. The implementation is already pretty good about working with strings of different coders
but there may be some different choices when converting between char arrays and int arrays and strings.
There was a problem hiding this comment.
Just curious, how does benchmark StringConstructor.newStringFromCharsMixedBegin change before and after this patch? If we can see how much of an impact this has on CJK strings it would be appreciated.
There was a problem hiding this comment.
Just curious, how does benchmark StringConstructor.newStringFromCharsMixedBegin change before and after this patch? If we can see how much of an impact this has on CJK strings it would be appreciated.
You may have better insights from doing your own runs on your own systems.
Here's a sample from a recent run. Mostly small improvements and a few small negatives.
Benchmark Linux aarch64 | Linux x64 | MacOSX aarch64 | MacOSX x64
newStringFromCharsMixedBegin-size:64 | 1.22% | 0.91% | -0.81% | 1.08%
newStringFromCharsMixedBegin-size:7 | 4.40% | 0.26% | -1.88% | 4.60%
|
Hello Roger, it looks like there are some whitespace related issues in the changes which jcheck has caught https://github.com/openjdk/jdk/pull/16425/checks?check_run_id=18357062638 and thus hasn't created a RFR for this yet. |
Webrevs
|
|
This PR includes changes to the |
|
/author set dfenacci Damon Fenacci authored the updates to the hotspot intrinsics. |
|
@RogerRiggs |
|
/author set rriggs |
|
@RogerRiggs |
|
@RogerRiggs |
|
/author remove Remove the override. |
|
@RogerRiggs |
|
It would also be good to have the aarch64 and x64 intrinsics properly reviewed. @theRealAph could I ask you to have a look at aarch64 and @TobiHartmann at x64 please? (you seem to be the last ones that made major changes in the intrinsics) |
Extra checking on maximum string lengths when calling toBytes().
openjdk
bot
added
csr
…6.compress and normalize calling sequence
…ingBuilder, and Appendable methods in the case where the input arguments are modified during construction or a StringBuilder or Appendable method call.
Simplified and slightly optimized x86 char_array_compress
Verified by manual tests with "-XX:AVX3Threshold=0" And test in the PR test/hotspot/jtreg/compiler/intrinsics/string/TestStringConstructionIntrinsics.java
openjdk
bot
added
ready
|
/integrate |
|
Going to push as commit 155abc5.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
|
@RogerRiggs Pushed as commit 155abc5. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Strings, after construction, are immutable but may be constructed from mutable arrays of bytes, characters, or integers.
The string constructors should guard against the effects of mutating the arrays during construction that might invalidate internal invariants for the correct behavior of operations on the resulting strings. In particular, a number of operations have optimizations for operations on pairs of latin1 strings and pairs of non-latin1 strings, while operations between latin1 and non-latin1 strings use a more general implementation.
The changes include:
Adding a warning to each constructor with an array as an argument to indicate that the results are indeterminate
if the input array is modified before the constructor returns.
The resulting string may contain any combination of characters sampled from the input array.
Ensure that strings that are represented as non-latin1 contain at least one non-latin1 character.
For latin1 inputs, whether the arrays contain ASCII, ISO-8859-1, UTF8, or another encoding decoded to latin1 the scanning and compression is unchanged.
If a non-latin1 character is found, the string is represented as non-latin1 with the added verification that a non-latin1 character is present at the same index.
If that character is found to be latin1, then the input array has been modified and the result of the scan may be incorrect.
Though a ConcurrentModificationException could be thrown, the risk to an existing application of an unexpected exception should be avoided.
Instead, the non-latin1 copy of the input is re-scanned and compressed; that scan determines whether the latin1 or the non-latin1 representation is returned.
The methods that scan for non-latin1 characters and their intrinsic implementations are updated to return the index of the non-latin1 character.
String construction from StringBuilder and CharSequence must also be guarded as their contents may be modified during construction.
Progress
Issues
Reviewers
Contributors
<dfenacci@openjdk.org><redestad@openjdk.org><amitkumar@openjdk.org><mdoerr@openjdk.org>Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/16425/head:pull/16425$ git checkout pull/16425Update a local copy of the PR:
$ git checkout pull/16425$ git pull https://git.openjdk.org/jdk.git pull/16425/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 16425View PR using the GUI difftool:
$ git pr show -t 16425Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/16425.diff
Webrev
Link to Webrev Comment