Skip to content

Commit

Permalink
encoding/json: revert "avoid work when unquoting strings, take 2"
Browse files Browse the repository at this point in the history
This reverts golang.org/cl/190659 and golang.org/cl/226218, minus the
regression tests in the latter.

The original work happened in golang.org/cl/151157, which was reverted
in golang.org/cl/190909 due to a crash found by fuzzing.

We tried a second time in golang.org/cl/190659, which shipped with Go
1.14. A bug was found, where strings would be mangled in certain edge
cases. The fix for that was golang.org/cl/226218, which was backported
into Go 1.14.4.

Unfortunately, a second regression was just reported in golang#39555, which is
a similar case of strings getting mangled when decoding under certain
conditions. It would be possible to come up with another small patch to
fix that edge case, but instead, let's just revert the entire
optimization, as it has proved to do more harm than good. Moreover, it's
hard to argue or prove that there will be no more such regressions.

However, all the work wasn't for nothing. First, we learned that the way
the decoder unquotes tokenized strings isn't simple; initially, we had
wrongly assumed that each string was unquoted exactly once and in order.
Second, we have gained a number of regression tests which will be useful
to prevent the same mistakes in the future, including the test cases we
add in this CL.

Fixes golang#39555.

Change-Id: I66a6919c2dd6d9789232482ba6cf3814eaa70f61
Reviewed-on: https://go-review.googlesource.com/c/go/+/237838
Run-TryBot: Daniel Martí <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Andrew Bonventre <[email protected]>
  • Loading branch information
mvdan committed Jun 15, 2020
1 parent 9340bd6 commit 11389ba
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 42 deletions.
74 changes: 32 additions & 42 deletions src/encoding/json/decode.go
Original file line number Diff line number Diff line change
Expand Up @@ -212,9 +212,6 @@ type decodeState struct {
savedError error
useNumber bool
disallowUnknownFields bool
// safeUnquote is the number of current string literal bytes that don't
// need to be unquoted. When negative, no bytes need unquoting.
safeUnquote int
}

// readIndex returns the position of the last byte read.
Expand Down Expand Up @@ -316,27 +313,13 @@ func (d *decodeState) rescanLiteral() {
Switch:
switch data[i-1] {
case '"': // string
// safeUnquote is initialized at -1, which means that all bytes
// checked so far can be unquoted at a later time with no work
// at all. When reaching the closing '"', if safeUnquote is
// still -1, all bytes can be unquoted with no work. Otherwise,
// only those bytes up until the first '\\' or non-ascii rune
// can be safely unquoted.
safeUnquote := -1
for ; i < len(data); i++ {
if c := data[i]; c == '\\' {
if safeUnquote < 0 { // first unsafe byte
safeUnquote = int(i - d.off)
}
switch data[i] {
case '\\':
i++ // escaped char
} else if c == '"' {
d.safeUnquote = safeUnquote
case '"':
i++ // tokenize the closing quote too
break Switch
} else if c >= utf8.RuneSelf {
if safeUnquote < 0 { // first unsafe byte
safeUnquote = int(i - d.off)
}
}
}
case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-': // number
Expand Down Expand Up @@ -695,7 +678,7 @@ func (d *decodeState) object(v reflect.Value) error {
start := d.readIndex()
d.rescanLiteral()
item := d.data[start:d.readIndex()]
key, ok := d.unquoteBytes(item)
key, ok := unquoteBytes(item)
if !ok {
panic(phasePanicMsg)
}
Expand Down Expand Up @@ -896,7 +879,7 @@ func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool
d.saveError(&UnmarshalTypeError{Value: val, Type: v.Type(), Offset: int64(d.readIndex())})
return nil
}
s, ok := d.unquoteBytes(item)
s, ok := unquoteBytes(item)
if !ok {
if fromQuoted {
return fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type())
Expand Down Expand Up @@ -947,7 +930,7 @@ func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool
}

case '"': // string
s, ok := d.unquoteBytes(item)
s, ok := unquoteBytes(item)
if !ok {
if fromQuoted {
return fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type())
Expand Down Expand Up @@ -1107,7 +1090,7 @@ func (d *decodeState) objectInterface() map[string]interface{} {
start := d.readIndex()
d.rescanLiteral()
item := d.data[start:d.readIndex()]
key, ok := d.unquote(item)
key, ok := unquote(item)
if !ok {
panic(phasePanicMsg)
}
Expand Down Expand Up @@ -1156,7 +1139,7 @@ func (d *decodeState) literalInterface() interface{} {
return c == 't'

case '"': // string
s, ok := d.unquote(item)
s, ok := unquote(item)
if !ok {
panic(phasePanicMsg)
}
Expand Down Expand Up @@ -1199,33 +1182,40 @@ func getu4(s []byte) rune {

// unquote converts a quoted JSON string literal s into an actual string t.
// The rules are different than for Go, so cannot use strconv.Unquote.
// The first byte in s must be '"'.
func (d *decodeState) unquote(s []byte) (t string, ok bool) {
s, ok = d.unquoteBytes(s)
func unquote(s []byte) (t string, ok bool) {
s, ok = unquoteBytes(s)
t = string(s)
return
}

func (d *decodeState) unquoteBytes(s []byte) (t []byte, ok bool) {
// We already know that s[0] == '"'. However, we don't know that the
// closing quote exists in all cases, such as when the string is nested
// via the ",string" option.
if len(s) < 2 || s[len(s)-1] != '"' {
func unquoteBytes(s []byte) (t []byte, ok bool) {
if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
return
}
s = s[1 : len(s)-1]

// If there are no unusual characters, no unquoting is needed, so return
// a slice of the original bytes.
r := d.safeUnquote
if r == -1 {
// Check for unusual characters. If there are none,
// then no unquoting is needed, so return a slice of the
// original bytes.
r := 0
for r < len(s) {
c := s[r]
if c == '\\' || c == '"' || c < ' ' {
break
}
if c < utf8.RuneSelf {
r++
continue
}
rr, size := utf8.DecodeRune(s[r:])
if rr == utf8.RuneError && size == 1 {
break
}
r += size
}
if r == len(s) {
return s, true
}
// Only perform up to one safe unquote for each re-scanned string
// literal. In some edge cases, the decoder unquotes a literal a second
// time, even after another literal has been re-scanned. Thus, only the
// first unquote can safely use safeUnquote.
d.safeUnquote = 0

b := make([]byte, len(s)+2*utf8.UTFMax)
w := copy(b, s[0:r])
Expand Down
16 changes: 16 additions & 0 deletions src/encoding/json/decode_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2472,6 +2472,22 @@ func TestUnmarshalRescanLiteralMangledUnquote(t *testing.T) {
if t1 != t2 {
t.Errorf("Marshal and Unmarshal roundtrip mismatch: want %q got %q", t1, t2)
}

// See golang.org/issues/39555.
input := map[textUnmarshalerString]string{"FOO": "", `"`: ""}

encoded, err := Marshal(input)
if err != nil {
t.Fatalf("Marshal unexpected error: %v", err)
}
var got map[textUnmarshalerString]string
if err := Unmarshal(encoded, &got); err != nil {
t.Fatalf("Unmarshal unexpected error: %v", err)
}
want := map[textUnmarshalerString]string{"foo": "", `"`: ""}
if !reflect.DeepEqual(want, got) {
t.Fatalf("Unexpected roundtrip result:\nwant: %q\ngot: %q", want, got)
}
}

func TestUnmarshalMaxDepth(t *testing.T) {
Expand Down

0 comments on commit 11389ba

Please sign in to comment.