string_decoder: fix bad utf8 character handling

[mscdex]

Checklist

• make -j4 test (UNIX) or vcbuild test nosign (Windows) passes
• a test and/or benchmark is included
• the commit message follows commit guidelines

Affected core subsystem(s)

• string_decoder

Description of change

This commit fixes an issue when extra utf8 continuation bytes appear at the end of a chunk of data, causing miscalculations to be made when checking how many bytes are needed to decode a complete
character.

Fixes: #7308

[mscdex]

/cc @gagern

[cjihrig]

Could you make these two assignments on separate lines here and below.

[mscdex]

I find this way describes the intention more succinctly.

[indutny]

This is against the code style though, not sure why we don't lint it.

[silverwind]

@indutny I'm not aware of a fitting rule in ESLint. Filed eslint/eslint#6424 for a rule proposal.

[cjihrig]

LGTM pending CI and a style fix.

[mscdex]

CI: https://ci.nodejs.org/job/node-test-pull-request/3004/

[Trott]

Why this change? And if needed, maybe leave the old test too?

[mscdex]

It's just making capitalization consistent with all of the other hex buffers.

[Trott]

I'd be inclined to leave it just to make sure that lower-case is tested. (I'm sure that under the hood, string_decoder delegates to buffer or whatever. So it's probably far-fetched that we'd be in a situation where lower-case was broken but upper-case still worked. But it doesn't cost anything to have that tiny bit of extra coverage and the change seems aesthetic only.)

While I have an opinion, I don't feel strongly enough about this to protest or anything. If you do feel strongly, feel free to leave it as you have it.

[mscdex]

I don't understand. The hex string is being passed to the Buffer creation function (Buffer.from()), not to the StringDecoder functions. That function has plenty of lowercase and uppercase hex string tests in the appropriate test-buffer* test files.

[Trott]

@mscdex Argh! You're right, of course. Ignore me.

[mscdex]

CI is green. /cc @nodejs/collaborators

[indutny]

One comment, otherwise LGTM.

[gagern]

I did some more tests in gagern/node@f3d4f2a. Observations:

• Input EC41 decodes incorrectly if decoded in two chunks. In that case, the ASCII byte gets turned into an U+FFFD as well. This is a regression compared to 6.2.0, too.
• (At some point I had thought that EDA0B5EDB08D, which is CESU-8 for U+1D40D, were behaving incorrectly as well. But I guess I got this wrong, the result is six U+FFFD consistently.)

[gagern]

I tried some more systematic testing in gagern/node@2e4bff1: using the bytes 00 41 b8 cc e2 f0 f1 fb as a hopefully representative set of input bytes likely to cause different behavior, I tried all byte sequences of length up to four and checked whether chunking had any effect. For the following byte sequences it had:

(e2|f0|f1)(00|41)
ccccb8
f[01](b8|cc)(00|41)
f[01]ccb8
f[01]fb(00|41)
(cc|e2)e2b8b8
e2(b8|e2)ccb8
e2fbcc(01|b8)

I'm not sure how much of this can be attributed to the same bug. I'm also not sure how much of this is a regression compared to 6.2.0. If you can afford the time, it might make sense to include some variant of this systematic testing code. If not, then at least try out the indicated problematic cases, and perhaps add them to the suite to guard against regressions. Is there some special test suite where lengthy tests can be placed, to be run occasionally without slowing down the main test suite?

I'm also somewhat concerned about the use of Buffer.allocUnsafe in there. Is there some machinery to check whether some given code reads some buffer content without writing it first, so that it could be affected by the random data potentially included in such a buffer?

[gagern]

@mscdex would you care to have a look at #7318? The fact that even after your fix there are so many possible breakages here made me have a closer look at the code, and come up with an alternate solution. I'd value your opinion on that.

[mscdex]

I've now included fixes for the other test cases that @gagern had created, which I have now included.

CI: https://ci.nodejs.org/job/node-test-pull-request/3025/

CI is green except for an unrelated test failure on Windows.

[jasnell]

LGTM

[mscdex]

@cjihrig @indutny Does this still LGTY after the additional changes?

[cjihrig]

Yea, LGTM. CI seemed happy.

[indutny]

Couldn't it still go negative here?

[mscdex]

No, because if execution has reached here, nb would have to be a 2, 3, or 4-byte character indicator. So self.lastNeed would range from 0 to 2.

[indutny]

Oh right, nb can't be 1.

[mscdex]

One last CI before landing, just in case: https://ci.nodejs.org/job/node-test-pull-request/3064/

EDIT: CI is green, but a few CI nodes are offline at the moment. Still enough coverage IMHO.

[MylesBorins]

@mscdex lts?

[mscdex]

@thealphanerd This PR is only relevant if #6777 is also landed, however that PR is currently marked as dont-land-on-v4.x to give the rewrite some time in non-LTS. If others are comfortable with the original StringDecoder rewrite now landing on LTS, then this would need to land also.

[MylesBorins]

@mscdex I'm going to mark this as dont-land for now as well. Would you like us to keep an issue in @nodejs/lts to keep track of the commits neccessary to backport the string_decoder changes?

[mscdex]

@thealphanerd Sure.

[gagern]

Will the 6.3.1 release be derived from current master, and hence contain this fix here? Or is the fix scheduled for 6.4.0?

[targos]

@gagern 6.3.0 already has the fix.

[gagern]

Ah thanks, @targos. I apparently only searched the changelog for #7308 and the 5e8cbd7 in master, so I missed the 962ac37 for #7310 that is listed. Sorry.