[41/56] json: Nicer recovery from invalid leading zero

Message ID	20180808120334.10970-42-armbru@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Markus Armbruster <armbru@redhat.com> To: qemu-devel@nongnu.org Date: Wed, 8 Aug 2018 14:03:19 +0200 Message-Id: <20180808120334.10970-42-armbru@redhat.com> In-Reply-To: <20180808120334.10970-1-armbru@redhat.com> References: <20180808120334.10970-1-armbru@redhat.com> Subject: [Qemu-devel] [PATCH 41/56] json: Nicer recovery from invalid leading zero Precedence: list Cc: marcandre.lureau@redhat.com, mdroth@linux.vnet.ibm.com Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	json: Fixes, error reporting improvements, cleanups \| expand [00/56] json: Fixes, error reporting improvements, cleanups [01/56] check-qjson: Cover multiple JSON objects in same string [02/56] check-qjson: Cover blank and lexically erroneous input [03/56] check-qjson: Cover whitespace more thoroughly [04/56] qmp-cmd-test: Split off qmp-test [05/56] qmp-test: Cover syntax and lexical errors [06/56] test-qga: Clean up how we test QGA synchronization [07/56] check-qjson: Cover escaped characters more thoroughly, part 1 [08/56] check-qjson: Streamline escaped_string()'s test strings [09/56] check-qjson: Cover escaped characters more thoroughly, part 2 [10/56] check-qjson: Drop redundant string tests [11/56] check-qjson: Cover UTF-8 in single quoted strings [12/56] check-qjson: Simplify utf8_string() [13/56] check-qjson: Fix utf8_string() to test all invalid sequences [14/56] check-qjson qmp-test: Cover control characters more thoroughly [15/56] check-qjson: Cover interpolation more thoroughly [16/56] json: Fix lexer to include the bad character in JSON_ERROR token [17/56] json: Reject unescaped control characters [18/56] json: Revamp lexer documentation [19/56] json: Tighten and simplify qstring_from_escaped_str()'s loop [20/56] check-qjson: Document we expect invalid UTF-8 to be rejected [21/56] json: Reject invalid UTF-8 sequences [22/56] json: Report first rather than last parse error [23/56] json: Leave rejecting invalid UTF-8 to parser [24/56] json: Accept overlong \xC0\x80 as U+0000 ("modified UTF-8") [25/56] json: Leave rejecting invalid escape sequences to parser [26/56] json: Simplify parse_string() [27/56] json: Reject invalid \uXXXX, fix \u0000 [28/56] json: Fix \uXXXX for surrogate pairs [29/56] check-qjson: Fix and enable utf8_string()'s disabled part [30/56] json: remove useless return value from lexer/parser [31/56] json-parser: simplify and avoid JSONParserContext allocation [32/56] json: Have lexer call streamer directly [33/56] json: Redesign the callback to consume JSON values [34/56] json: Don't pass null @tokens to json_parser_parse() [35/56] json: Don't create JSON_ERROR tokens that won't be used [36/56] json: Rename token JSON_ESCAPE & friends to JSON_INTERPOL [37/56] json: Treat unwanted interpolation as lexical error [38/56] json: Pass lexical errors and limit violations to callback [39/56] json: Leave rejecting invalid interpolation to parser [40/56] json: Replace %I64d, %I64u by %PRId64, %PRIu64 [41/56] json: Nicer recovery from invalid leading zero [42/56] json: Improve names of lexer states related to numbers [43/56] qjson: Fix qobject_from_json() & friends for multiple values [44/56] json: Fix latent parser aborts at end of input [45/56] json: Fix streamer not to ignore trailing unterminated structures [46/56] json: Assert json_parser_parse() consumes all tokens on success [47/56] qjson: Have qobject_from_json() & friends reject empty and blank [48/56] json: Enforce token count and size limits more tightly [49/56] json: Streamline json_message_process_token() [50/56] json: Unbox tokens queue in JSONMessageParser [51/56] json: Eliminate lexer state IN_ERROR and pseudo-token JSON_MIN [52/56] json: Eliminate lexer state IN_WHITESPACE, pseudo-token JSON_SKIP [53/56] json: Make JSONToken opaque outside json-parser.c [54/56] qobject: Drop superfluous includes of qemu-common.h [55/56] json: Clean up headers [56/56] docs/interop/qmp-spec: How to force known good parser state

Message ID

20180808120334.10970-42-armbru@redhat.com

State

New

Headers

From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Date: Wed,  8 Aug 2018 14:03:19 +0200
Message-Id: <20180808120334.10970-42-armbru@redhat.com>
In-Reply-To: <20180808120334.10970-1-armbru@redhat.com>
References: <20180808120334.10970-1-armbru@redhat.com>
Subject: [Qemu-devel] [PATCH 41/56] json: Nicer recovery from invalid
	leading zero
Precedence: list
Cc: marcandre.lureau@redhat.com, mdroth@linux.vnet.ibm.com
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

json: Fixes, error reporting improvements, cleanups | expand

Commit Message

Markus Armbruster Aug. 8, 2018, 12:03 p.m. UTC

For input 0123, the lexer produces the tokens

    JSON_ERROR    01
    JSON_INTEGER  23

Reporting an error is correct; 0123 is invalid according to RFC 7159.
But the error recovery isn't nice.

Make the finite state machine eat digits before going into the error
state.  The lexer now produces

    JSON_ERROR    0123

Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
 qobject/json-lexer.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Eric Blake Aug. 13, 2018, 4:33 p.m. UTC | #1

On 08/08/2018 07:03 AM, Markus Armbruster wrote:
> For input 0123, the lexer produces the tokens
> 
>      JSON_ERROR    01
>      JSON_INTEGER  23
> 
> Reporting an error is correct; 0123 is invalid according to RFC 7159.
> But the error recovery isn't nice.
> 
> Make the finite state machine eat digits before going into the error
> state.  The lexer now produces
> 
>      JSON_ERROR    0123
> 
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
>   qobject/json-lexer.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 

> @@ -158,10 +159,14 @@ static const uint8_t json_lexer[][256] =  {
>       /* Zero */
>       [IN_ZERO] = {
>           TERMINAL(JSON_INTEGER),
> -        ['0' ... '9'] = IN_ERROR,
> +        ['0' ... '9'] = IN_BAD_ZERO,
>           ['.'] = IN_MANTISSA,
>       },
>   
> +    [IN_BAD_ZERO] = {
> +        ['0' ... '9'] = IN_BAD_ZERO,
> +    },
> +

Should IN_BAD_ZERO also consume '.' and/or 'e' (after all, '01e2 is a 
valid C constant, but not a valid JSON literal)?  But I think your 
choice here is fine (again, add too much, and then the lexer has to 
track a lot of state; whereas this minimal addition catches the most 
obvious things with little effort).

Reviewed-by: Eric Blake <eblake@redhat.com>

Markus Armbruster Aug. 14, 2018, 8:24 a.m. UTC | #2

Eric Blake <eblake@redhat.com> writes:

> On 08/08/2018 07:03 AM, Markus Armbruster wrote:
>> For input 0123, the lexer produces the tokens
>>
>>      JSON_ERROR    01
>>      JSON_INTEGER  23
>>
>> Reporting an error is correct; 0123 is invalid according to RFC 7159.
>> But the error recovery isn't nice.
>>
>> Make the finite state machine eat digits before going into the error
>> state.  The lexer now produces
>>
>>      JSON_ERROR    0123
>>
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>> ---
>>   qobject/json-lexer.c | 7 ++++++-
>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>
>
>> @@ -158,10 +159,14 @@ static const uint8_t json_lexer[][256] =  {
>>       /* Zero */
>>       [IN_ZERO] = {
>>           TERMINAL(JSON_INTEGER),
>> -        ['0' ... '9'] = IN_ERROR,
>> +        ['0' ... '9'] = IN_BAD_ZERO,
>>           ['.'] = IN_MANTISSA,
>>       },
>>   +    [IN_BAD_ZERO] = {
>> +        ['0' ... '9'] = IN_BAD_ZERO,
>> +    },
>> +
>
> Should IN_BAD_ZERO also consume '.' and/or 'e' (after all, '01e2 is a
> valid C constant, but not a valid JSON literal)?  But I think your
> choice here is fine (again, add too much, and then the lexer has to
> track a lot of state; whereas this minimal addition catches the most
> obvious things with little effort).

My patch is of marginal value to begin with.  It improves error recovery
only for the "integer with redundant leading zero" case.  I guess that's
more common than "floating-point with redundant leading zero".

An obvious way to extend it to "number with redundant leading zero"
would be cloning the lexer states related to numbers.  Clean, but six
more states.  Meh.

Another way is to dumb down the lexer not to care about leading zero,
and catch it in parse_literal() instead.  Basically duplicates the lexer
state machine up to where leading zero is recognized.  Not much code,
but meh.

Yet another way is to have the lexer eat "digit salad" after redundant
leading zero:

    [IN_BAD_ZERO] = {
        ['0' ... '9'] = IN_BAD_ZERO,
        ['.'] = IN_BAD_ZERO,
        ['e'] = IN_BAD_ZERO,
        ['-'] = IN_BAD_ZERO,
        ['+'] = IN_BAD_ZERO,
    },

Eats even crap like 01e...  But then the same crap without leading zero
should also be eaten.  We'd have to add state transitions to IN_BAD_ZERO
to the six states related to numbers.  Perhaps clever use of gcc's range
initialization lets us do this compactly.  Otherwise, meh again.

Opinions?

I'd also be fine with dropping this patch.

> Reviewed-by: Eric Blake <eblake@redhat.com>

Thanks!

Eric Blake Aug. 14, 2018, 1:14 p.m. UTC | #3

On 08/14/2018 03:24 AM, Markus Armbruster wrote:
>> Should IN_BAD_ZERO also consume '.' and/or 'e' (after all, '01e2 is a
>> valid C constant, but not a valid JSON literal)?  But I think your
>> choice here is fine (again, add too much, and then the lexer has to
>> track a lot of state; whereas this minimal addition catches the most
>> obvious things with little effort).
> 
> My patch is of marginal value to begin with.  It improves error recovery
> only for the "integer with redundant leading zero" case.  I guess that's
> more common than "floating-point with redundant leading zero".

Yes, that was my thought.

> 
> An obvious way to extend it to "number with redundant leading zero"
> would be cloning the lexer states related to numbers.  Clean, but six
> more states.  Meh.
> 
> Another way is to dumb down the lexer not to care about leading zero,
> and catch it in parse_literal() instead.  Basically duplicates the lexer
> state machine up to where leading zero is recognized.  Not much code,
> but meh.
> 
> Yet another way is to have the lexer eat "digit salad" after redundant
> leading zero:
> 
>      [IN_BAD_ZERO] = {
>          ['0' ... '9'] = IN_BAD_ZERO,
>          ['.'] = IN_BAD_ZERO,
>          ['e'] = IN_BAD_ZERO,
>          ['-'] = IN_BAD_ZERO,
>          ['+'] = IN_BAD_ZERO,
>      },
> 
> Eats even crap like 01e...  But then the same crap without leading zero
> should also be eaten.  We'd have to add state transitions to IN_BAD_ZERO
> to the six states related to numbers.  Perhaps clever use of gcc's range
> initialization lets us do this compactly.  Otherwise, meh again.
> 
> Opinions?

Of the various options, the patch as written seems to be the most 
minimal. Maybe tweak the commit message to call out other cases that we 
discussed as not worth doing, because the likelihood of such input is 
dramatically less.

About the only other improvement that might be worth making is adding:

[IN_BAD_ZERO] = {
   ['x'] = IN_BAD_ZERO,
   ['X'] = IN_BAD_ZERO,
   ['a' ... 'f'] = IN_BAD_ZERO,
   ['A' ... 'F'] = IN_BAD_ZERO,
}

to catch people typing JSON by hand and thinking that a hex constant 
will work.  That way, '0x1a' gets parsed as a single JSON_ERROR token, 
rather than four separate tokens of JSON_INTEGER, JSON_KEYWORD, 
JSON_INTEGER, JSON_KEYWORD (where you get the semantic error due to 
JSON_KEYWORD unexpected).

> 
> I'd also be fine with dropping this patch.

No, I like it, especially if you also like my suggestion to make error 
reporting on hex numbers resemble error reporting on octal numbers.

> 
>> Reviewed-by: Eric Blake <eblake@redhat.com>
> 
> Thanks!
>

diff --git a/qobject/json-lexer.c b/qobject/json-lexer.c
index 7a82aab88b..f600cc732e 100644
--- a/qobject/json-lexer.c
+++ b/qobject/json-lexer.c
@@ -108,6 +108,7 @@  enum json_lexer_state {
     IN_SQ_STRING_ESCAPE,
     IN_SQ_STRING,
     IN_ZERO,
+    IN_BAD_ZERO,
     IN_DIGITS,
     IN_DIGIT,
     IN_EXP_E,
@@ -158,10 +159,14 @@  static const uint8_t json_lexer[][256] =  {
     /* Zero */
     [IN_ZERO] = {
         TERMINAL(JSON_INTEGER),
-        ['0' ... '9'] = IN_ERROR,
+        ['0' ... '9'] = IN_BAD_ZERO,
         ['.'] = IN_MANTISSA,
     },
 
+    [IN_BAD_ZERO] = {
+        ['0' ... '9'] = IN_BAD_ZERO,
+    },
+
     /* Float */
     [IN_DIGITS] = {
         TERMINAL(JSON_FLOAT),

[41/56] json: Nicer recovery from invalid leading zero

Commit Message

Comments

Patch