Bug 129746

Summary:

JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	fpizlo: review+

Michael Saboff

Reported 2014-03-05 10:54:35 PST

In runtime/JSDataViewPrototype.cpp getData() and setData() us reinterpret_cast from uint8_t* to the various native data types needed to implement the various get*() and set*() DataView methods. For platforms that don't allow aligned accesses, this will cause a crash.

Attachments
Patch (20.57 KB, patch) 2014-03-05 11:18 PST, Michael Saboff	fpizlo: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2014-03-05 11:18:08 PST

Created attachment 225894 [details] Patch

Filip Pizlo

Comment 2 2014-03-05 11:40:43 PST

Comment on attachment 225894 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=225894&action=review R=me if you add some squigles. > Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp:181 > if (needToFlipBytesIfLittleEndian(littleEndian)) > - value = flipBytes(value); > - > - *reinterpret_cast<typename Adaptor::Type*>(static_cast<uint8_t*>(dataView->vector()) + byteOffset) = value; > - > + for (unsigned i = dataSize; i--;) > + *dataPtr++ = u.rawBytes[i]; > + else > + for (unsigned i = 0; i < dataSize; i++) > + *dataPtr++ = u.rawBytes[i]; You need some squigly braces {} here.

Michael Saboff

Comment 3 2014-03-05 12:55:57 PST

Committed r165121: <http://trac.webkit.org/changeset/165121>

Note You need to log in before you can comment on or make changes to this bug.