Bug 129746

Summary:

JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	fpizlo: review+

Description Michael Saboff 2014-03-05 10:54:35 PST

In runtime/JSDataViewPrototype.cpp getData() and setData() us reinterpret_cast from uint8_t* to the various native data types needed to implement the various get*() and set*() DataView methods.  For platforms that don't allow aligned accesses, this will cause a crash.

Comment 1 Michael Saboff 2014-03-05 11:18:08 PST

Created attachment 225894 [details]
Patch

Comment 2 Filip Pizlo 2014-03-05 11:40:43 PST

Comment on attachment 225894 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=225894&action=review

R=me if you add some squigles.

> Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp:181
>      if (needToFlipBytesIfLittleEndian(littleEndian))
> -        value = flipBytes(value);
> -    
> -    *reinterpret_cast<typename Adaptor::Type*>(static_cast<uint8_t*>(dataView->vector()) + byteOffset) = value;
> -    
> +        for (unsigned i = dataSize; i--;)
> +            *dataPtr++ = u.rawBytes[i];
> +    else
> +        for (unsigned i = 0; i < dataSize; i++)
> +            *dataPtr++ = u.rawBytes[i];

You need some squigly braces {} here.

Comment 3 Michael Saboff 2014-03-05 12:55:57 PST

Committed r165121: <http://trac.webkit.org/changeset/165121>