Bug 314529
| Summary: | codePointCompare dereferences pointer to unaligned ChunkType | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Xi Ruoyao <xry111> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Xi Ruoyao
The code reads:

```cpp
#if CPU(REGISTER64) && !CPU(NEEDS_ALIGNED_ACCESS) && CPU(LITTLE_ENDIAN)
    if constexpr (sizeof(CharacterType1) == sizeof(CharacterType2) && (sizeof(CharacterType1) == 1 || sizeof(CharacterType1) == 2)) {
        using ChunkType = std::conditional_t<sizeof(CharacterType1) == 1, uint32_t, uint64_t>;
        constexpr size_t stride = sizeof(ChunkType) / sizeof(CharacterType1);
        for (; position + (stride - 1) < commonLength;) {
            auto lhs = *std::bit_cast<const ChunkType*>(characters1Ptr);
            auto rhs = *std::bit_cast<const ChunkType*>(characters2Ptr);
            ... ...
```
Even though it's only applied for CPUs not requiring aligned access, dereferencing const ChunkType* causes the compiler to assume the address is naturally aligned for ChunkType and make optimizations based on this assumption. For example, with GCC 16 and -mavx, the loop is optimized to use a 256-bit vmovdqa after handling 0-3 64-bit scalars, causing a segfault.
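An added illustration (not WebKit's code) of the pattern the report describes next to the alignment-agnostic alternative: a memcpy-based load tells the compiler nothing about the address, so it cannot emit an aligned vector load on a false assumption, whereas dereferencing a cast pointer promises alignment the address may not have. Function names, the chunked compare and the 2-byte-aligned (but not 8-byte-aligned) UTF-16 buffers are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <type_traits>

// Alignment-safe load: memcpy makes no alignment promise about `p`, so the
// compiler must emit a load that is legal for whatever address it gets.
template <typename ChunkType>
ChunkType loadUnaligned(const void* p)
{
    ChunkType value;
    std::memcpy(&value, p, sizeof value);
    return value;
}

// The pattern from the report (std::bit_cast there, reinterpret_cast here):
// the dereference asserts `p` is aligned for ChunkType, which is undefined
// behaviour when it is not. Shown for contrast only; never called below.
template <typename ChunkType>
ChunkType loadAssumingAligned(const void* p)
{
    return *reinterpret_cast<const ChunkType*>(p);
}

// Lexicographic compare of two equal-width code-unit runs, chunked like the
// report: 32-bit chunks for 8-bit units, 64-bit chunks for 16-bit units.
// Returns -1, 0 or 1. Assumes a little-endian host, as the original #if does.
template <typename CharacterType>
int compareCodeUnits(const CharacterType* a, const CharacterType* b, std::size_t length)
{
    using ChunkType = std::conditional_t<sizeof(CharacterType) == 1, std::uint32_t, std::uint64_t>;
    constexpr std::size_t stride = sizeof(ChunkType) / sizeof(CharacterType);
    std::size_t position = 0;
    for (; position + (stride - 1) < length; position += stride) {
        if (loadUnaligned<ChunkType>(a + position) != loadUnaligned<ChunkType>(b + position))
            break; // some unit in this chunk differs; the scalar tail locates it
    }
    for (; position < length; ++position) {
        if (a[position] != b[position])
            return a[position] < b[position] ? -1 : 1;
    }
    return 0;
}

// Constructed case: UTF-16 runs starting one unit into 8-byte-aligned buffers,
// so each start address is 2-byte aligned but not aligned for a 64-bit chunk.
int compareMisalignedUtf16(bool makeDifferent)
{
    alignas(8) std::uint16_t bufferA[10] = { 0, 'w', 'e', 'b', 'k', 'i', 't', '-', '1', 0 };
    alignas(8) std::uint16_t bufferB[10] = { 0, 'w', 'e', 'b', 'k', 'i', 't', '-', '1', 0 };
    if (makeDifferent)
        bufferB[6] = 'T'; // 't' -> 'T' inside the second 64-bit chunk
    return compareCodeUnits<std::uint16_t>(bufferA + 1, bufferB + 1, 8);
}
```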
EWS
Committed 313136@main (54862905a65e): <https://commits.webkit.org/313136@main>
Reviewed commits have been landed. Closing PR #64655 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/176952645>