Bug 314529 - codePointCompare dereferences pointer to unaligned ChunkType
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=314529
Xi Ruoyao
Reported 2026-05-10 22:15:28 PDT
The code reads:

    #if CPU(REGISTER64) && !CPU(NEEDS_ALIGNED_ACCESS) && CPU(LITTLE_ENDIAN)
        if constexpr (sizeof(CharacterType1) == sizeof(CharacterType2) && (sizeof(CharacterType1) == 1 || sizeof(CharacterType1) == 2)) {
            using ChunkType = std::conditional_t<sizeof(CharacterType1) == 1, uint32_t, uint64_t>;
            constexpr size_t stride = sizeof(ChunkType) / sizeof(CharacterType1);
            for (; position + (stride - 1) < commonLength;) {
                auto lhs = *std::bit_cast<const ChunkType*>(characters1Ptr);
                auto rhs = *std::bit_cast<const ChunkType*>(characters2Ptr);
                ...
    ...

Even though it's only applied for CPUs not requiring aligned access, dereferencing const ChunkType* causes the compiler to assume the address is naturally aligned for ChunkType and make optimizations based on this assumption. For example, with GCC 16 and -mavx, the loop is optimized to use a 256-bit vmovdqa after handling 0-3 64-bit scalars, causing a segfault.
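Added example, not code from this bug or from WebKit: the same chunked equal-width compare written around a memcpy-based load, which is the conventional way to read a ChunkType through a pointer that is only guaranteed aligned for the character type. The names loadUnaligned, chunkedCompare and compareAsUTF16AtOffset are hypothetical, and the sample strings are constructed; the demo places 16-bit data at element offsets 1 to 3 so the pointers are aligned for uint16_t but not for the 8-byte chunk, the situation the report describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

// Alignment-agnostic load. memcpy carries no alignment promise, so the
// compiler cannot assume `p` is naturally aligned for T; at -O2 it still
// compiles to a plain scalar load on x86-64 and AArch64.
template<typename T>
static inline T loadUnaligned(const void* p)
{
    static_assert(std::is_trivially_copyable<T>::value, "T must be trivially copyable");
    T value;
    std::memcpy(&value, p, sizeof value);
    return value;
}

// Hypothetical reimplementation of the chunked compare in the report (not
// WebKit's code): compare `length` units of equal width a chunk at a time
// (4 bytes for 8-bit units, 8 bytes for 16-bit units), then finish the
// tail unit by unit. Returns <0, 0 or >0 like strcmp.
template<typename CharacterType>
int chunkedCompare(const CharacterType* a, const CharacterType* b, size_t length)
{
    static_assert(sizeof(CharacterType) == 1 || sizeof(CharacterType) == 2, "8- or 16-bit units only");
    using ChunkType = std::conditional_t<sizeof(CharacterType) == 1, uint32_t, uint64_t>;
    constexpr size_t stride = sizeof(ChunkType) / sizeof(CharacterType);
    size_t position = 0;
    for (; position + (stride - 1) < length; position += stride) {
        // `a + position` is aligned for CharacterType only; loading it via
        // memcpy instead of *reinterpret_cast<const ChunkType*>() keeps the
        // compiler from assuming ChunkType alignment (and vectorising on it).
        ChunkType lhs = loadUnaligned<ChunkType>(a + position);
        ChunkType rhs = loadUnaligned<ChunkType>(b + position);
        if (lhs != rhs)
            break; // the differing unit lies in this chunk; locate it below
    }
    for (; position < length; ++position) {
        if (a[position] != b[position])
            return a[position] < b[position] ? -1 : 1;
    }
    return 0;
}

// Demo harness with constructed input: two same-length ASCII strings are
// widened into 16-bit buffers starting at element `offset`, so for offset
// 1..3 the data is aligned for uint16_t but not for the 8-byte ChunkType.
// Returns the comparison result, or 2 for unsupported input.
int compareAsUTF16AtOffset(const char* first, const char* second, size_t offset)
{
    alignas(16) uint16_t backing1[64] = {};
    alignas(16) uint16_t backing2[64] = {};
    size_t length = std::strlen(first);
    if (length != std::strlen(second) || offset + length > 64)
        return 2;
    for (size_t i = 0; i < length; ++i) {
        backing1[offset + i] = static_cast<unsigned char>(first[i]);
        backing2[offset + i] = static_cast<unsigned char>(second[i]);
    }
    return chunkedCompare(backing1 + offset, backing2 + offset, length);
}

int main()
{
    for (size_t offset = 0; offset < 4; ++offset)
        std::printf("offset %zu: %d %d %d\n", offset,
            compareAsUTF16AtOffset("hello world", "hello world", offset),
            compareAsUTF16AtOffset("hello world", "hallo world", offset),
            compareAsUTF16AtOffset("hello world", "hello worle", offset));
    return 0;
}
```

The memcpy form costs nothing on the targets the original #if selects (the compiler emits the same single scalar load), but it denies the optimizer the alignment fact that let it switch to an aligned vector move. A cheap way to catch the dereference form before a vectorizer does is to build tests with -fsanitize=alignment, which reports a misaligned load at runtime even on CPUs that would otherwise tolerate it.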
EWS
Comment 1 2026-05-12 23:43:30 PDT
Committed 313136@main (54862905a65e): <https://commits.webkit.org/313136@main> Reviewed commits have been landed. Closing PR #64655 and removing active labels.
Radar WebKit Bug Importer
Comment 2 2026-05-12 23:44:12 PDT