[webkit-reviews] review denied: [Bug 226503] Fix inadvertent tag corruption in functionAddressOf : [Attachment 430274] Patch
bugzilla-daemon at webkit.org
Tue Jun 1 14:25:35 PDT 2021
Darin Adler <darin at apple.com> has denied Mikhail R. Gadelha
<mikhail at igalia.com>'s request for review:
Bug 226503: Fix inadvertent tag corruption in functionAddressOf
https://bugs.webkit.org/show_bug.cgi?id=226503
Attachment 430274: Patch
https://bugs.webkit.org/attachment.cgi?id=430274&action=review
--- Comment #3 from Darin Adler <darin at apple.com> ---
Comment on attachment 430274
--> https://bugs.webkit.org/attachment.cgi?id=430274
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=430274&action=review
> Source/JavaScriptCore/jsc.cpp:1493
> +#if USE(JSVALUE32_64)
> + // In 32 bits, asCell() returns a pointer to the payload and using
reinterpret_cast
> + // will sign extend asNumber to FFFF FFFF + <value-address>, which will
fail the
> + // isImpureNaN check in jsNumber. To prevent that, first
reinterpret_cast the address
> + // to uint32_t then cast it to uint64_t. AddressOf in 32 bits will
return the same
> + // address returned by describe() but in double
> + uint64_t asNumber =
static_cast<uint64_t>(reinterpret_cast<uint32_t>(value.asCell()));
> +#else
> // Need to cast to uint64_t so bitwise_cast will play along.
> uint64_t asNumber = reinterpret_cast<uint64_t>(value.asCell());
> +#endif
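Review bot: the `#if USE(JSVALUE32_64)` branch introduces a second copy of the assignment plus a six-line comment to avoid the sign extension, but a single `uint64_t asNumber = reinterpret_cast<uintptr_t>(value.asCell());` gives the zero-extended value on both configurations, because `uintptr_t` matches the pointer width and the implicit widening to `uint64_t` zero-extends, so the existing one-line comment about `bitwise_cast` could stay and the `#if`/`#else` could go. If a comment is kept, its "will sign extend" wording should say that widening a pointer directly to an integer wider than the pointer is implementation-defined, which is the actual reason to go through the pointer-sized unsigned integer first.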
Better fix is to just replace the incorrect <uint64_t> with the correct
<uintptr_t> instead of adding code and comments. No need to use static_cast to
expand a 32-bit unsigned int to 64-bit.
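An added example (not code from the WebKit patch or from JSC) that reproduces the widening problem the hunk comment describes on a simulated 32-bit cell address, so it runs on a 64-bit host; `isImpureNaNModel` is an assumption modelled on JSC's check, whose definition the page does not show, and the address value is constructed.

```cpp
#include <cstdint>
#include <cstring>

// Assumption: modelled on JSC's isImpureNaN, which rejects NaN bit patterns
// that would collide with the JSValue encoding (top 16 bits >= 0xfffe).
static bool isImpureNaNModel(double d)
{
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits >= 0xfffe000000000000ull;
}

// Bit-for-bit reinterpretation, the job bitwise_cast does in the patch.
static double bitsToDouble(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// What a direct reinterpret_cast<uint64_t> of a 32-bit pointer yields on a
// compiler that sign-extends pointer-to-wider-integer conversions: any
// address with the top bit set gets 0xFFFFFFFF in the upper half.
static uint64_t widenSignExtended(uint32_t address)
{
    return (address & 0x80000000u) ? (0xFFFFFFFF00000000ull | address) : address;
}

// The patch's path (and the reviewer's uintptr_t form): widen from an
// unsigned pointer-sized integer, so the upper 32 bits are always zero.
static uint64_t widenZeroExtended(uint32_t address)
{
    return static_cast<uint64_t>(address);   // implicit widening does the same
}

// True when the resulting double would pass the impure-NaN check, i.e. when
// AddressOf could hand the address back as a plain JS number.
static bool addressSurvivesAsDouble(uint64_t asNumber)
{
    return !isImpureNaNModel(bitsToDouble(asNumber));
}
```

Only addresses at or above 0x80000000 are affected; a sign-extended address below that widens to the same bits as the zero-extended one, which is why the bug only shows up for some allocations.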