[webkit-reviews] review denied: [Bug 226503] Fix inadvertent tag corruption in functionAddressOf : [Attachment 430274] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 1 14:25:35 PDT 2021

Darin Adler <darin at apple.com> has denied Mikhail R. Gadelha
<mikhail at igalia.com>'s request for review:
Bug 226503: Fix inadvertent tag corruption in functionAddressOf

Attachment 430274: Patch


--- Comment #3 from Darin Adler <darin at apple.com> ---
Comment on attachment 430274
  --> https://bugs.webkit.org/attachment.cgi?id=430274

View in context: https://bugs.webkit.org/attachment.cgi?id=430274&action=review

> Source/JavaScriptCore/jsc.cpp:1493
> +#if USE(JSVALUE32_64)
> +    // In 32 bits, asCell() returns a pointer to the payload and using
> +    // will sign extend asNumber to FFFF FFFF + <value-address>, which will
fail the
> +    // isImpureNaN check in jsNumber. To prevent that, first
reinterpret_cast the address 
> +    // to uint32_t then cast it to uint64_t. AddressOf in 32 bits will
return the same 
> +    // address returned by describe() but in double
> +    uint64_t asNumber =
> +#else
>      // Need to cast to uint64_t so bitwise_cast will play along.
>      uint64_t asNumber = reinterpret_cast<uint64_t>(value.asCell());
> +#endif

Better fix is to just replace the incorrect <uint64_t> with the correct
<uintptr_t> instead of adding code and comments. No need to use static_cast to
expand a 32-bit unsigned int to 64-bit.

More information about the webkit-reviews mailing list