[Webkit-unassigned] [Bug 226503] Fix inadvertent tag corruption in functionAddressOf
bugzilla-daemon at webkit.org
Tue Jun 1 14:25:35 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=226503
Darin Adler <darin at apple.com> changed:
What                     | Removed | Added
-------------------------|---------|-------------------
CC                       |         | darin at apple.com
Attachment #430274 Flags | review? | review-
--- Comment #3 from Darin Adler <darin at apple.com> ---
Comment on attachment 430274
--> https://bugs.webkit.org/attachment.cgi?id=430274
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=430274&action=review
> Source/JavaScriptCore/jsc.cpp:1493
> +#if USE(JSVALUE32_64)
> + // In 32 bits, asCell() returns a pointer to the payload and using reinterpret_cast
> + // will sign extend asNumber to FFFF FFFF + <value-address>, which will fail the
> + // isImpureNaN check in jsNumber. To prevent that, first reinterpret_cast the address
> + // to uint32_t then cast it to uint64_t. AddressOf in 32 bits will return the same
> + // address returned by describe() but in double
> + uint64_t asNumber = static_cast<uint64_t>(reinterpret_cast<uint32_t>(value.asCell()));
> +#else
> // Need to cast to uint64_t so bitwise_cast will play along.
> uint64_t asNumber = reinterpret_cast<uint64_t>(value.asCell());
> +#endif
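Review bot: the `#if USE(JSVALUE32_64)` branch around `+ uint64_t asNumber = static_cast<uint64_t>(reinterpret_cast<uint32_t>(value.asCell()));` duplicates the assignment to work around a cast that was wrong in the first place: `reinterpret_cast<uint64_t>` of a 32-bit pointer is what produces the sign-extended `FFFF FFFF` upper half described in the new comment. Converting the pointer to `uintptr_t` instead, `uint64_t asNumber = reinterpret_cast<uintptr_t>(value.asCell());`, zero-extends on 32-bit targets and is a no-op widening on 64-bit ones, so the conditional, the second `reinterpret_cast`, and the six-line comment can all be dropped in favour of that single line. The `reinterpret_cast<uint32_t>` form also only compiles where a pointer is exactly 32 bits wide, which ties the code to pointer width rather than to the value representation the macro actually selects.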
Better fix is to just replace the incorrect <uint64_t> with the correct <uintptr_t> instead of adding code and comments. No need to use static_cast to expand a 32-bit unsigned int to 64-bit.