Fix unsafe memory load/store from the argument encoder/decoder affecting ARM

https://bugs.webkit.org/show_bug.cgi?id=125674 Patch by Benjamin Poulain <bpoulain@apple.com> on 2013-12-12 Reviewed by Darin Adler. Depending on the CPU and CPU config, load and store may have to be aligned. The argument buffer has no particular alignment which can cause problems. In this case, on ARMv7, strd and ldrd can have alignment restriction on 16 bytes. The code encoding double and 64 bits integers was causing bugs. To avoid problems, the encoders/decoders are modified to just use memcpy. The compiler optimizes it away for the right instructions (clang uses two ldr/str in the case of 64bits values on ARMv7). * Platform/CoreIPC/ArgumentDecoder.cpp: (CoreIPC::decodeValueFromBuffer): (CoreIPC::ArgumentDecoder::decode): * Platform/CoreIPC/ArgumentEncoder.cpp: (CoreIPC::copyValueToBuffer): (CoreIPC::ArgumentEncoder::encode): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160529 268f45cc-cd09-0410-ab3c-d52691b4dbfc Task-number: QTBUG-44740 Change-Id: I9bd448cbfc524c62bdf4bfaad52fa194d8159726 Reviewed-by: Julien Brianceau <jbriance@cisco.com> Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
author: Benjamin Poulain <bpoulain@apple.com> 2015-03-02 11:53:13 +0100
committer: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2015-03-03 10:16:23 +0000
commit: 3f0f7b59582197ca651b8aaeea17fd76b9a35b9c (patch)
tree: 5f74b5a989e25a1127a1a973a8e1b272d00bcc0c
parent: 9c37660832d74ac696b5238640193646485664f8 (diff)
2 files changed, 34 insertions, 39 deletions
diff --git a/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
index e23d28a2c..73da9c914 100644
--- a/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -129,13 +129,19 @@ bool ArgumentDecoder::decodeVariableLengthByteArray(DataReference& dataReference
     return true;
 }
 
+template<typename Type>
+static void decodeValueFromBuffer(Type& value, uint8_t*& bufferPosition)
+{
+    memcpy(&value, bufferPosition, sizeof(value));
+    bufferPosition += sizeof(Type);
+}
+
 bool ArgumentDecoder::decode(bool& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast<bool*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -144,8 +150,7 @@ bool ArgumentDecoder::decode(uint8_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
 
-    result = *reinterpret_cast<uint8_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -154,8 +159,7 @@ bool ArgumentDecoder::decode(uint16_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
 
-    result = *reinterpret_cast_ptr<uint16_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -163,9 +167,8 @@ bool ArgumentDecoder::decode(uint32_t& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
-    
-    result = *reinterpret_cast_ptr<uint32_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -174,8 +177,7 @@ bool ArgumentDecoder::decode(uint64_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast_ptr<uint64_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -184,8 +186,7 @@ bool ArgumentDecoder::decode(int32_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast_ptr<uint32_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -193,9 +194,8 @@ bool ArgumentDecoder::decode(int64_t& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
-    
-    result = *reinterpret_cast_ptr<uint64_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -203,9 +203,8 @@ bool ArgumentDecoder::decode(float& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
-    
-    result = *reinterpret_cast_ptr<float*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -214,8 +213,7 @@ bool ArgumentDecoder::decode(double& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast_ptr<double*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
diff --git a/Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.cpp b/Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.cpp
index 43246f4b5..f6a065b60 100644
--- a/Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.cpp
+++ b/Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.cpp
@@ -128,67 +128,64 @@ void ArgumentEncoder::encodeVariableLengthByteArray(const DataReference& dataRef
     encodeFixedLengthData(dataReference.data(), dataReference.size(), 1);
 }
 
+template<typename Type>
+static void copyValueToBuffer(Type value, uint8_t* bufferPosition)
+{
+    memcpy(bufferPosition, &value, sizeof(Type));
+}
+
 void ArgumentEncoder::encode(bool n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast<bool*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint8_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast<uint8_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint16_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast_ptr<uint16_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint32_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<uint32_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint64_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<uint64_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(int32_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<int32_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(int64_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<int64_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(float n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast_ptr<float*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(double n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast_ptr<double*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::addAttachment(const Attachment& attachment)
author	Benjamin Poulain <bpoulain@apple.com>	2015-03-02 11:53:13 +0100
committer	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2015-03-03 10:16:23 +0000
commit	3f0f7b59582197ca651b8aaeea17fd76b9a35b9c (patch)
tree	5f74b5a989e25a1127a1a973a8e1b272d00bcc0c
parent	9c37660832d74ac696b5238640193646485664f8 (diff)