Fix unsafe memory load/store from the argument encoder/decoder affecting ARM

Benjamin Poulain · BenjaminPoulain · commit aada9c476364 · 2013-12-13T07:04:42.000Z
https://bugs.webkit.org/show_bug.cgi?id=125674 Patch by Benjamin Poulain <bpoulain@apple.com> on 2013-12-12 Reviewed by Darin Adler. Depending on the CPU and CPU config, load and store may have to be aligned. The argument buffer has no particular alignment which can cause problems. In this case, on ARMv7, strd and ldrd can have alignment restriction on 16 bytes. The code encoding double and 64 bits integers was causing bugs. To avoid problems, the encoders/decoders are modified to just use memcpy. The compiler optimizes it away for the right instructions (clang uses two ldr/str in the case of 64bits values on ARMv7). * Platform/CoreIPC/ArgumentDecoder.cpp: (CoreIPC::decodeValueFromBuffer): (CoreIPC::ArgumentDecoder::decode): * Platform/CoreIPC/ArgumentEncoder.cpp: (CoreIPC::copyValueToBuffer): (CoreIPC::ArgumentEncoder::encode): Canonical link: https://commits.webkit.org/143699@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@160529 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
@@ -1,3 +1,26 @@
+2013-12-12  Benjamin Poulain  <bpoulain@apple.com>
+
+        Fix unsafe memory load/store from the argument encoder/decoder affecting ARM
+        https://bugs.webkit.org/show_bug.cgi?id=125674
+
+        Reviewed by Darin Adler.
+
+        Depending on the CPU and CPU config, load and store may have to be aligned.
+        The argument buffer has no particular alignment which can cause problems.
+
+        In this case, on ARMv7, strd and ldrd can have alignment restriction on 16 bytes.
+        The code encoding double and 64 bits integers was causing bugs.
+
+        To avoid problems, the encoders/decoders are modified to just use memcpy. The compiler optimizes
+        it away for the right instructions (clang uses two ldr/str in the case of 64bits values on ARMv7).
+
+        * Platform/CoreIPC/ArgumentDecoder.cpp:
+        (CoreIPC::decodeValueFromBuffer):
+        (CoreIPC::ArgumentDecoder::decode):
+        * Platform/CoreIPC/ArgumentEncoder.cpp:
+        (CoreIPC::copyValueToBuffer):
+        (CoreIPC::ArgumentEncoder::encode):
+
 2013-12-12  Tim Horton  <timothy_horton@apple.com>
 
         Build fix for 32-bit.
diff --git a/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -126,13 +126,19 @@ bool ArgumentDecoder::decodeVariableLengthByteArray(DataReference& dataReference
     return true;
 }
 
+template<typename Type>
+static void decodeValueFromBuffer(Type& value, uint8_t*& bufferPosition)
+{
+    memcpy(&value, bufferPosition, sizeof(value));
+    bufferPosition += sizeof(Type);
+}
+
 bool ArgumentDecoder::decode(bool& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast<bool*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -141,8 +147,7 @@ bool ArgumentDecoder::decode(uint8_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
 
-    result = *reinterpret_cast<uint8_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -151,18 +156,16 @@ bool ArgumentDecoder::decode(uint16_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
 
-    result = *reinterpret_cast_ptr<uint16_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
 bool ArgumentDecoder::decode(uint32_t& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
-    
-    result = *reinterpret_cast_ptr<uint32_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -171,8 +174,7 @@ bool ArgumentDecoder::decode(uint64_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast_ptr<uint64_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -181,28 +183,25 @@ bool ArgumentDecoder::decode(int32_t& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast_ptr<uint32_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
 bool ArgumentDecoder::decode(int64_t& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
-    
-    result = *reinterpret_cast_ptr<uint64_t*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
 bool ArgumentDecoder::decode(float& result)
 {
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
-    
-    result = *reinterpret_cast_ptr<float*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
@@ -211,8 +210,7 @@ bool ArgumentDecoder::decode(double& result)
     if (!alignBufferPosition(sizeof(result), sizeof(result)))
         return false;
     
-    result = *reinterpret_cast_ptr<double*>(m_bufferPos);
-    m_bufferPos += sizeof(result);
+    decodeValueFromBuffer(result, m_bufferPos);
     return true;
 }
 
diff --git a/Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.cpp b/Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.cpp
@@ -123,67 +123,64 @@ void ArgumentEncoder::encodeVariableLengthByteArray(const DataReference& dataRef
     encodeFixedLengthData(dataReference.data(), dataReference.size(), 1);
 }
 
+template<typename Type>
+static void copyValueToBuffer(Type value, uint8_t* bufferPosition)
+{
+    memcpy(bufferPosition, &value, sizeof(Type));
+}
+
 void ArgumentEncoder::encode(bool n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast<bool*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint8_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast<uint8_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint16_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast_ptr<uint16_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint32_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<uint32_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(uint64_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<uint64_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(int32_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<int32_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(int64_t n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-    
-    *reinterpret_cast_ptr<int64_t*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(float n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast_ptr<float*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::encode(double n)
 {
     uint8_t* buffer = grow(sizeof(n), sizeof(n));
-
-    *reinterpret_cast_ptr<double*>(buffer) = n;
+    copyValueToBuffer(n, buffer);
 }
 
 void ArgumentEncoder::addAttachment(const Attachment& attachment)

Original file line number	Diff line number	Diff line change
`@@ -123,67 +123,64 @@ void ArgumentEncoder::encodeVariableLengthByteArray(const DataReference& dataRef`
`123`	`123`	`encodeFixedLengthData(dataReference.data(), dataReference.size(), 1);`
`124`	`124`	`}`
`125`	`125`
	`126`	`+template<typename Type>`
	`127`	`+static void copyValueToBuffer(Type value, uint8_t* bufferPosition)`
	`128`	`+{`
	`129`	`+ memcpy(bufferPosition, &value, sizeof(Type));`
	`130`	`+}`
	`131`	`+`
`126`	`132`	`void ArgumentEncoder::encode(bool n)`
`127`	`133`	`{`
`128`	`134`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`129`		`-`
`130`		`- reinterpret_cast<bool>(buffer) = n;`
	`135`	`+ copyValueToBuffer(n, buffer);`
`131`	`136`	`}`
`132`	`137`
`133`	`138`	`void ArgumentEncoder::encode(uint8_t n)`
`134`	`139`	`{`
`135`	`140`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`136`		`-`
`137`		`- reinterpret_cast<uint8_t>(buffer) = n;`
	`141`	`+ copyValueToBuffer(n, buffer);`
`138`	`142`	`}`
`139`	`143`
`140`	`144`	`void ArgumentEncoder::encode(uint16_t n)`
`141`	`145`	`{`
`142`	`146`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`143`		`-`
`144`		`- reinterpret_cast_ptr<uint16_t>(buffer) = n;`
	`147`	`+ copyValueToBuffer(n, buffer);`
`145`	`148`	`}`
`146`	`149`
`147`	`150`	`void ArgumentEncoder::encode(uint32_t n)`
`148`	`151`	`{`
`149`	`152`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`150`		`-`
`151`		`- reinterpret_cast_ptr<uint32_t>(buffer) = n;`
	`153`	`+ copyValueToBuffer(n, buffer);`
`152`	`154`	`}`
`153`	`155`
`154`	`156`	`void ArgumentEncoder::encode(uint64_t n)`
`155`	`157`	`{`
`156`	`158`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`157`		`-`
`158`		`- reinterpret_cast_ptr<uint64_t>(buffer) = n;`
	`159`	`+ copyValueToBuffer(n, buffer);`
`159`	`160`	`}`
`160`	`161`
`161`	`162`	`void ArgumentEncoder::encode(int32_t n)`
`162`	`163`	`{`
`163`	`164`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`164`		`-`
`165`		`- reinterpret_cast_ptr<int32_t>(buffer) = n;`
	`165`	`+ copyValueToBuffer(n, buffer);`
`166`	`166`	`}`
`167`	`167`
`168`	`168`	`void ArgumentEncoder::encode(int64_t n)`
`169`	`169`	`{`
`170`	`170`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`171`		`-`
`172`		`- reinterpret_cast_ptr<int64_t>(buffer) = n;`
	`171`	`+ copyValueToBuffer(n, buffer);`
`173`	`172`	`}`
`174`	`173`
`175`	`174`	`void ArgumentEncoder::encode(float n)`
`176`	`175`	`{`
`177`	`176`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`178`		`-`
`179`		`- reinterpret_cast_ptr<float>(buffer) = n;`
	`177`	`+ copyValueToBuffer(n, buffer);`
`180`	`178`	`}`
`181`	`179`
`182`	`180`	`void ArgumentEncoder::encode(double n)`
`183`	`181`	`{`
`184`	`182`	`uint8_t* buffer = grow(sizeof(n), sizeof(n));`
`185`		`-`
`186`		`- reinterpret_cast_ptr<double>(buffer) = n;`
	`183`	`+ copyValueToBuffer(n, buffer);`
`187`	`184`	`}`
`188`	`185`
`189`	`186`	`void ArgumentEncoder::addAttachment(const Attachment& attachment)`