Remove type punning from QV4::Value.

The union in QV4::Value is used to do type punning. In C++, this is
compiler-defined behavior. For example, Clang and GCC will try to detect
it and try to do the proper thing. However, it can play havoc with Alias
Analysis, and it is not guaranteed that some Undefined Behavior (or
Compiler depenedent behavior) might occur.

The really problematic part is the struct inside the union: depending on
the calling convention and the register size, it results in some
exciting code. For example, the AMD64 ABI specifies that a struct of two
values of INTEGER class can be passed in separate registers when doing a
function call. Now, if the AA in the compiler looses track of the fact
that the tag overlaps with the double, you might get:

    ecx := someTag
    ... conditional jumps
double_case:
    rdx := xorredDoubleValue
    callq someWhere

If the someWhere function checks for the tag first, mayhem ensues: the
double value in rdx does not overwrite the tag that is passed in ecx.

Changing the code to do reinterpret_cast<>s might also give problems
on 32bit architectures, because there is a double, whose size is not the
same as the size of the tag, which could confuse AA.

So, to fix this, the following is changed:
- only have a quint64 field in the QV4::Value, which has the added
  benefit that it's very clear for the compiler that it's a POD
- as memcpy is the only approved way to ensure bit-by-bit "conversion"
  between types (esp. FP<->non-FP types), change all conversions to use
  memcpy. Use bitops (shift/and/or) for anything else.
- only use accessor functions for non-quint64 values

As any modern compiler has memcpy as an intrinsic, the call will be
replaced with one or a few move instructions. The accessor functions
also get inlined, the bitops get optimized, so in all cases the compiler
can generate the most compact code possible.

This patch obsoletes f558bc48585c69de36151248c969a484a969ebb4 (which had
the exact aliassing problem of the double and the tag as described
above).

Change-Id: I60a39d8564be5ce6106403a56a8de90943217006
Reviewed-by: Ulf Hermann <[email protected]>

1 files changed, 1 insertions, 1 deletions

diff --git a/src/qml/jsruntime/qv4debugging.cpp b/src/qml/jsruntime/qv4debugging.cpp
index 7bd5d49f3c..ab8cd629c5 100644
--- a/src/qml/jsruntime/qv4debugging.cpp
+++ b/src/qml/jsruntime/qv4debugging.cpp
@@ -800,7 +800,7 @@ void Debugger::Collector::collect(const QString &name, const ScopedValue &value)
             addObject(name, value);
         break;
     case Value::Integer_Type:
-        addInteger(name, value->int_32);
+        addInteger(name, value->int_32());
         break;
     default: // double
         addDouble(name, value->doubleValue());