[webkit-changes] [WebKit/WebKit] 2f56d3: Ensure that tagArrayPtr's size diversifier's top 1...
Commit Queue
noreply at github.com
Mon May 22 13:59:33 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 2f56d3ddcc282e02236742bdd1a8e24e1c5f94e1
https://github.com/WebKit/WebKit/commit/2f56d3ddcc282e02236742bdd1a8e24e1c5f94e1
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
M Source/JavaScriptCore/assembler/testmasm.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/WTF/wtf/PtrTag.h
Log Message:
-----------
Ensure that tagArrayPtr's size diversifier's top 16 bits are always 0.
https://bugs.webkit.org/show_bug.cgi?id=255475
rdar://107724053
Reviewed by Justin Michaud.
On ARM64, sizes never exceed 48 bits anyway. This also ensures that the signed values
will not conflict with the namespace of other data pointers signed with the same PAC key.
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::zeroExtend48ToWord):
* Source/JavaScriptCore/assembler/testmasm.cpp:
(JSC::testZeroExtend48ToWord):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
* Source/WTF/wtf/PtrTag.h:
(WTF::tagArrayPtr):
(WTF::retagArrayPtr):
Originally-landed-as: 259548.636@safari-7615-branch (a45dfa3dc3d4). rdar://107724053
Canonical link: https://commits.webkit.org/264373@main
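The commit above constrains the size diversifier to 48 bits so that array pointers signed with the size as modifier can never share a modifier value with other data pointers signed under the same PAC key. The following is an added illustration, not WebKit's code and not the real ARM64 PAC instructions: a toy signed-pointer model in which the signature depends on a key, the pointer and a 64-bit modifier, with `zero_extend_48_to_word` standing in for the commit's `zeroExtend48ToWord`. The mixer (`mix64`, a splitmix64 finalizer), the 16-bit tag width and the assumption that the "other" namespace keeps a non-zero value in the top 16 bits of its modifiers are all constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added illustration, not WebKit code. Toy model of a PAC-style signed
 * pointer: the signature is a function of key, pointer and a 64-bit
 * modifier (diversifier), stored in the top PAC_BITS of the pointer. */
#define PAC_BITS 16
#define PAC_SHIFT (64 - PAC_BITS)
#define PTR_MASK ((1ULL << PAC_SHIFT) - 1)
#define SIZE_MODIFIER_MASK ((1ULL << 48) - 1)

/* Mirrors the idea of the commit's zeroExtend48ToWord: keep only the low
 * 48 bits, so the top 16 bits of the size modifier are always zero. */
uint64_t zero_extend_48_to_word(uint64_t size) {
    return size & SIZE_MODIFIER_MASK;
}

/* Non-cryptographic mixer (splitmix64 finalizer) standing in for the real
 * PAC cipher. Only "different inputs give different outputs" matters here. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* 16-bit authentication code derived from key, raw pointer and modifier. */
static uint64_t compute_pac(uint64_t key, uint64_t raw_ptr, uint64_t modifier) {
    return mix64(key ^ mix64(raw_ptr ^ mix64(modifier))) >> PAC_SHIFT;
}

/* Sign: place the code in the top bits of the (48-bit) pointer. */
uint64_t sign_ptr(uint64_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t raw = ptr & PTR_MASK;
    return raw | (compute_pac(key, raw, modifier) << PAC_SHIFT);
}

/* Authenticate: return the raw pointer if the code matches under this
 * modifier, otherwise 0 (the real hardware would poison the pointer). */
uint64_t auth_ptr(uint64_t key, uint64_t signed_ptr, uint64_t modifier) {
    uint64_t raw = signed_ptr & PTR_MASK;
    uint64_t expected = compute_pac(key, raw, modifier);
    return ((signed_ptr >> PAC_SHIFT) == expected) ? raw : 0;
}

/* tagArrayPtr-like helpers: the modifier is the zero-extended size, so two
 * sizes that differ only in their top 16 bits sign identically. */
uint64_t tag_array_ptr(uint64_t key, uint64_t ptr, uint64_t size) {
    return sign_ptr(key, ptr, zero_extend_48_to_word(size));
}
uint64_t untag_array_ptr(uint64_t key, uint64_t signed_ptr, uint64_t size) {
    return auth_ptr(key, signed_ptr, zero_extend_48_to_word(size));
}

/* Assumed layout for the other namespace (constructed for this example):
 * its modifiers carry a non-zero value in the top 16 bits. A masked size
 * can never equal such a modifier, which is the separation the commit wants. */
bool modifier_reachable_by_size(uint64_t other_modifier) {
    return (other_modifier >> 48) == 0;
}
```

In the model, a pointer signed with a size whose upper 16 bits happen to be set authenticates only as an array pointer with that size (after masking), never as a pointer signed with the unmasked 64-bit value as its modifier; and `modifier_reachable_by_size` is false for every modifier in the other namespace, so the two sets of signed values cannot overlap even though they share a key.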