Bug 1861973 - Signedness confusion in js::wasm::PackedTypeCode::pack. r=rhunt.

`PackedTypeCode::pack` stores a pointer in an unsigned 48-bit field, `PackedRepr typeDef_ : TypeDefBits`, where `TypeDefBits == 48`. This is problematic, although in release builds OK, on both 32- and 64-bit targets:

* On an arm32 target (native, not simulator), the assertion `MOZ_ASSERT((uint64_t)typeDef <= ((uint64_t)1 << TypeDefBits) - 1)` has been observed to fail. The assertion assumes that `(uint64_t)typeDef` unsignedly widens `typeDef` to 64 bits; but that is implementation dependent and on this target it is signedly widened, which causes the assertion to fail if bit 31 of `typeDef` is 1.

* On 64-bit targets, `TypeDef::typeDef` reconstitutes the pointer by unsignedly widening the 48-bit field back out to 64 bits. That works OK because, at least for "canonical addresses" on x86_64, only kernel addresses exist in the high-half canonical space, so we'll never encounter them. But it's conceptually confusing because existing literature, and our own practices (e.g. ds/PointerAndUint7), regard 64-bit canonical addresses as split equally high and low -- that is, as signed.

This patch:

* on 32-bit targets, removes the failing assertion (it is pointless);

* on 64-bit targets, fixes up the assertion and also `PackedTypeCode::typeDef` to treat the stored value as a signed 48-bit entity.

Despite the presence of more code, this routine becomes cheaper on x86_64: previously it required 3 insns and 2 regs. Now it requires 3 insns and 1 reg.

As a passing observation, if `PackedTypeCode::typeCodeAbstracted` is really as hot as its comment claims, it would be better -- at least on x86_64 -- to place `typeCode_` either at the start or end of the union. Extracting bits from the middle of a 64-bit word requires 2 insns, a shift and a mask; but if the field is at the top or bottom it would require respectively only a shift (top) or a mask (bottom).

Differential Revision: https://phabricator.services.mozilla.com/D192354

UltraBlame original commit: 6f3be95d65116af346971c9a559f77dbb8e9e14a
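The two failure modes the commit message describes, as an added C example that is not SpiderMonkey's code: a hypothetical `PackedRepr` stand-in with a 48-bit `typeDef_` bitfield (the `pack48`, `unpack_unsigned`, `unpack_signed` and `fits_signed48` names are assumptions), the zero-extending recovery beside the sign-extending one, and the 32-bit assertion evaluated under both zero- and sign-extending pointer widening. All addresses are constructed integer values rather than real pointers so the example runs deterministically on any host.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not SpiderMonkey's code. The struct is a hypothetical stand-in
 * for PackedRepr: a 48-bit pointer field plus two 8-bit fields (uint64_t bitfields
 * are a GCC/Clang extension). */
#define TYPEDEF_BITS 48
#define MASK48 ((((uint64_t)1) << TYPEDEF_BITS) - 1)

typedef struct {
    uint64_t typeDef_  : TYPEDEF_BITS; /* low 48 bits of a pointer-sized value */
    uint64_t typeCode_ : 8;
    uint64_t spare_    : 8;
} PackedRepr;

/* Store the low 48 bits of a pointer-sized value plus a type code. */
static PackedRepr pack48(uint64_t typeDef, uint8_t typeCode) {
    PackedRepr r = {0};
    r.typeDef_ = typeDef & MASK48;
    r.typeCode_ = typeCode;
    return r;
}

/* Old-style recovery: zero-extend the 48 bits. Round-trips low-half canonical
 * addresses only; anything with bit 47 set comes back wrong. */
static uint64_t unpack_unsigned(PackedRepr r) {
    return (uint64_t)r.typeDef_;
}

/* Signed recovery: treat bit 47 as the sign bit and sign-extend (shift left,
 * then arithmetic shift right; arithmetic right shift of a negative int64_t is
 * what GCC/Clang do). Round-trips both halves of a split canonical space. */
static uint64_t unpack_signed(PackedRepr r) {
    uint64_t v = (uint64_t)r.typeDef_;
    int64_t s = (int64_t)(v << (64 - TYPEDEF_BITS));
    return (uint64_t)(s >> (64 - TYPEDEF_BITS));
}

/* The precondition a signed 48-bit field can represent: the value must lie in
 * [-2^47, 2^47), i.e. equal its own sign-extension from 48 bits. */
static bool fits_signed48(uint64_t typeDef) {
    int64_t s = (int64_t)typeDef;
    return s >= -((int64_t)1 << (TYPEDEF_BITS - 1)) &&
           s <   ((int64_t)1 << (TYPEDEF_BITS - 1));
}

/* 32-bit story: the old assertion compared (uint64_t)typeDef against the 48-bit
 * limit. Whether a 32-bit pointer widens with zero- or sign-extension is
 * implementation-defined; these two functions model the two outcomes. */
static bool assert_holds_zero_extended(uint32_t p32) {
    return (uint64_t)p32 <= MASK48;                   /* always true */
}
static bool assert_holds_sign_extended(uint32_t p32) {
    return (uint64_t)(int64_t)(int32_t)p32 <= MASK48; /* false once bit 31 is set */
}

int main(void) {
    const uint64_t user = 0x00007fffdeadbee0ULL; /* constructed low-half address */
    const uint64_t high = 0xffff800000001000ULL; /* constructed high-half address */
    PackedRepr pu = pack48(user, 3), ph = pack48(high, 3);

    printf("low-half : zero-ext %#" PRIx64 "  sign-ext %#" PRIx64 "\n",
           unpack_unsigned(pu), unpack_signed(pu));
    printf("high-half: zero-ext %#" PRIx64 "  sign-ext %#" PRIx64 "\n",
           unpack_unsigned(ph), unpack_signed(ph));
    printf("32-bit ptr 0x80001000: assertion holds? zero-ext=%d sign-ext=%d\n",
           assert_holds_zero_extended(0x80001000u),
           assert_holds_sign_extended(0x80001000u));
    return 0;
}
```

The high-half case shows why the message calls the unsigned recovery "conceptually confusing": zero-extension silently turns `0xffff800000001000` into `0x0000800000001000`, while the signed recovery restores it, and `fits_signed48` is the precondition the fixed assertion should check. The 32-bit pair reproduces the arm32 observation: with sign-extending widening the assertion rejects any pointer whose bit 31 is set, even though the value is a perfectly good 32-bit pointer.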