WebKit Bugzilla
Attachment 372887 Details for Bug 199214: CagedPtr doesn't merge PAC bits back into the resulting caged pointer.
[patch] Patch: bug-199214-20190625180359.patch (text/plain), 2.64 KB, created by Keith Miller on 2019-06-25 18:04:00 PDT
>Subversion Revision: 246663 >diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog >index f87357dbf8d10f92880c6301fc026dfb2a653351..5473e96002662cc828e5cc5e92a84f4336fda263 100644 >--- a/Source/WTF/ChangeLog >+++ b/Source/WTF/ChangeLog >@@ -1,3 +1,20 @@ >+2019-06-25 Keith Miller <keith_miller@apple.com> >+ >+ CagedPtr doesn't merge PAC bits back into the resulting caged pointer. >+ https://bugs.webkit.org/show_bug.cgi?id=199214 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ The current code means that caging will just strip the any failed >+ authentication bits. Adding this code doesn't appear to be a >+ regression on iPhone Xs. >+ >+ * wtf/CagedPtr.h: >+ (WTF::CagedPtr::get const): >+ (WTF::CagedPtr::getMayBeNull const): >+ (WTF::CagedPtr::getUnsafe const): >+ (WTF::CagedPtr::mergePointers): >+ > 2019-06-18 Darin Adler <darin@apple.com> > > Tidy up the remaining bits of the AtomicString to AtomString rename >diff --git a/Source/WTF/wtf/CagedPtr.h b/Source/WTF/wtf/CagedPtr.h >index 71ec51e2947b5b2ca06ea2c4056dadceb938df6e..dae5cb008ffe2f1b71f676d3bfb82bc4a4731b1d 100644 >--- a/Source/WTF/wtf/CagedPtr.h >+++ b/Source/WTF/wtf/CagedPtr.h 
>@@ -52,24 +52,21 @@ public: > { > ASSERT(m_ptr); > T* ptr = PtrTraits::unwrap(m_ptr); >- if (shouldTag) >- ptr = untagArrayPtr(ptr, size); >- return Gigacage::caged(kind, ptr); >+ T* untaggedPtr = shouldTag ? untagArrayPtr(ptr, size) : ptr; >+ return mergePointers(untaggedPtr, Gigacage::caged(kind, ptr)); > } > > T* getMayBeNull(unsigned size) const > { > T* ptr = PtrTraits::unwrap(m_ptr); >- if (shouldTag) >- ptr = untagArrayPtr(ptr, size); >- return Gigacage::cagedMayBeNull(kind, ptr); >+ T* untaggedPtr = shouldTag ? untagArrayPtr(ptr, size) : ptr; >+ return mergePointers(untaggedPtr, Gigacage::cagedMayBeNull(kind, ptr)); > } > > T* getUnsafe() const > { > T* ptr = PtrTraits::unwrap(m_ptr); >- if (shouldTag) >- ptr = removeArrayPtrTag(ptr); >+ ptr = shouldTag ? removeArrayPtrTag(ptr) : ptr; > return Gigacage::cagedMayBeNull(kind, ptr); > } > >@@ -125,6 +122,13 @@ public: > } > > protected: >+ static inline T* mergePointers(const T* untaggedPtr, const T* uncagedPtr) >+ { >+ constexpr unsigned numberOfPACBits = 25; >+ constexpr uintptr_t mask = (1ull << ((sizeof(T*) * CHAR_BIT) - numberOfPACBits)) - 1; >+ return reinterpret_cast<T*>((reinterpret_cast<uintptr_t>(untaggedPtr) & ~mask) | (reinterpret_cast<uintptr_t>(uncagedPtr) & mask)); >+ } >+ > typename PtrTraits::StorageType m_ptr; > }; >
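Review bot: In the Source/WTF/ChangeLog entry, "will just strip the any failed authentication bits" has a stray word, and "doesn't appear to be a regression on iPhone Xs" does not say what was measured. Suggest "will just strip any failed authentication bits" and naming the benchmark or metric behind the no-regression claim. The diff touches only Source/WTF/ChangeLog and Source/WTF/wtf/CagedPtr.h, so a test that checks a failed authentication is still visible in the pointer returned by get() would be worth adding alongside it.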
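Review bot: In get() and getMayBeNull() (hunk @@ -52,24 +52,21 @@), Gigacage::caged(kind, ptr) and Gigacage::cagedMayBeNull(kind, ptr) now receive the still-tagged ptr rather than the untagged one, so the result is only correct because mergePointers overwrites the high bits afterwards. Add a comment saying the tagged input is deliberate, or pass untaggedPtr to the caging call if it is not. getUnsafe() is listed in the ChangeLog, but its only change is turning the if into "ptr = shouldTag ? removeArrayPtrTag(ptr) : ptr;", which self-assigns in the else case, and it still returns the caged pointer without calling mergePointers; say whether leaving it unmerged is intended.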
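Review bot: In mergePointers (hunk @@ -125,6 +122,13 @@), the second parameter is named uncagedPtr, but both callers pass the result of Gigacage::caged or Gigacage::cagedMayBeNull, so the name reads backwards; cagedPtr would match the call sites. "constexpr unsigned numberOfPACBits = 25;" is a bare constant with no comment on where 25 comes from or which configurations it holds for, and nothing in the hunk guards the merge when shouldTag is false, where the high numberOfPACBits bits of the unmodified pointer are copied over the caged result. CHAR_BIT also needs <climits>, and this diff adds no include.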
Attachments on bug 199214: 372887 | 372888