Changeset 246827 in webkit


Timestamp:
Jun 25, 2019 7:25:19 PM (5 years ago)
Author:
keith_miller@apple.com
Message:

CagedPtr doesn't merge PAC bits back into the resulting caged pointer.
https://bugs.webkit.org/show_bug.cgi?id=199214

Reviewed by Yusuke Suzuki.

The current code means that caging will just strip any failed-authentication
bits. Adding this code doesn't appear to be a
regression on iPhone Xs.

  • wtf/CagedPtr.h:

(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::getUnsafe const):
(WTF::CagedPtr::mergePointers):

Location:
trunk/Source/WTF
Files:
2 edited

  • trunk/Source/WTF/ChangeLog

    r246826 r246827  
     12019-06-25  Keith Miller  <keith_miller@apple.com>
     2
     3        CagedPtr doesn't merge PAC bits back into the resulting caged pointer.
     4        https://bugs.webkit.org/show_bug.cgi?id=199214
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        The current code means that caging will just strip the any failed
     9        authentication bits. Adding this code doesn't appear to be a
     10        regression on iPhone Xs.
     11
     12        * wtf/CagedPtr.h:
     13        (WTF::CagedPtr::get const):
     14        (WTF::CagedPtr::getMayBeNull const):
     15        (WTF::CagedPtr::getUnsafe const):
     16        (WTF::CagedPtr::mergePointers):
     17
    1182019-06-25  Sam Weinig  <weinig@apple.com>
    219
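--- a/trunk/Source/WTF/wtf/CagedPtr.h
+++ b/trunk/Source/WTF/wtf/CagedPtr.h
@@ -30,4 +30,6 @@
 #include <wtf/PtrTag.h>
 
+#include <climits>
+
 namespace WTF {
 
@@ -53,7 +55,6 @@
         ASSERT(m_ptr);
         T* ptr = PtrTraits::unwrap(m_ptr);
-        if (shouldTag)
-            ptr = untagArrayPtr(ptr, size);
-        return Gigacage::caged(kind, ptr);
+        T* untaggedPtr = shouldTag ? untagArrayPtr(ptr, size) : ptr;
+        return mergePointers(untaggedPtr, Gigacage::caged(kind, ptr));
     }
 
@@ -61,7 +62,6 @@
     {
         T* ptr = PtrTraits::unwrap(m_ptr);
-        if (shouldTag)
-            ptr = untagArrayPtr(ptr, size);
-        return Gigacage::cagedMayBeNull(kind, ptr);
+        T* untaggedPtr = shouldTag ? untagArrayPtr(ptr, size) : ptr;
+        return mergePointers(untaggedPtr, Gigacage::cagedMayBeNull(kind, ptr));
     }
 
@@ -69,6 +69,5 @@
     {
         T* ptr = PtrTraits::unwrap(m_ptr);
-        if (shouldTag)
-            ptr = removeArrayPtrTag(ptr);
+        ptr = shouldTag ? removeArrayPtrTag(ptr) : ptr;
         return Gigacage::cagedMayBeNull(kind, ptr);
     }
@@ -126,4 +125,11 @@
 
 protected:
+    static inline T* mergePointers(const T* untaggedPtr, const T* uncagedPtr)
+    {
+        constexpr unsigned numberOfPACBits = 25;
+        constexpr uintptr_t mask = (1ull << ((sizeof(T*) * CHAR_BIT) - numberOfPACBits)) - 1;
+        return reinterpret_cast<T*>((reinterpret_cast<uintptr_t>(untaggedPtr) & ~mask) | (reinterpret_cast<uintptr_t>(uncagedPtr) & mask));
+    }
+
     typename PtrTraits::StorageType m_ptr;
 };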
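Review bot: `mergePointers` (new lines 127–132) takes every bit above bit 38 from `untaggedPtr`, so on a 64-bit configuration without pointer authentication whose user address space is wider than 39 bits those upper bits are real address bits, and an attacker-controlled high byte in the stored pointer could survive `Gigacage::caged` and yield a pointer outside the cage; the merge should only apply where PAC is actually in use. I would wrap the merge in a preprocessor guard on the build condition that enables pointer authentication, fall back to `return const_cast<T*>(uncagedPtr);` otherwise, and add `static_assert(sizeof(T*) == 8, "mergePointers assumes 64-bit pointers");` since the mask would be only 7 bits wide on a 32-bit target. The constant also deserves a comment, e.g. `// Assumes a 39-bit user VA: the top 25 bits hold TBI/PAC bits, including the poison untagArrayPtr leaves on authentication failure, which must survive caging so a later dereference still traps.`. Note that `get` and `getMayBeNull` now pass the still-tagged `ptr` rather than `untaggedPtr` to `Gigacage::caged`/`cagedMayBeNull`; that is only correct if those helpers discard the upper bits themselves whenever the cage is active and return the pointer unchanged otherwise, which this diff does not show, so a comment at the call site would help. The enclosing `CagedPtr` class begins before the first hunk.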