From 46d45eed352a2c71106e729cb399564b659e5d5e Mon Sep 17 00:00:00 2001
From: Max Rottenkolber
Date: Thu, 17 Oct 2024 03:11:43 -0700
Subject: [PATCH] Fix DFG::AbstractHeap initialization from pointer on armv7

https://bugs.webkit.org/show_bug.cgi?id=281378

Reviewed by Justin Michaud.

The previous incantation would cause 32 bit pointers to be sign extended into a int64_t slot. We want to widen then value without sign extension here, as the higher bits will be used for a tag. (See encode())

* Source/JavaScriptCore/dfg/DFGAbstractHeap.h:
(JSC::DFG::AbstractHeap::Payload::Payload):

Canonical link: https://commits.webkit.org/285323@main
---
 Source/JavaScriptCore/dfg/DFGAbstractHeap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractHeap.h b/Source/JavaScriptCore/dfg/DFGAbstractHeap.h
index ff84f6b7c0d90..23888ffb6c8b5 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractHeap.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractHeap.h
@@ -120,7 +120,7 @@ class AbstractHeap {
 Payload(const void* pointer)
 : m_isTop(false)
- , m_value(bitwise_cast(pointer))
+ , m_value(static_cast(reinterpret_cast(pointer)))
 {
 }