[ptr-compr] Fix Torque/CSA version of CreateTypedArray

There is a copy of the pointer decompression logic in TypedArrayBuiltinsAssembler::SetJSTypedArrayOnHeapDataPtr, which was not updated for the new ("smi-corrupting") pointer compression scheme: it erroneously used a sign-extending cast from compressed to full representation. This causes incorrect values to be computed when the heap size can grow beyond 2GB. Bug: v8:9706, chromium:1051005 Change-Id: I2220ce759df1147f255ffca93428888858929fd9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2060494 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#66293}
2020-02-17 16:15:57 +01:00 · 2020-02-17 16:15:57 +01:00 · 4e2954ee57
commit 4e2954ee57
parent 56e5d6a266
1 changed files with 1 additions and 1 deletions
--- a/src/builtins/builtins-typed-array-gen.cc
+++ b/src/builtins/builtins-typed-array-gen.cc
@ -394,7 +394,7 @@ void TypedArrayBuiltinsAssembler::SetJSTypedArrayOnHeapDataPtr(
    TNode<Int32T> compressed_base = TruncateIntPtrToInt32(full_base);
    // TODO(v8:9706): Add a way to directly use kRootRegister value.
    TNode<IntPtrT> isolate_root =
-        IntPtrSub(full_base, ChangeInt32ToIntPtr(compressed_base));
+        IntPtrSub(full_base, Signed(ChangeUint32ToWord(compressed_base)));
    // Add JSTypedArray::ExternalPointerCompensationForOnHeapArray() to offset.
    DCHECK_EQ(
        isolate()->isolate_root(),