[JSC] Remove masking of tagbits in CalleeBits

https://bugs.webkit.org/show_bug.cgi?id=298699
rdar://160343969

Reviewed by Mark Lam.

BBQCallee is held in ThreadSafeWeakOrStrongPtr in CalleeGroup.
Old code was assuming that ThreadSafeWeakOrStrongPtr may produce a pointer without stripping a tag,
but that no longer happens after 289802@main.

* Source/JavaScriptCore/interpreter/CalleeBits.h:
(JSC::CalleeBits::boxNativeCallee):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::boxNativeCallee):

Canonical link: https://commits.webkit.org/300995@main

Author: Constellation

Source/JavaScriptCore/interpreter/CalleeBits.h

@@ -137,18 +137,10 @@ class CalleeBits {
         return nullptr;
     }
 
-#if CPU(ARM64)
-    // NativeCallees are sometimes stored in ThreadSafeWeakOrStrongPtr, which relies on top byte ignore, so we need to strip the top byte on ARM64.
-    static constexpr uintptr_t nativeCalleeTopByteMask = std::numeric_limits<uintptr_t>::max() >> CHAR_BIT;
-#endif
-
     static void* boxNativeCallee(NativeCallee* callee)
     {
 #if USE(JSVALUE64)
         auto bits = std::bit_cast<uintptr_t>(callee);
-#if CPU(ARM64)
-        bits &= nativeCalleeTopByteMask;
-#endif
         CalleeBits result { static_cast<int64_t>((bits - lowestAccessibleAddress()) | JSValue::NativeCalleeTag) };
         ASSERT(result.isNativeCallee());
         return result.rawPtr();

Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1709,10 +1709,6 @@ class AssemblyHelpers : public MacroAssembler {
     void boxNativeCallee(GPRReg calleeGPR, GPRReg boxedGPR)
     {
 #if USE(JSVALUE64)
-#if CPU(ARM64)
-        // NativeCallees are sometimes stored in ThreadSafeWeakOrStrongPtr, which relies on top byte ignore, so we need to strip the top byte on ARM64.
-        and64(TrustedImm64(CalleeBits::nativeCalleeTopByteMask), calleeGPR);
-#endif
         sub64(calleeGPR, TrustedImm64(lowestAccessibleAddress()), boxedGPR);
         or64(TrustedImm64(JSValue::NativeCalleeTag), boxedGPR);
 #else