Skip to content

Commit 4a6f151

Browse files
lizhengxingCommit bot
lizhengxing
authored and
Commit bot
committed
X87: [turbofan] Don't use the CompareIC in JSGenericLowering.
 port d00da47(r34335) original commit message: The CompareICStub produces an untagged raw word value, which has to be translated to true or false manually in the TurboFan code. But for lazy bailout after the CompareIC, we immediately go back to fullcodegen or Ignition with the raw value, to a location where both fullcodegen and Ignition expect a boolean value, which might crash or in the worst case (depending on the exact computation inside the CompareIC) could lead to arbitrary memory access. Short-term fix is to use the proper runtime functions (unified with the interpreter now) for comparisons. Next task is to provide optimized versions of these based on the CodeStubAssembler, which can then be used via code stubs in TurboFan or directly in handlers in the interpreter. BUG= Review URL: https://codereview.chromium.org/1744923002 Cr-Commit-Position: refs/heads/master@{#34372}
1 parent 0a287e2 commit 4a6f151

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

src/x87/code-stubs-x87.cc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1155,7 +1155,7 @@ void CompareICStub::GenerateGeneric(MacroAssembler* masm) {
11551155
FrameScope scope(masm, StackFrame::INTERNAL);
11561156
__ Push(edx);
11571157
__ Push(eax);
1158-
__ CallRuntime(strict() ? Runtime::kStrictEquals : Runtime::kEquals);
1158+
__ CallRuntime(strict() ? Runtime::kStrictEqual : Runtime::kEqual);
11591159
}
11601160
// Turn true into 0 and false into some non-zero value.
11611161
STATIC_ASSERT(EQUAL == 0);

0 commit comments

Comments
 (0)