Skip to content

Commit c1507e1

Browse files
mtbrandyCommit bot
mtbrandy
authored and
Commit bot
committed
PPC: [turbofan] Don't use the CompareIC in JSGenericLowering.
Port d00da47 Original commit message: The CompareICStub produces an untagged raw word value, which has to be translated to true or false manually in the TurboFan code. But for lazy bailout after the CompareIC, we immediately go back to fullcodegen or Ignition with the raw value, to a location where both fullcodegen and Ignition expect a boolean value, which might crash or in the worst case (depending on the exact computation inside the CompareIC) could lead to arbitrary memory access. Short-term fix is to use the proper runtime functions (unified with the interpreter now) for comparisons. Next task is to provide optimized versions of these based on the CodeStubAssembler, which can then be used via code stubs in TurboFan or directly in handlers in the interpreter. [email protected], [email protected], [email protected], [email protected] BUG=v8:4788 LOG=n Review URL: https://codereview.chromium.org/1745643002 Cr-Commit-Position: refs/heads/master@{#34341}
1 parent 76b6615 commit c1507e1

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

src/ppc/code-stubs-ppc.cc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -702,7 +702,7 @@ void CompareICStub::GenerateGeneric(MacroAssembler* masm) {
702702
{
703703
FrameAndConstantPoolScope scope(masm, StackFrame::INTERNAL);
704704
__ Push(lhs, rhs);
705-
__ CallRuntime(strict() ? Runtime::kStrictEquals : Runtime::kEquals);
705+
__ CallRuntime(strict() ? Runtime::kStrictEqual : Runtime::kEqual);
706706
}
707707
// Turn true into 0 and false into some non-zero value.
708708
STATIC_ASSERT(EQUAL == 0);

0 commit comments

Comments
 (0)