Commit 09bb401b authored by pcc's avatar pcc Committed by Commit bot

Do not attempt to read language mode from {,Strict}{,Not}Equal nodes.

We were previously reading a language mode from all comparison nodes
in JSGenericLowering::ReplaceWithCompareIC. This read was invalid for
{,Strict}{,Not}Equal nodes, as these nodes do not have a language mode, as they
derive from Operator rather than from Operator1<LanguageMode>. Because these
nodes are not language mode dependent, we arbitrarily pass Strength::WEAK
to CodeFactory::CompareIC.

Cleanup for cfi_vptr=1; see https://www.chromium.org/developers/testing/control-flow-integrity

BUG=chromium:457523
R=bmeurer@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1319463003

Cr-Commit-Position: refs/heads/master@{#30491}
parent 8e78d55d
......@@ -86,21 +86,31 @@ REPLACE_BINARY_OP_IC_CALL(JSModulus, Token::MOD)
#undef REPLACE_BINARY_OP_IC_CALL
#define REPLACE_COMPARE_IC_CALL(op, token) \
void JSGenericLowering::Lower##op(Node* node) { \
ReplaceWithCompareIC(node, token); \
// These ops are not language mode dependent; we arbitrarily pass Strength::WEAK
// here.
#define REPLACE_COMPARE_IC_CALL(op, token) \
void JSGenericLowering::Lower##op(Node* node) { \
ReplaceWithCompareIC(node, token, Strength::WEAK); \
}
REPLACE_COMPARE_IC_CALL(JSEqual, Token::EQ)
REPLACE_COMPARE_IC_CALL(JSNotEqual, Token::NE)
REPLACE_COMPARE_IC_CALL(JSStrictEqual, Token::EQ_STRICT)
REPLACE_COMPARE_IC_CALL(JSStrictNotEqual, Token::NE_STRICT)
REPLACE_COMPARE_IC_CALL(JSLessThan, Token::LT)
REPLACE_COMPARE_IC_CALL(JSGreaterThan, Token::GT)
REPLACE_COMPARE_IC_CALL(JSLessThanOrEqual, Token::LTE)
REPLACE_COMPARE_IC_CALL(JSGreaterThanOrEqual, Token::GTE)
#undef REPLACE_COMPARE_IC_CALL
#define REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(op, token) \
void JSGenericLowering::Lower##op(Node* node) { \
ReplaceWithCompareIC(node, token, \
strength(OpParameter<LanguageMode>(node))); \
}
REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSLessThan, Token::LT)
REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSGreaterThan, Token::GT)
REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSLessThanOrEqual, Token::LTE)
REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSGreaterThanOrEqual, Token::GTE)
#undef REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE
#define REPLACE_RUNTIME_CALL(op, fun) \
void JSGenericLowering::Lower##op(Node* node) { \
ReplaceWithRuntimeCall(node, fun); \
......@@ -129,9 +139,9 @@ static CallDescriptor::Flags FlagsForNode(Node* node) {
}
void JSGenericLowering::ReplaceWithCompareIC(Node* node, Token::Value token) {
Callable callable = CodeFactory::CompareIC(
isolate(), token, strength(OpParameter<LanguageMode>(node)));
void JSGenericLowering::ReplaceWithCompareIC(Node* node, Token::Value token,
Strength str) {
Callable callable = CodeFactory::CompareIC(isolate(), token, str);
// Create a new call node asking a CompareIC for help.
NodeVector inputs(zone());
......
......@@ -36,7 +36,7 @@ class JSGenericLowering final : public Reducer {
#undef DECLARE_LOWER
// Helpers to replace existing nodes with a generic call.
void ReplaceWithCompareIC(Node* node, Token::Value token);
void ReplaceWithCompareIC(Node* node, Token::Value token, Strength strength);
void ReplaceWithStubCall(Node* node, Callable c, CallDescriptor::Flags flags);
void ReplaceWithBuiltinCall(Node* node, int context_index, int args);
void ReplaceWithRuntimeCall(Node* node, Runtime::FunctionId f, int args = -1);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment