1. 14 Jun, 2019 1 commit
  2. 26 Feb, 2016 1 commit
    • bmeurer's avatar
      [turbofan] Don't use the CompareIC in JSGenericLowering. · d00da47b
      bmeurer authored
      The CompareICStub produces an untagged raw word value, which has to be
      translated to true or false manually in the TurboFan code. But for lazy
      bailout after the CompareIC, we immediately go back to fullcodegen or
      Ignition with the raw value, to a location where both fullcodegen and
      Ignition expect a boolean value, which might crash or in the worst case
      (depending on the exact computation inside the CompareIC) could lead to
      arbitrary memory access.
      
      Short-term fix is to use the proper runtime functions (unified with the
      interpreter now) for comparisons. Next task is to provide optimized
      versions of these based on the CodeStubAssembler, which can then be used
      via code stubs in TurboFan or directly in handlers in the interpreter.
      
      R=mstarzinger@chromium.org
      BUG=v8:4788
      LOG=n
      
      Review URL: https://codereview.chromium.org/1738153002
      
      Cr-Commit-Position: refs/heads/master@{#34335}
      d00da47b