Reviewers: Benedikt Meurer,
Description:
Do not attempt to read language mode from {,Strict}{,Not}Equal nodes.
We were previously reading a language mode from all comparison nodes
in JSGenericLowering::ReplaceWithCompareIC. This read was invalid for
{,Strict}{,Not}Equal nodes, because these nodes do not have a language mode:
they derive from Operator rather than from Operator1<LanguageMode>. Because these
nodes are not language mode dependent, we arbitrarily pass Strength::WEAK
to CodeFactory::CompareIC. (I am not familiar enough with this code to
know if the previous sentence is accurate.)
Cleanup for cfi_vptr=1; see
https://www.chromium.org/developers/testing/control-flow-integrity
BUG=chromium:457523
[email protected]
Please review this at https://codereview.chromium.org/1319463003/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+21, -11 lines):
M src/compiler/js-generic-lowering.h
M src/compiler/js-generic-lowering.cc
Index: src/compiler/js-generic-lowering.cc
diff --git a/src/compiler/js-generic-lowering.cc
b/src/compiler/js-generic-lowering.cc
index
0c20ea067c489139844695562efbc89ee3238a83..b27e8349225a9fc2aecd18758a56620a7d8be49e
100644
--- a/src/compiler/js-generic-lowering.cc
+++ b/src/compiler/js-generic-lowering.cc
@@ -86,21 +86,31 @@ REPLACE_BINARY_OP_IC_CALL(JSModulus, Token::MOD)
#undef REPLACE_BINARY_OP_IC_CALL
-#define REPLACE_COMPARE_IC_CALL(op, token) \
- void JSGenericLowering::Lower##op(Node* node) { \
- ReplaceWithCompareIC(node, token); \
+// These ops are not language mode dependent; we arbitrarily pass
Strength::WEAK
+// here.
+#define REPLACE_COMPARE_IC_CALL(op, token) \
+ void JSGenericLowering::Lower##op(Node* node) { \
+ ReplaceWithCompareIC(node, token, Strength::WEAK); \
}
REPLACE_COMPARE_IC_CALL(JSEqual, Token::EQ)
REPLACE_COMPARE_IC_CALL(JSNotEqual, Token::NE)
REPLACE_COMPARE_IC_CALL(JSStrictEqual, Token::EQ_STRICT)
REPLACE_COMPARE_IC_CALL(JSStrictNotEqual, Token::NE_STRICT)
-REPLACE_COMPARE_IC_CALL(JSLessThan, Token::LT)
-REPLACE_COMPARE_IC_CALL(JSGreaterThan, Token::GT)
-REPLACE_COMPARE_IC_CALL(JSLessThanOrEqual, Token::LTE)
-REPLACE_COMPARE_IC_CALL(JSGreaterThanOrEqual, Token::GTE)
#undef REPLACE_COMPARE_IC_CALL
+#define REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(op, token) \
+ void JSGenericLowering::Lower##op(Node* node) { \
+ ReplaceWithCompareIC(node, token, \
+ strength(OpParameter<LanguageMode>(node))); \
+ }
+REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSLessThan, Token::LT)
+REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSGreaterThan, Token::GT)
+REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSLessThanOrEqual, Token::LTE)
+REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE(JSGreaterThanOrEqual,
Token::GTE)
+#undef REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE
+
+
#define REPLACE_RUNTIME_CALL(op, fun) \
void JSGenericLowering::Lower##op(Node* node) { \
ReplaceWithRuntimeCall(node, fun); \
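Review bot: The comment added above REPLACE_COMPARE_IC_CALL says Strength::WEAK is passed "arbitrarily", which leaves the next reader unable to tell whether the value is correct or merely untested, and the new REPLACE_COMPARE_IC_CALL_WITH_LANGUAGE_MODE macro has no comment saying why it alone may call OpParameter<LanguageMode>(node). Since the description says the old read was an invalid cast for ops that derive from Operator rather than Operator1<LanguageMode>, I would state that invariant at the second macro so a future op is not added to the wrong list: `// Only ops that derive from Operator1<LanguageMode> may use this macro; reading OpParameter<LanguageMode> on any other op is an invalid cast (flagged under cfi_vptr).` On the first macro, once a reviewer confirms it, replace "arbitrarily" with the actual reason the strength does not matter for these tokens, hedged if CompareIC's handling is not known. The REPLACE_RUNTIME_CALL macro definition at the end of the hunk continues outside it.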
@@ -129,9 +139,9 @@ static CallDescriptor::Flags FlagsForNode(Node* node) {
}
-void JSGenericLowering::ReplaceWithCompareIC(Node* node, Token::Value
token) {
- Callable callable = CodeFactory::CompareIC(
- isolate(), token, strength(OpParameter<LanguageMode>(node)));
+void JSGenericLowering::ReplaceWithCompareIC(Node* node, Token::Value
token,
+ Strength str) {
+ Callable callable = CodeFactory::CompareIC(isolate(), token, str);
// Create a new call node asking a CompareIC for help.
NodeVector inputs(zone());
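Review bot: The new parameter is named `str` in this definition but `strength` in the header declaration (the js-generic-lowering.h hunk), and `str` reads as "string" at the call site `CodeFactory::CompareIC(isolate(), token, str)`. If `strength` was avoided here because it would shadow the `strength(LanguageMode)` helper that the new macro calls, choose one non-abbreviated name and use it in both the declaration and the definition, e.g. `Strength str) {` → `Strength strength) {` with the header left as is, or a different shared name if the shadowing warning is a concern. ReplaceWithCompareIC's body continues outside the hunk.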
Index: src/compiler/js-generic-lowering.h
diff --git a/src/compiler/js-generic-lowering.h
b/src/compiler/js-generic-lowering.h
index
9811ba8451810ecceea2ed392b0b536cf6d5c5c2..d409b14e0ace0af84958316ec72a04d364cbd639
100644
--- a/src/compiler/js-generic-lowering.h
+++ b/src/compiler/js-generic-lowering.h
@@ -36,7 +36,7 @@ class JSGenericLowering final : public Reducer {
#undef DECLARE_LOWER
// Helpers to replace existing nodes with a generic call.
- void ReplaceWithCompareIC(Node* node, Token::Value token);
+ void ReplaceWithCompareIC(Node* node, Token::Value token, Strength
strength);
void ReplaceWithStubCall(Node* node, Callable c, CallDescriptor::Flags
flags);
void ReplaceWithBuiltinCall(Node* node, Builtins::JavaScript id, int
args);
void ReplaceWithRuntimeCall(Node* node, Runtime::FunctionId f, int args
= -1);