[turbofan] Don't use the CompareIC in JSGenericLowering.

[turbofan] Don't use the CompareIC in JSGenericLowering.

The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.

Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.

R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n

Committed: https://crrev.com/d00da47b61462681b48e48bdff4a80a33da1a6d6
Cr-Commit-Position: refs/heads/master@{#34335}

[Benedikt Meurer, 2016-02-26 13:46:21]

Hey Michi,

Here's the quickfix we discussed for the CompareIC issues with TurboFan
(affecting both FCG and Ignition).
Please take a look.

Thanks,
Benedikt

Ross: FYI
Michael H: Needs back merging.

[Michael Starzinger, 2016-02-26 13:58:28]

LGTM.

[Benedikt Meurer, 2016-02-26 18:14:15]

The CQ bit was checked by bmeurer@chromium.org

[Benedikt Meurer, 2016-02-26 18:14:15]

The patchset sent to the CQ was uploaded after l-g-t-m from
mstarzinger@chromium.org
Link to the patchset: https://codereview.chromium.org/1738153002/#ps40001
(title: "Consistent SIMD.js equality")

[commit-bot: I haz the power, 2016-02-26 18:14:20]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1738153002/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1738153002/40001

[commit-bot: I haz the power, 2016-02-26 18:40:47]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-02-26 18:41:40]

Description was changed from

==========
[turbofan] Don't use the CompareIC in JSGenericLowering.

The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.

Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.

R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n
==========

to

==========
[turbofan] Don't use the CompareIC in JSGenericLowering.

The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.

Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.

R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n

Committed: https://crrev.com/d00da47b61462681b48e48bdff4a80a33da1a6d6
Cr-Commit-Position: refs/heads/master@{#34335}
==========

[commit-bot: I haz the power, 2016-02-26 18:41:41]

Patchset 3 (id:??) landed as
https://crrev.com/d00da47b61462681b48e48bdff4a80a33da1a6d6
Cr-Commit-Position: refs/heads/master@{#34335}