X87: [turbofan] Don't use the CompareIC in JSGenericLowering.

X87: [turbofan] Don't use the CompareIC in JSGenericLowering.

  port d00da47b61462681b48e48bdff4a80a33da1a6d6(r34335)

  original commit message:
  The CompareICStub produces an untagged raw word value, which has to be
  translated to true or false manually in the TurboFan code. But for lazy
  bailout after the CompareIC, we immediately go back to fullcodegen or
  Ignition with the raw value, to a location where both fullcodegen and
  Ignition expect a boolean value, which might crash or in the worst case
  (depending on the exact computation inside the CompareIC) could lead to
  arbitrary memory access.

  Short-term fix is to use the proper runtime functions (unified with the
  interpreter now) for comparisons. Next task is to provide optimized
  versions of these based on the CodeStubAssembler, which can then be used
  via code stubs in TurboFan or directly in handlers in the interpreter.

BUG=

Committed: https://crrev.com/4a6f15124ff674e8732a342c87ee17731aa721ce
Cr-Commit-Position: refs/heads/master@{#34372}

[zhengxing.li, 2016-02-29 04:04:01]

zhengxing.li@intel.com changed reviewers:
+ bmeurer@chromium.org, chunyang.dai@intel.com, weiliang.lin@intel.com

[zhengxing.li, 2016-02-29 04:04:02]

PTAL, thanks!

[Weiliang, 2016-03-01 02:16:08]

lgtm

[zhengxing.li, 2016-03-01 02:18:18]

The CQ bit was checked by zhengxing.li@intel.com

[commit-bot: I haz the power, 2016-03-01 02:18:27]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1744923002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1744923002/1

[commit-bot: I haz the power, 2016-03-01 02:36:12]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-03-01 02:37:21]

Description was changed from

==========
X87: [turbofan] Don't use the CompareIC in JSGenericLowering.

  port d00da47b61462681b48e48bdff4a80a33da1a6d6(r34335)

  original commit message:
  The CompareICStub produces an untagged raw word value, which has to be
  translated to true or false manually in the TurboFan code. But for lazy
  bailout after the CompareIC, we immediately go back to fullcodegen or
  Ignition with the raw value, to a location where both fullcodegen and
  Ignition expect a boolean value, which might crash or in the worst case
  (depending on the exact computation inside the CompareIC) could lead to
  arbitrary memory access.

  Short-term fix is to use the proper runtime functions (unified with the
  interpreter now) for comparisons. Next task is to provide optimized
  versions of these based on the CodeStubAssembler, which can then be used
  via code stubs in TurboFan or directly in handlers in the interpreter.

BUG=
==========

to

==========
X87: [turbofan] Don't use the CompareIC in JSGenericLowering.

  port d00da47b61462681b48e48bdff4a80a33da1a6d6(r34335)

  original commit message:
  The CompareICStub produces an untagged raw word value, which has to be
  translated to true or false manually in the TurboFan code. But for lazy
  bailout after the CompareIC, we immediately go back to fullcodegen or
  Ignition with the raw value, to a location where both fullcodegen and
  Ignition expect a boolean value, which might crash or in the worst case
  (depending on the exact computation inside the CompareIC) could lead to
  arbitrary memory access.

  Short-term fix is to use the proper runtime functions (unified with the
  interpreter now) for comparisons. Next task is to provide optimized
  versions of these based on the CodeStubAssembler, which can then be used
  via code stubs in TurboFan or directly in handlers in the interpreter.

BUG=

Committed: https://crrev.com/4a6f15124ff674e8732a342c87ee17731aa721ce
Cr-Commit-Position: refs/heads/master@{#34372}
==========

[commit-bot: I haz the power, 2016-03-01 02:37:22]

Patchset 1 (id:??) landed as
https://crrev.com/4a6f15124ff674e8732a342c87ee17731aa721ce
Cr-Commit-Position: refs/heads/master@{#34372}