AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[ptr-compr] Decompress when doing map and equality checks

Browse Source 
Fixes the crash stated in the chromium bug.

We weren't decompressing before CheckMap which resulted in a crash.
Implemented the same for CompareMap.

Bug: chromium:963917
Change-Id: I1dcaf6845758c7266bbc7d9ecc9e43cf8d6b639a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617252
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61646}
This commit is contained in:
Santiago Aboy Solanes 2019-05-17 14:01:01 +01:00 committed by Commit Bot
parent 9850002401
commit 823ad57637
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/compiler/effect-control-linearizer.cc
View File

@ -1735,6 +1735,11 @@ Node* EffectControlLinearizer::LowerPoisonIndex(Node* node) {
void EffectControlLinearizer::LowerCheckMaps(Node* node, Node* frame_state) {
CheckMapsParameters const& p = CheckMapsParametersOf(node->op());
Node* value = node->InputAt(0);
// TODO(v8:8982): Eliminate this decompression when the lightweight map and
// equality checks of compressed values are in place
if (COMPRESS_POINTERS_BOOL) {
value = graph()->NewNode(machine()->ChangeCompressedToTagged(), value);
}
ZoneHandleSet<Map> const& maps = p.maps();
size_t const map_count = maps.size();
@ -1844,6 +1849,11 @@ Node* EffectControlLinearizer::LowerCompareMaps(Node* node) {
ZoneHandleSet<Map> const& maps = CompareMapsParametersOf(node->op());
size_t const map_count = maps.size();
Node* value = node->InputAt(0);
// TODO(v8:8982): Eliminate this decompression when the lightweight map and
// equality checks of compressed values are in place
if (COMPRESS_POINTERS_BOOL) {
value = graph()->NewNode(machine()->ChangeCompressedToTagged(), value);
}
auto done = __ MakeLabel(MachineRepresentation::kBit);