Revert "[ia32] Remove poisoning logic on ia32"

This reverts commit a31a6230. Reason for revert: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20nosnap%20-%20debug/21332 Original change's description: > [ia32] Remove poisoning logic on ia32 > > Poisoning has been disabled by default on ia32 a while ago. This CL > removes its logic from ia32 code generation, which will let us move > towards fuller (and unconditional) root register support. > > Bug: chromium:860429, v8:8254 > Change-Id: I8f672cf48a6ffc7bf21e7794c1b7463d7f8b9594 > Reviewed-on: https://chromium-review.googlesource.com/c/1296131 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#56978} TBR=mstarzinger@chromium.org,jarin@chromium.org,jgruber@chromium.org Change-Id: I305e9e1719fb4b3f8ef267c232723db9b52966e9 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:860429, v8:8254 Reviewed-on: https://chromium-review.googlesource.com/c/1299015Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#56980}

Revert "[ia32] Remove poisoning logic on ia32"
This reverts commit a31a6230. Reason for revert: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20nosnap%20-%20debug/21332 Original change's description: > [ia32] Remove poisoning logic on ia32 > > Poisoning has been disabled by default on ia32 a while ago. This CL > removes its logic from ia32 code generation, which will let us move > towards fuller (and unconditional) root register support. > > Bug: chromium:860429, v8:8254 > Change-Id: I8f672cf48a6ffc7bf21e7794c1b7463d7f8b9594 > Reviewed-on: https://chromium-review.googlesource.com/c/1296131 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#56978} TBR=mstarzinger@chromium.org,jarin@chromium.org,jgruber@chromium.org Change-Id: I305e9e1719fb4b3f8ef267c232723db9b52966e9 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:860429, v8:8254 Reviewed-on: https://chromium-review.googlesource.com/c/1299015Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#56980}
17f47d74 · Michael Achenbach · Commit Bot · 9cde8808 · 17f47d74 · 17f47d74
Commit 17f47d74 authored Oct 25, 2018 by Michael Achenbach Committed by Commit Bot Oct 25, 2018
10 changed files
--- a/src/builtins/ia32/builtins-ia32.cc
+++ b/src/builtins/ia32/builtins-ia32.cc
@@ -1334,8 +1334,13 @@ namespace {
 void Generate_ContinueToBuiltinHelper(MacroAssembler* masm,
                                      bool java_script_builtin,
                                      bool with_result) {
+#ifdef V8_EMBEDDED_BUILTINS
+  // TODO(v8:6666): Fold into Default config once root is fully supported.
  const RegisterConfiguration* config(
      RegisterConfiguration::PreserveRootIA32());
+#else
+  const RegisterConfiguration* config(RegisterConfiguration::Default());
+#endif
  int allocatable_register_count = config->num_allocatable_general_registers();
  if (with_result) {
    // Overwrite the hole inserted by the deoptimizer with the return value from
@@ -1365,20 +1370,32 @@ void Generate_ContinueToBuiltinHelper(MacroAssembler* masm,
 }  // namespace
 void Builtins::Generate_ContinueToCodeStubBuiltin(MacroAssembler* masm) {
+#ifdef V8_EMBEDDED_BUILTINS
+  // TODO(v8:6666): Remove the ifdef once root is preserved by default.
+#endif
  Generate_ContinueToBuiltinHelper(masm, false, false);
 }
 void Builtins::Generate_ContinueToCodeStubBuiltinWithResult(
    MacroAssembler* masm) {
+#ifdef V8_EMBEDDED_BUILTINS
+  // TODO(v8:6666): Remove the ifdef once root is preserved by default.
+#endif
  Generate_ContinueToBuiltinHelper(masm, false, true);
 }
 void Builtins::Generate_ContinueToJavaScriptBuiltin(MacroAssembler* masm) {
+#ifdef V8_EMBEDDED_BUILTINS
+  // TODO(v8:6666): Remove the ifdef once root is preserved by default.
+#endif
  Generate_ContinueToBuiltinHelper(masm, true, false);
 }
 void Builtins::Generate_ContinueToJavaScriptBuiltinWithResult(
    MacroAssembler* masm) {
+#ifdef V8_EMBEDDED_BUILTINS
+  // TODO(v8:6666): Remove the ifdef once root is preserved by default.
+#endif
  Generate_ContinueToBuiltinHelper(masm, true, true);
 }
@@ -2490,6 +2507,10 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  // If argv_mode == kArgvInRegister:
  // ecx: pointer to the first argument
+#ifdef V8_EMBEDDED_BUILTINS
+  // TODO(v8:6666): Remove the ifdef once branch load poisoning is removed.
+#endif
  STATIC_ASSERT(eax == kRuntimeCallArgCountRegister);
  STATIC_ASSERT(ecx == kRuntimeCallArgvRegister);
  STATIC_ASSERT(edx == kRuntimeCallFunctionRegister);
@@ -2611,6 +2632,17 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  __ mov(Operand(ebp, StandardFrameConstants::kContextOffset), esi);
  __ bind(&skip);
+#ifdef V8_EMBEDDED_BUILTINS
+  STATIC_ASSERT(kRootRegister == kSpeculationPoisonRegister);
+  CHECK(!FLAG_untrusted_code_mitigations);
+#else
+  // Reset the masking register. This is done independent of the underlying
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
+  // with both configurations. It is safe to always do this, because the
+  // underlying register is caller-saved and can be arbitrarily clobbered.
+  __ ResetSpeculationPoisonRegister();
+#endif
  // Compute the handler entry address and jump to it.
  __ mov(edi, __ ExternalReferenceAsOperand(pending_handler_entrypoint_address,
                                            edi));

--- a/src/compiler/ia32/code-generator-ia32.cc
+++ b/src/compiler/ia32/code-generator-ia32.cc
@@ -309,6 +309,30 @@ class OutOfLineRecordWrite final : public OutOfLineCode {
  Zone* zone_;
 };
+void MoveOperandIfAliasedWithPoisonRegister(Instruction* call_instruction,
+                                            CodeGenerator* gen) {
+  IA32OperandConverter i(gen, call_instruction);
+  int const poison_index = i.InputInt32(1);
+  if (poison_index == -1) {
+    // No aliasing -> nothing to move.
+    return;
+  }
+  i.MoveInstructionOperandToRegister(kSpeculationPoisonRegister,
+                                     call_instruction->InputAt(poison_index));
+}
+void EmitWordLoadPoisoningIfNeeded(CodeGenerator* codegen,
+                                   InstructionCode opcode, Instruction* instr,
+                                   IA32OperandConverter& i) {
+  const MemoryAccessMode access_mode =
+      static_cast<MemoryAccessMode>(MiscField::decode(opcode));
+  if (access_mode == kMemoryAccessPoisoned) {
+    Register value = i.OutputRegister();
+    codegen->tasm()->and_(value, kSpeculationPoisonRegister);
+  }
+}
 }  // namespace
 #define ASSEMBLE_COMPARE(asm_instr)                                   \
@@ -605,13 +629,23 @@ void CodeGenerator::BailoutIfDeoptimized() {
 }
 void CodeGenerator::GenerateSpeculationPoisonFromCodeStartRegister() {
-  // TODO(860429): Remove remaining poisoning infrastructure on ia32.
+  __ push(eax);  // Push eax so we can use it as a scratch register.
-  UNREACHABLE();
+  // Set a mask which has all bits set in the normal case, but has all
+  // bits cleared if we are speculatively executing the wrong PC.
+  __ ComputeCodeStartAddress(eax);
+  __ mov(kSpeculationPoisonRegister, Immediate(0));
+  __ cmp(kJavaScriptCallCodeStartRegister, eax);
+  __ mov(eax, Immediate(-1));
+  __ cmov(equal, kSpeculationPoisonRegister, eax);
+  __ pop(eax);  // Restore eax.
 }
 void CodeGenerator::AssembleRegisterArgumentPoisoning() {
-  // TODO(860429): Remove remaining poisoning infrastructure on ia32.
+  __ and_(kJSFunctionRegister, kSpeculationPoisonRegister);
-  UNREACHABLE();
+  __ and_(kContextRegister, kSpeculationPoisonRegister);
+  __ and_(esp, kSpeculationPoisonRegister);
 }
 // Assembles an instruction after register allocation, producing machine code.
@@ -622,6 +656,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
  ArchOpcode arch_opcode = ArchOpcodeField::decode(opcode);
  switch (arch_opcode) {
    case kArchCallCodeObject: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      InstructionOperand* op = instr->InputAt(0);
      if (op->IsImmediate()) {
        Handle<Code> code = i.InputCode(0);
@@ -660,6 +695,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      break;
    }
    case kArchCallWasmFunction: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      if (HasImmediateInput(instr, 0)) {
        Constant constant = i.ToConstant(instr->InputAt(0));
        Address wasm_code = static_cast<Address>(constant.ToInt32());
@@ -686,6 +722,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
    }
    case kArchTailCallCodeObjectFromJSFunction:
    case kArchTailCallCodeObject: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      if (arch_opcode == kArchTailCallCodeObjectFromJSFunction) {
        AssemblePopArgumentsAdaptorFrame(kJavaScriptCallArgCountRegister,
                                         no_reg, no_reg, no_reg);
@@ -710,6 +747,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      break;
    }
    case kArchTailCallWasm: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      if (HasImmediateInput(instr, 0)) {
        Constant constant = i.ToConstant(instr->InputAt(0));
        Address wasm_code = static_cast<Address>(constant.ToInt32());
@@ -727,6 +765,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      break;
    }
    case kArchTailCallAddress: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      CHECK(!HasImmediateInput(instr, 0));
      Register reg = i.InputRegister(0);
      DCHECK_IMPLIES(
@@ -742,6 +781,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      break;
    }
    case kArchCallJSFunction: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      Register func = i.InputRegister(0);
      if (FLAG_debug_code) {
        // Check the function's context matches the context argument.
@@ -792,6 +832,7 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      AssemblePrepareTailCall();
      break;
    case kArchCallCFunction: {
+      MoveOperandIfAliasedWithPoisonRegister(instr, this);
      int const num_parameters = MiscField::decode(instr->opcode());
      if (HasImmediateInput(instr, 0)) {
        ExternalReference ref = i.InputExternalReference(0);
@@ -1176,8 +1217,8 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      __ bswap(i.OutputRegister());
      break;
    case kArchWordPoisonOnSpeculation:
-      // TODO(860429): Remove remaining poisoning infrastructure on ia32.
+      DCHECK_EQ(i.OutputRegister(), i.InputRegister(0));
-      UNREACHABLE();
+      __ and_(i.InputRegister(0), kSpeculationPoisonRegister);
      break;
    case kLFence:
      __ lfence();
@@ -1552,9 +1593,11 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      break;
    case kIA32Movsxbl:
      ASSEMBLE_MOVX(movsx_b);
+      EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      break;
    case kIA32Movzxbl:
      ASSEMBLE_MOVX(movzx_b);
+      EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      break;
    case kIA32Movb: {
      size_t index = 0;
@@ -1564,13 +1607,16 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      } else {
        __ mov_b(operand, i.InputRegister(index));
      }
+      EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      break;
    }
    case kIA32Movsxwl:
      ASSEMBLE_MOVX(movsx_w);
+      EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      break;
    case kIA32Movzxwl:
      ASSEMBLE_MOVX(movzx_w);
+      EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      break;
    case kIA32Movw: {
      size_t index = 0;
@@ -1580,11 +1626,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      } else {
        __ mov_w(operand, i.InputRegister(index));
      }
+      EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      break;
    }
    case kIA32Movl:
      if (instr->HasOutput()) {
        __ mov(i.OutputRegister(), i.MemoryOperand());
+        EmitWordLoadPoisoningIfNeeded(this, opcode, instr, i);
      } else {
        size_t index = 0;
        Operand operand = i.MemoryOperand(&index);
@@ -3871,8 +3919,15 @@ void CodeGenerator::AssembleArchBranch(Instruction* instr, BranchInfo* branch) {
 void CodeGenerator::AssembleBranchPoisoning(FlagsCondition condition,
                                            Instruction* instr) {
-  // TODO(860429): Remove remaining poisoning infrastructure on ia32.
+  // TODO(jarin) Handle float comparisons (kUnordered[Not]Equal).
-  UNREACHABLE();
+  if (condition == kUnorderedEqual || condition == kUnorderedNotEqual) {
+    return;
+  }
+  condition = NegateFlagsCondition(condition);
+  __ setcc(FlagsConditionToCondition(condition), kSpeculationPoisonRegister);
+  __ add(kSpeculationPoisonRegister, Immediate(255));
+  __ sar(kSpeculationPoisonRegister, 31u);
 }
 void CodeGenerator::AssembleArchDeoptBranch(Instruction* instr,
@@ -4200,6 +4255,7 @@ void CodeGenerator::AssembleConstructFrame() {
    if (FLAG_code_comments) __ RecordComment("-- OSR entrypoint --");
    osr_pc_offset_ = __ pc_offset();
    shrink_slots -= osr_helper()->UnoptimizedFrameSlots();
+    ResetSpeculationPoison();
  }
  const RegList saves = call_descriptor->CalleeSavedRegisters();

--- a/src/compiler/ia32/instruction-selector-ia32.cc
+++ b/src/compiler/ia32/instruction-selector-ia32.cc
@@ -1353,6 +1353,7 @@ void VisitPairAtomicBinOp(InstructionSelector* selector, Node* node,
  // For Word64 operations, the value input is split into the a high node,
  // and a low node in the int64-lowering phase.
  Node* value_high = node->InputAt(3);
+  bool block_root_register = !FLAG_embedded_builtins;
  // Wasm lives in 32-bit address space, so we do not need to worry about
  // base/index lowering. This will need to be fixed for Wasm64.
@@ -1365,19 +1366,22 @@ void VisitPairAtomicBinOp(InstructionSelector* selector, Node* node,
  Node* projection0 = NodeProperties::FindProjection(node, 0);
  Node* projection1 = NodeProperties::FindProjection(node, 1);
  if (projection1) {
+    InstructionOperand temps[] = {g.TempRegister(ebx)};
    InstructionOperand outputs[] = {g.DefineAsFixed(projection0, eax),
                                    g.DefineAsFixed(projection1, edx)};
+    const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
    selector->Emit(code, arraysize(outputs), outputs, arraysize(inputs), inputs,
-                   0, {});
+                   num_temps, temps);
  } else if (projection0) {
    InstructionOperand outputs[] = {g.DefineAsFixed(projection0, eax)};
-    InstructionOperand temps[] = {g.TempRegister(edx)};
+    InstructionOperand temps[] = {g.TempRegister(edx), g.TempRegister(ebx)};
-    const int num_temps = arraysize(temps);
+    const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
    selector->Emit(code, arraysize(outputs), outputs, arraysize(inputs), inputs,
                   num_temps, temps);
  } else {
-    InstructionOperand temps[] = {g.TempRegister(eax), g.TempRegister(edx)};
+    InstructionOperand temps[] = {g.TempRegister(eax), g.TempRegister(edx),
-    const int num_temps = arraysize(temps);
+                                  g.TempRegister(ebx)};
+    const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
    selector->Emit(code, 0, nullptr, arraysize(inputs), inputs, num_temps,
                   temps);
  }
@@ -1799,6 +1803,7 @@ void InstructionSelector::VisitWord32AtomicPairStore(Node* node) {
  Node* index = node->InputAt(1);
  Node* value = node->InputAt(2);
  Node* value_high = node->InputAt(3);
+  bool block_root_register = !FLAG_embedded_builtins;
  AddressingMode addressing_mode;
  InstructionOperand inputs[] = {
@@ -1808,8 +1813,9 @@ void InstructionSelector::VisitWord32AtomicPairStore(Node* node) {
  // Allocating temp registers here as stores are performed using an atomic
  // exchange, the output of which is stored in edx:eax, which should be saved
  // and restored at the end of the instruction.
-  InstructionOperand temps[] = {g.TempRegister(eax), g.TempRegister(edx)};
+  InstructionOperand temps[] = {g.TempRegister(eax), g.TempRegister(edx),
-  const int num_temps = arraysize(temps);
+                                g.TempRegister(ebx)};
+  const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
  InstructionCode code =
      kIA32Word32AtomicPairStore | AddressingModeField::encode(addressing_mode);
  Emit(code, 0, nullptr, arraysize(inputs), inputs, num_temps, temps);
@@ -1843,6 +1849,7 @@ void InstructionSelector::VisitWord32AtomicPairCompareExchange(Node* node) {
  IA32OperandGenerator g(this);
  Node* index = node->InputAt(1);
  AddressingMode addressing_mode;
+  bool block_root_register = !FLAG_embedded_builtins;
  InstructionOperand inputs[] = {
      // High, Low values of old value
@@ -1859,18 +1866,22 @@ void InstructionSelector::VisitWord32AtomicPairCompareExchange(Node* node) {
                         AddressingModeField::encode(addressing_mode);
  if (projection1) {
+    InstructionOperand temps[] = {g.TempRegister(ebx)};
    InstructionOperand outputs[] = {g.DefineAsFixed(projection0, eax),
                                    g.DefineAsFixed(projection1, edx)};
-    Emit(code, arraysize(outputs), outputs, arraysize(inputs), inputs, 0, {});
+    const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
+    Emit(code, arraysize(outputs), outputs, arraysize(inputs), inputs,
+         num_temps, temps);
  } else if (projection0) {
    InstructionOperand outputs[] = {g.DefineAsFixed(projection0, eax)};
-    InstructionOperand temps[] = {g.TempRegister(edx)};
+    InstructionOperand temps[] = {g.TempRegister(edx), g.TempRegister(ebx)};
-    const int num_temps = arraysize(temps);
+    const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
    Emit(code, arraysize(outputs), outputs, arraysize(inputs), inputs,
         num_temps, temps);
  } else {
-    InstructionOperand temps[] = {g.TempRegister(eax), g.TempRegister(edx)};
+    InstructionOperand temps[] = {g.TempRegister(eax), g.TempRegister(edx),
-    const int num_temps = arraysize(temps);
+                                  g.TempRegister(ebx)};
+    const int num_temps = arraysize(temps) - (block_root_register ? 0 : 1);
    Emit(code, 0, nullptr, arraysize(inputs), inputs, num_temps, temps);
  }
 }

--- a/src/compiler/instruction-selector.cc
+++ b/src/compiler/instruction-selector.cc
@@ -1015,7 +1015,7 @@ void InstructionSelector::InitializeCallBuffer(Node* call, CallBuffer* buffer,
      if (poisoning_level_ != PoisoningMitigationLevel::kDontPoison &&
          unallocated.HasFixedRegisterPolicy()) {
        int reg = unallocated.fixed_register_index();
-        if (Register::from_code(reg) == kSpeculationPoisonRegister) {
+        if (reg == kSpeculationPoisonRegister.code()) {
          buffer->instruction_args[poison_alias_index] = g.TempImmediate(
              static_cast<int32_t>(buffer->instruction_args.size()));
          op = g.UseRegisterOrSlotOrConstant(*iter);
@@ -2590,6 +2590,7 @@ void InstructionSelector::VisitCall(Node* node, BasicBlock* handler) {
  if (flags & CallDescriptor::kAllowCallThroughSlot) {
    // TODO(v8:6666): Remove kAllowCallThroughSlot and use a pc-relative call
    // instead once builtins are embedded in every build configuration.
+    DCHECK(FLAG_embedded_builtins);
    call_buffer_flags |= kAllowCallThroughSlot;
 #ifndef V8_TARGET_ARCH_32_BIT
    // kAllowCallThroughSlot is only supported on ia32.

--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -2458,24 +2458,28 @@ bool PipelineImpl::SelectInstructions(Linkage* linkage) {
    std::unique_ptr<const RegisterConfiguration> config;
    config.reset(RegisterConfiguration::RestrictGeneralRegisters(registers));
    AllocateRegisters(config.get(), call_descriptor, run_verifier);
-#ifdef V8_TARGET_ARCH_IA32
+  } else if (data->info()->GetPoisoningMitigationLevel() !=
+             PoisoningMitigationLevel::kDontPoison) {
+#if defined(V8_TARGET_ARCH_IA32)
+    DCHECK(!FLAG_embedded_builtins);
+#endif
+    AllocateRegisters(RegisterConfiguration::Poisoning(), call_descriptor,
+                      run_verifier);
  } else {
+#if defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
    // TODO(v8:6666): Ensure that that this configuration cooperates with
    // restricted allocatable registers above, i.e. that we guarantee a
    // restricted configuration cannot allocate kRootRegister on ia32.
+    static_assert(kRootRegister == kSpeculationPoisonRegister,
+                  "The following checks assume root equals poison register");
+    CHECK(!FLAG_untrusted_code_mitigations);
    AllocateRegisters(RegisterConfiguration::PreserveRootIA32(),
                      call_descriptor, run_verifier);
-  }
 #else
-  } else if (data->info()->GetPoisoningMitigationLevel() !=
-             PoisoningMitigationLevel::kDontPoison) {
-    AllocateRegisters(RegisterConfiguration::Poisoning(), call_descriptor,
-                      run_verifier);
-  } else {
    AllocateRegisters(RegisterConfiguration::Default(), call_descriptor,
                      run_verifier);
+#endif  // defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
  }
-#endif  // V8_TARGET_ARCH_IA32
  // Verify the instruction sequence has the same hash in two stages.
  VerifyGeneratedCodeIsIdempotent();

--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -4630,12 +4630,12 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
          args[pos++] = undefined_node;
        }
+        CallDescriptor::Flags flags = CallDescriptor::kNoFlags;
 #ifdef V8_TARGET_ARCH_IA32
        // TODO(v8:6666): Remove kAllowCallThroughSlot and use a pc-relative
        // call instead once builtins are embedded in every build configuration.
-        CallDescriptor::Flags flags = CallDescriptor::kAllowCallThroughSlot;
+        flags = FLAG_embedded_builtins ? CallDescriptor::kAllowCallThroughSlot
-#else
+                                       : CallDescriptor::kNoFlags;
-        CallDescriptor::Flags flags = CallDescriptor::kNoFlags;
 #endif
        auto call_descriptor = Linkage::GetStubCallDescriptor(
            mcgraph()->zone(), ArgumentsAdaptorDescriptor{}, 1 + wasm_count,

--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -809,9 +809,16 @@ void Deoptimizer::DoComputeOutputFrames() {
    }
  }
-  FrameDescription* topmost = output_[count - 1];
+#if defined(V8_TARGET_ARCH_IA32)
-  topmost->GetRegisterValues()->SetRegister(kRootRegister.code(),
+  constexpr bool kShouldInitializeRootRegister = FLAG_embedded_builtins;
-                                            isolate()->isolate_root());
+#else
+  constexpr bool kShouldInitializeRootRegister = true;
+#endif
+  if (kShouldInitializeRootRegister) {
+    FrameDescription* topmost = output_[count - 1];
+    topmost->GetRegisterValues()->SetRegister(kRootRegister.code(),
+                                              isolate()->isolate_root());
+  }
  // Print some helpful diagnostic information.
  if (trace_scope_ != nullptr) {
@@ -1477,7 +1484,7 @@ void Deoptimizer::DoComputeBuiltinContinuation(
  const bool must_handle_result =
      !is_topmost || deopt_kind_ == DeoptimizeKind::kLazy;
-#ifdef V8_TARGET_ARCH_IA32
+#if defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
  // TODO(v8:6666): Fold into Default config once root is fully supported.
  const RegisterConfiguration* config(
      RegisterConfiguration::PreserveRootIA32());

--- a/src/ia32/macro-assembler-ia32.cc
+++ b/src/ia32/macro-assembler-ia32.cc
@@ -46,6 +46,10 @@ MacroAssembler::MacroAssembler(Isolate* isolate,
 }
 void TurboAssembler::InitializeRootRegister() {
+  // TODO(v8:6666): Initialize unconditionally once poisoning support has been
+  // removed.
+  if (!FLAG_embedded_builtins) return;
  ExternalReference isolate_root = ExternalReference::isolate_root(isolate());
  Move(kRootRegister, Immediate(isolate_root));
 }
@@ -1995,6 +1999,10 @@ void TurboAssembler::ComputeCodeStartAddress(Register dst) {
  }
 }
+void TurboAssembler::ResetSpeculationPoisonRegister() {
+  mov(kSpeculationPoisonRegister, Immediate(-1));
+}
 }  // namespace internal
 }  // namespace v8

--- a/src/ia32/macro-assembler-ia32.h
+++ b/src/ia32/macro-assembler-ia32.h
@@ -21,6 +21,7 @@ constexpr Register kReturnRegister2 = edi;
 constexpr Register kJSFunctionRegister = edi;
 constexpr Register kContextRegister = esi;
 constexpr Register kAllocateSizeRegister = edx;
+constexpr Register kSpeculationPoisonRegister = ebx;
 constexpr Register kInterpreterAccumulatorRegister = eax;
 constexpr Register kInterpreterBytecodeOffsetRegister = edx;
 constexpr Register kInterpreterBytecodeArrayRegister = edi;
@@ -48,9 +49,6 @@ constexpr Register kWasmCompileLazyFuncIndexRegister = edi;
 constexpr Register kRootRegister = ebx;
-// TODO(860429): Remove remaining poisoning infrastructure on ia32.
-constexpr Register kSpeculationPoisonRegister = no_reg;
 // Convenience for platform-independent signatures.  We do not normally
 // distinguish memory operands from other operands on ia32.
 typedef Operand MemOperand;
@@ -456,8 +454,7 @@ class V8_EXPORT_PRIVATE TurboAssembler : public TurboAssemblerBase {
  // This is an alternative to embedding the {CodeObject} handle as a reference.
  void ComputeCodeStartAddress(Register dst);
-  // TODO(860429): Remove remaining poisoning infrastructure on ia32.
+  void ResetSpeculationPoisonRegister();
-  void ResetSpeculationPoisonRegister() { UNREACHABLE(); }
 };
 // MacroAssembler implements a collection of frequently used macros.

--- a/src/register-configuration.cc
+++ b/src/register-configuration.cc
@@ -166,7 +166,7 @@ static base::LazyInstance<ArchDefaultPoisoningRegisterConfiguration,
                          PoisoningRegisterConfigurationInitializer>::type
    kDefaultPoisoningRegisterConfiguration = LAZY_INSTANCE_INITIALIZER;
-#ifdef V8_TARGET_ARCH_IA32
+#if defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
 // Allocatable registers with the root register removed.
 // TODO(v8:6666): Once all builtins have been migrated, we could remove this
 // configuration and remove kRootRegister from ALLOCATABLE_GENERAL_REGISTERS
@@ -213,7 +213,7 @@ struct PreserveRootIA32RegisterConfigurationInitializer {
 static base::LazyInstance<ArchPreserveRootIA32RegisterConfiguration,
                          PreserveRootIA32RegisterConfigurationInitializer>::
    type kPreserveRootIA32RegisterConfiguration = LAZY_INSTANCE_INITIALIZER;
-#endif  // V8_TARGET_ARCH_IA32
+#endif  // defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
 // RestrictedRegisterConfiguration uses the subset of allocatable general
 // registers the architecture support, which results into generating assembly
@@ -267,11 +267,11 @@ const RegisterConfiguration* RegisterConfiguration::Poisoning() {
  return &kDefaultPoisoningRegisterConfiguration.Get();
 }
-#ifdef V8_TARGET_ARCH_IA32
+#if defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
 const RegisterConfiguration* RegisterConfiguration::PreserveRootIA32() {
  return &kPreserveRootIA32RegisterConfiguration.Get();
 }
-#endif  // V8_TARGET_ARCH_IA32
+#endif  // defined(V8_TARGET_ARCH_IA32) && defined(V8_EMBEDDED_BUILTINS)
 const RegisterConfiguration* RegisterConfiguration::RestrictGeneralRegisters(
    RegList registers) {