[ubsan] Use Address parameters for calling generated code

The simulated C++ signature for generated code entry points should
rely on primitive values (as opposed to ObjectPtr).

Bug: v8:3770
Change-Id: I6f6f4dc8a93c7ba46bfc7052dc4745b16e9fd62f
Reviewed-on: https://chromium-review.googlesource.com/c/1386875Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58409}

src/builtins/arm/builtins-arm.cc

@@ -532,9 +532,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
-//      Object * new_target, Object * target, Object * receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//  using JSEntryFunction = GeneratedCode<Address(
+//      Address new_target, Address target, Address receiver, int argc,
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                              Builtins::Name entry_trampoline) {
   // r0:                            code entry

src/builtins/arm64/builtins-arm64.cc

@@ -601,9 +601,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
-//      Object * new_target, Object * target, Object * receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//  using JSEntryFunction = GeneratedCode<Address(
+//      Address new_target, Address target, Address receiver, int argc,
+//      Address** args, Address root_register_value)>;
 //
 // Input:
 //   x0: code entry.

src/builtins/ia32/builtins-ia32.cc

@@ -373,9 +373,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
-//      Object * new_target, Object * target, Object * receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//  using JSEntryFunction = GeneratedCode<Address(
+//      Address new_target, Address target, Address receiver, int argc,
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                              Builtins::Name entry_trampoline) {
   Label invoke, handler_entry, exit;

src/builtins/mips/builtins-mips.cc

@@ -395,9 +395,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
-//      Object * new_target, Object * target, Object * receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//  using JSEntryFunction = GeneratedCode<Address(
+//      Address new_target, Address target, Address receiver, int argc,
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                              Builtins::Name entry_trampoline) {
   Label invoke, handler_entry, exit;

src/builtins/mips64/builtins-mips64.cc

@@ -540,9 +540,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
-//      Object * new_target, Object * target, Object * receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//  using JSEntryFunction = GeneratedCode<Address(
+//      Address new_target, Address target, Address receiver, int argc,
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                              Builtins::Name entry_trampoline) {
   Label invoke, handler_entry, exit;

src/builtins/x64/builtins-x64.cc

@@ -367,9 +367,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
-//      Object * new_target, Object * target, Object * receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//  using JSEntryFunction = GeneratedCode<Address(
+//      Address new_target, Address target, Address receiver, int argc,
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                              Builtins::Name entry_trampoline) {
   Label invoke, handler_entry, exit;
@@ -555,11 +555,11 @@ void Builtins::Generate_JSRunMicrotasksEntry(MacroAssembler* masm) {
 static void Generate_JSEntryTrampolineHelper(MacroAssembler* masm,
                                              bool is_construct) {
   // Expects five C++ function parameters.
-  // - Object* new_target
-  // - JSFunction function
-  // - Object* receiver
+  // - Address new_target (tagged Object pointer)
+  // - Address function (tagged JSFunction pointer)
+  // - Address receiver (tagged Object pointer)
   // - int argc
-  // - Object*** argv
+  // - Address** argv (pointer to array of tagged Object pointers)
   // (see Handle::Invoke in execution.cc).
 
   // Open a C++ scope for the FrameScope.

src/execution.cc

@@ -253,7 +253,7 @@ V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
   }
 
   // Placeholder for return value.
-  Object* value = nullptr;
+  ObjectPtr value;
 
   Handle<Code> code =
       JSEntry(isolate, params.execution_target, params.is_construct);
@@ -270,9 +270,11 @@ V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
     SaveContext save(isolate);
     SealHandleScope shs(isolate);
     // clang-format off
-    using JSEntryFunction = GeneratedCode<Object*(
-        Object* new_target, Object* target, Object* receiver, int argc,
-        Object*** argv, Address root_register_value)>;
+    // {new_target}, {target}, {receiver}, return value: tagged pointers
+    // {argv}: pointer to array of tagged pointers
+    using JSEntryFunction = GeneratedCode<Address(
+        Address new_target, Address target, Address receiver, int argc,
+        Address** argv, Address root_register_value)>;
     // clang-format on
     JSEntryFunction stub_entry =
         JSEntryFunction::FromAddress(isolate, code->InstructionStart());
@@ -280,16 +282,16 @@ V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
     if (FLAG_clear_exceptions_on_js_entry) isolate->clear_pending_exception();
 
     // Call the function through the right JS entry stub.
-    Object* orig_func = *params.new_target;
-    Object* func = *params.target;
-    Object* recv = *params.receiver;
-    Object*** argv = reinterpret_cast<Object***>(params.argv);
+    Address orig_func = params.new_target->ptr();
+    Address func = params.target->ptr();
+    Address recv = params.receiver->ptr();
+    Address** argv = reinterpret_cast<Address**>(params.argv);
     if (FLAG_profile_deserialization && params.target->IsJSFunction()) {
       PrintDeserializedCodeInfo(Handle<JSFunction>::cast(params.target));
     }
     RuntimeCallTimerScope timer(isolate, RuntimeCallCounterId::kJS_Execution);
-    value = stub_entry.Call(orig_func, func, recv, params.argc, argv,
-                            isolate->isolate_data()->isolate_root());
+    value = ObjectPtr(stub_entry.Call(orig_func, func, recv, params.argc, argv,
+                                      isolate->isolate_data()->isolate_root()));
   }
 
 #ifdef VERIFY_HEAP