[ubsan] Use Address parameters for calling generated code

The simulated C++ signature for generated code entry points should rely on primitive values (as opposed to ObjectPtr). Bug: v8:3770 Change-Id: I6f6f4dc8a93c7ba46bfc7052dc4745b16e9fd62f Reviewed-on: https://chromium-review.googlesource.com/c/1386875Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#58409}

[ubsan] Use Address parameters for calling generated code
The simulated C++ signature for generated code entry points should rely on primitive values (as opposed to ObjectPtr). Bug: v8:3770 Change-Id: I6f6f4dc8a93c7ba46bfc7052dc4745b16e9fd62f Reviewed-on: https://chromium-review.googlesource.com/c/1386875Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#58409}
42b4180d · Jakob Kummerow · Commit Bot · a01508e2 · 42b4180d · 42b4180d
Commit 42b4180d authored Dec 20, 2018 by Jakob Kummerow Committed by Commit Bot Dec 20, 2018
7 changed files
--- a/src/builtins/arm/builtins-arm.cc
+++ b/src/builtins/arm/builtins-arm.cc
@@ -532,9 +532,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
+//  using JSEntryFunction = GeneratedCode<Address(
-//      Object * new_target, Object * target, Object * receiver, int argc,
+//      Address new_target, Address target, Address receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                             Builtins::Name entry_trampoline) {
  // r0:                            code entry

--- a/src/builtins/arm64/builtins-arm64.cc
+++ b/src/builtins/arm64/builtins-arm64.cc
@@ -601,9 +601,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
+//  using JSEntryFunction = GeneratedCode<Address(
-//      Object * new_target, Object * target, Object * receiver, int argc,
+//      Address new_target, Address target, Address receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//      Address** args, Address root_register_value)>;
 //
 // Input:
 //   x0: code entry.

--- a/src/builtins/ia32/builtins-ia32.cc
+++ b/src/builtins/ia32/builtins-ia32.cc
@@ -373,9 +373,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
+//  using JSEntryFunction = GeneratedCode<Address(
-//      Object * new_target, Object * target, Object * receiver, int argc,
+//      Address new_target, Address target, Address receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                             Builtins::Name entry_trampoline) {
  Label invoke, handler_entry, exit;

--- a/src/builtins/mips/builtins-mips.cc
+++ b/src/builtins/mips/builtins-mips.cc
@@ -395,9 +395,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
+//  using JSEntryFunction = GeneratedCode<Address(
-//      Object * new_target, Object * target, Object * receiver, int argc,
+//      Address new_target, Address target, Address receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                             Builtins::Name entry_trampoline) {
  Label invoke, handler_entry, exit;

--- a/src/builtins/mips64/builtins-mips64.cc
+++ b/src/builtins/mips64/builtins-mips64.cc
@@ -540,9 +540,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
+//  using JSEntryFunction = GeneratedCode<Address(
-//      Object * new_target, Object * target, Object * receiver, int argc,
+//      Address new_target, Address target, Address receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                             Builtins::Name entry_trampoline) {
  Label invoke, handler_entry, exit;

--- a/src/builtins/x64/builtins-x64.cc
+++ b/src/builtins/x64/builtins-x64.cc
@@ -367,9 +367,9 @@ namespace {
 // Called with the native C calling convention. The corresponding function
 // signature is:
 //
-//  using JSEntryFunction = GeneratedCode<Object*(
+//  using JSEntryFunction = GeneratedCode<Address(
-//      Object * new_target, Object * target, Object * receiver, int argc,
+//      Address new_target, Address target, Address receiver, int argc,
-//      Object*** args, Address root_register_value)>;
+//      Address** args, Address root_register_value)>;
 void Generate_JSEntryVariant(MacroAssembler* masm, StackFrame::Type type,
                             Builtins::Name entry_trampoline) {
  Label invoke, handler_entry, exit;
@@ -555,11 +555,11 @@ void Builtins::Generate_JSRunMicrotasksEntry(MacroAssembler* masm) {
 static void Generate_JSEntryTrampolineHelper(MacroAssembler* masm,
                                             bool is_construct) {
  // Expects five C++ function parameters.
-  // - Object* new_target
+  // - Address new_target (tagged Object pointer)
-  // - JSFunction function
+  // - Address function (tagged JSFunction pointer)
-  // - Object* receiver
+  // - Address receiver (tagged Object pointer)
  // - int argc
-  // - Object*** argv
+  // - Address** argv (pointer to array of tagged Object pointers)
  // (see Handle::Invoke in execution.cc).
  // Open a C++ scope for the FrameScope.

--- a/src/execution.cc
+++ b/src/execution.cc
@@ -253,7 +253,7 @@ V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
  }
  // Placeholder for return value.
-  Object* value = nullptr;
+  ObjectPtr value;
  Handle<Code> code =
      JSEntry(isolate, params.execution_target, params.is_construct);
@@ -270,9 +270,11 @@ V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
    SaveContext save(isolate);
    SealHandleScope shs(isolate);
    // clang-format off
-    using JSEntryFunction = GeneratedCode<Object*(
+    // {new_target}, {target}, {receiver}, return value: tagged pointers
-        Object* new_target, Object* target, Object* receiver, int argc,
+    // {argv}: pointer to array of tagged pointers
-        Object*** argv, Address root_register_value)>;
+    using JSEntryFunction = GeneratedCode<Address(
+        Address new_target, Address target, Address receiver, int argc,
+        Address** argv, Address root_register_value)>;
    // clang-format on
    JSEntryFunction stub_entry =
        JSEntryFunction::FromAddress(isolate, code->InstructionStart());
@@ -280,16 +282,16 @@ V8_WARN_UNUSED_RESULT MaybeHandle<Object> Invoke(Isolate* isolate,
    if (FLAG_clear_exceptions_on_js_entry) isolate->clear_pending_exception();
    // Call the function through the right JS entry stub.
-    Object* orig_func = *params.new_target;
+    Address orig_func = params.new_target->ptr();
-    Object* func = *params.target;
+    Address func = params.target->ptr();
-    Object* recv = *params.receiver;
+    Address recv = params.receiver->ptr();
-    Object*** argv = reinterpret_cast<Object***>(params.argv);
+    Address** argv = reinterpret_cast<Address**>(params.argv);
    if (FLAG_profile_deserialization && params.target->IsJSFunction()) {
      PrintDeserializedCodeInfo(Handle<JSFunction>::cast(params.target));
    }
    RuntimeCallTimerScope timer(isolate, RuntimeCallCounterId::kJS_Execution);
-    value = stub_entry.Call(orig_func, func, recv, params.argc, argv,
+    value = ObjectPtr(stub_entry.Call(orig_func, func, recv, params.argc, argv,
-                            isolate->isolate_data()->isolate_root());
+                                      isolate->isolate_data()->isolate_root()));
  }
 #ifdef VERIFY_HEAP