[torque] make map field const

As an escape hatch, add UnsafeConstCast() to still mutate the map
field where necessary.

Drive-by change: Refactor NewPromiseReactionJobTask to avoid unsafe
allocation and map mutations.

Bug: v8:7793
Change-Id: I90e06340c1cf048059b544f1c0a6f730f75d200c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2096675
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66766}

src/builtins/base.tq

@@ -940,6 +940,10 @@ macro UnsafeCast<A : type extends Object>(implicit context: Context)(o: Object):
   return %RawDownCast<A>(o);
 }
 
+macro UnsafeConstCast<T: type>(r: const &T):&T {
+  return %RawDownCast<&T>(r);
+}
+
 extern macro FixedArrayMapConstant(): Map;
 extern macro FixedDoubleArrayMapConstant(): Map;
 extern macro FixedCOWArrayMapConstant(): Map;

src/builtins/builtins-promise-gen.cc

@@ -28,11 +28,6 @@ void PromiseBuiltinsAssembler::ZeroOutEmbedderOffsets(
   }
 }
 
-TNode<HeapObject> PromiseBuiltinsAssembler::AllocatePromiseReactionJobTask(
-    TNode<Context> context) {
-  return Allocate(PromiseReactionJobTask::kSizeOfAllPromiseReactionJobTasks);
-}
-
 TNode<HeapObject> PromiseBuiltinsAssembler::AllocateJSPromise(
     TNode<Context> context) {
   return Allocate(JSPromise::kSizeWithEmbedderFields);

src/builtins/builtins-promise-gen.h

@@ -20,8 +20,6 @@ class V8_EXPORT_PRIVATE PromiseBuiltinsAssembler : public CodeStubAssembler {
   void ZeroOutEmbedderOffsets(TNode<JSPromise> promise);
 
   TNode<HeapObject> AllocateJSPromise(TNode<Context> context);
-
-  TNode<HeapObject> AllocatePromiseReactionJobTask(TNode<Context> context);
 };
 
 }  // namespace internal

src/builtins/promise-abstract-operations.tq

@@ -115,7 +115,8 @@ namespace promise {
         kPromiseReactionSize ==
         kPromiseReactionJobTaskSizeOfAllPromiseReactionJobTasks);
     if constexpr (reactionType == kPromiseReactionFulfill) {
-      promiseReaction.map = PromiseFulfillReactionJobTaskMapConstant();
+      * UnsafeConstCast(& promiseReaction.map) =
+          PromiseFulfillReactionJobTaskMapConstant();
       const promiseReactionJobTask =
           UnsafeCast<PromiseFulfillReactionJobTask>(promiseReaction);
       promiseReactionJobTask.argument = argument;
@@ -129,7 +130,8 @@ namespace promise {
           kPromiseReactionJobTaskPromiseOrCapabilityOffset);
     } else {
       StaticAssert(reactionType == kPromiseReactionReject);
-      promiseReaction.map = PromiseRejectReactionJobTaskMapConstant();
+      * UnsafeConstCast(& promiseReaction.map) =
+          PromiseRejectReactionJobTaskMapConstant();
       const promiseReactionJobTask =
           UnsafeCast<PromiseRejectReactionJobTask>(promiseReaction);
       promiseReactionJobTask.argument = argument;
@@ -437,28 +439,25 @@ namespace promise {
           onFulfilled, onRejected);
       promise.reactions_or_result = reaction;
     } else {
-      let map: Map;
-      let handler: Callable|Undefined = Undefined;
+      const reactionsOrResult = promise.reactions_or_result;
+      let microtask: PromiseReactionJobTask;
       let handlerContext: Context;
       if (promise.Status() == PromiseState::kFulfilled) {
-        map = PromiseFulfillReactionJobTaskMapConstant();
-        handler = onFulfilled;
         handlerContext = ExtractHandlerContext(onFulfilled, onRejected);
+        microtask = NewPromiseFulfillReactionJobTask(
+            handlerContext, reactionsOrResult, onFulfilled,
+            resultPromiseOrCapability);
       } else
         deferred {
           assert(promise.Status() == PromiseState::kRejected);
-          map = PromiseRejectReactionJobTaskMapConstant();
-          handler = onRejected;
           handlerContext = ExtractHandlerContext(onRejected, onFulfilled);
+          microtask = NewPromiseRejectReactionJobTask(
+              handlerContext, reactionsOrResult, onRejected,
+              resultPromiseOrCapability);
           if (!promise.HasHandler()) {
             runtime::PromiseRevokeReject(promise);
           }
         }
-
-      const reactionsOrResult = promise.reactions_or_result;
-      const microtask = NewPromiseReactionJobTask(
-          map, handlerContext, reactionsOrResult, handler,
-          resultPromiseOrCapability);
       EnqueueMicrotask(handlerContext, microtask);
     }
     promise.SetHasHandler();

src/builtins/promise-misc.tq

@@ -16,10 +16,6 @@ namespace promise_internal {
       void;
 
   extern macro PromiseBuiltinsAssembler::AllocateJSPromise(Context): HeapObject;
-
-  extern macro PromiseBuiltinsAssembler::AllocatePromiseReactionJobTask(
-      Context): HeapObject;
-
 }
 
 namespace promise {
@@ -45,7 +41,7 @@ namespace promise {
     assert(IsFunctionWithPrototypeSlotMap(promiseFun.map));
     const promiseMap = UnsafeCast<Map>(promiseFun.prototype_or_initial_map);
     const promiseHeapObject = promise_internal::AllocateJSPromise(context);
-    promiseHeapObject.map = promiseMap;
+    * UnsafeConstCast(& promiseHeapObject.map) = promiseMap;
     const promise = UnsafeCast<JSPromise>(promiseHeapObject);
     promise.properties_or_hash = kEmptyFixedArray;
     promise.elements = kEmptyFixedArray;
@@ -54,24 +50,36 @@ namespace promise {
     return promise;
   }
 
-  macro NewPromiseReactionJobTask(implicit context: Context)(
-      map: Map, handlerContext: Context, argument: Object,
-      handler: Callable|Undefined,
+  macro NewPromiseFulfillReactionJobTask(implicit context: Context)(
+      handlerContext: Context, argument: Object, handler: Callable|Undefined,
+      promiseOrCapability: JSPromise|PromiseCapability|
+      Undefined): PromiseFulfillReactionJobTask {
+    const nativeContext = LoadNativeContext(handlerContext);
+    return new PromiseFulfillReactionJobTask{
+      map: PromiseFulfillReactionJobTaskMapConstant(),
+      argument,
+      context: handlerContext,
+      handler,
+      promise_or_capability: promiseOrCapability,
+      continuation_preserved_embedder_data: nativeContext
+          [NativeContextSlot::CONTINUATION_PRESERVED_EMBEDDER_DATA_INDEX]
+    };
+  }
+
+  macro NewPromiseRejectReactionJobTask(implicit context: Context)(
+      handlerContext: Context, argument: Object, handler: Callable|Undefined,
       promiseOrCapability: JSPromise|PromiseCapability|
-      Undefined): PromiseReactionJobTask {
+      Undefined): PromiseRejectReactionJobTask {
     const nativeContext = LoadNativeContext(handlerContext);
-    const taskHeapObject =
-        promise_internal::AllocatePromiseReactionJobTask(context);
-    taskHeapObject.map = map;
-    const jobTask = UnsafeCast<PromiseReactionJobTask>(taskHeapObject);
-    jobTask.argument = argument;
-    jobTask.context = handlerContext;
-    jobTask.handler = handler;
-    jobTask.promise_or_capability = promiseOrCapability;
-    jobTask.continuation_preserved_embedder_data =
-        nativeContext[NativeContextSlot::
-                          CONTINUATION_PRESERVED_EMBEDDER_DATA_INDEX];
-    return jobTask;
+    return new PromiseRejectReactionJobTask{
+      map: PromiseRejectReactionJobTaskMapConstant(),
+      argument,
+      context: handlerContext,
+      handler,
+      promise_or_capability: promiseOrCapability,
+      continuation_preserved_embedder_data: nativeContext
+          [NativeContextSlot::CONTINUATION_PRESERVED_EMBEDDER_DATA_INDEX]
+    };
   }
 
   // These allocate and initialize a promise with pending state and

src/objects/heap-object.tq

@@ -4,5 +4,5 @@
 
 @abstract
 extern class HeapObject extends StrongTagged {
-  map: Map;
+  const map: Map;
 }