[sparkplug] Fix frames during interrupts on x64

The StackGuard in the sparkplug prologue builtin on x64 was called with the frame in a weird state; in particular, the baseline code PC wasn't on the stack. This could lead to oddities like the baseline code getting collected by a GC during the interrupt. Now we push the baseline code return address and set up a proper frame for the interrupt. Bug: v8:11420 Change-Id: I03b4c2f2d204ad413c5f54f9e8fc28182edf9085 Fixed: chromium:1177219 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704658 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#72858}

[sparkplug] Fix frames during interrupts on x64
The StackGuard in the sparkplug prologue builtin on x64 was called with the frame in a weird state; in particular, the baseline code PC wasn't on the stack. This could lead to oddities like the baseline code getting collected by a GC during the interrupt. Now we push the baseline code return address and set up a proper frame for the interrupt. Bug: v8:11420 Change-Id: I03b4c2f2d204ad413c5f54f9e8fc28182edf9085 Fixed: chromium:1177219 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704658 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#72858}
70e6298e · Leszek Swirski · Commit Bot · a2c31f74 · 70e6298e
Commit 70e6298e authored Feb 19, 2021 by Leszek Swirski Committed by Commit Bot Feb 19, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 9 deletions

builtins-x64.cc src/builtins/x64/builtins-x64.cc +12 -9

No files found.
--- a/src/builtins/x64/builtins-x64.cc
+++ b/src/builtins/x64/builtins-x64.cc
@@ -1644,8 +1644,6 @@ void Builtins::Generate_BaselineOutOfLinePrologue(MacroAssembler* masm) {
  __ incl(
      FieldOperand(feedback_vector, FeedbackVector::kInvocationCountOffset));

-  // Normally r12 is callee saved, but since this isn't a "real" call, we know
-  // that the baseline code doesn't care about r12, so we can reuse it here.
  Register return_address = r12;

  __ RecordComment("[ Frame Setup");
@@ -1714,7 +1712,7 @@ void Builtins::Generate_BaselineOutOfLinePrologue(MacroAssembler* masm) {

  // Push the return address back onto the stack for return.
  __ PushReturnAddressFrom(return_address);
-  // Do "fast" return to caller pushed pc.
+  // Return to caller pushed pc, without any frame teardown.
  __ Ret();

  __ bind(&has_optimized_code_or_marker);
@@ -1734,13 +1732,18 @@ void Builtins::Generate_BaselineOutOfLinePrologue(MacroAssembler* masm) {
  __ bind(&call_stack_guard);
  {
    __ RecordComment("[ Stack/interrupt call");
-    // Save incoming new target or generator
-    __ Push(kJavaScriptCallNewTargetRegister);
-    __ CallRuntime(Runtime::kStackGuard, 0);
-    __ Pop(kJavaScriptCallNewTargetRegister);
+    {
+      // Push the baseline code return address now, as if it had been pushed by
+      // the call to this builtin.
+      __ PushReturnAddressFrom(return_address);
+      FrameScope frame_scope(masm, StackFrame::INTERNAL);
+      // Save incoming new target or generator
+      __ Push(kJavaScriptCallNewTargetRegister);
+      __ CallRuntime(Runtime::kStackGuard, 0);
+      __ Pop(kJavaScriptCallNewTargetRegister);
+    }

-    // Push the return address back onto the stack for return.
-    __ PushReturnAddressFrom(return_address);
+    // Return to caller pushed pc, without any frame teardown.
    __ Ret();
    __ RecordComment("]");
  }