[cfi][arm64] Change OSR entry use of LR.

The previous uses of LR here allowed overwriting it with arbitrary addresses
that aren't signed. Change this so we never return to an arbitrary LR.

This makes a difference even when we replace the RET with a BR, because BR is
constrained by BTI, whereas RET isn't.

Bug: v8:10026
Change-Id: Ibbf326ccf0cf32f6d9541c7a82108dc0373827df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2767015Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#73507}

src/builtins/arm64/builtins-arm64.cc

@@ -2042,13 +2042,21 @@ void OnStackReplacement(MacroAssembler* masm, bool is_interpreter) {
       x1, FieldMemOperand(x1, FixedArray::OffsetOfElementAt(
                                   DeoptimizationData::kOsrPcOffsetIndex)));
 
+  // Pop the return address to this function's caller from the return stack
+  // buffer, since we'll never return to it.
+  Label jump;
+  __ Adr(lr, &jump);
+  __ Ret();
+
+  __ Bind(&jump);
+
   // Compute the target address = code_obj + header_size + osr_offset
   // <entry_addr> = <code_obj> + #header_size + <osr_offset>
   __ Add(x0, x0, x1);
-  __ Add(lr, x0, Code::kHeaderSize - kHeapObjectTag);
-
-  // And "return" to the OSR entry point of the function.
-  __ Ret();
+  UseScratchRegisterScope temps(masm);
+  temps.Exclude(x17);
+  __ Add(x17, x0, Code::kHeaderSize - kHeapObjectTag);
+  __ Br(x17);
 }
 }  // namespace
 

src/compiler/backend/arm64/code-generator-arm64.cc

@@ -3080,6 +3080,7 @@ void CodeGenerator::AssembleConstructFrame() {
       // to allocate the remaining stack slots.
       if (FLAG_code_comments) __ RecordComment("-- OSR entrypoint --");
       osr_pc_offset_ = __ pc_offset();
+      __ CodeEntry();
       size_t unoptimized_frame_slots = osr_helper()->UnoptimizedFrameSlots();
       DCHECK(call_descriptor->IsJSFunctionCall());
       DCHECK_EQ(unoptimized_frame_slots % 2, 1);