[torque] Get rid of @noVerifier annotation on PromiseReactionJobTask

Include API-instantiated functions in the definition of Callable so
that PromiseReactionJobTask::handler can verify correctly. Also make
Callable verification stricter regarding JSProxy instances: they must
have the callable bit set.

Also update test-weak-references to use a different object type, since
FeedbackVector::optimized_code_weak_or_smi should never point to a
FixedArray.

Bug: v8:9311
Change-Id: I4242df993e381a75f5b53302fee8fd2b12e96d34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1650563
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62153}

src/builtins/base.tq

@@ -513,7 +513,7 @@ extern class PrototypeInfo extends Struct {
   prototype_users: WeakArrayList | Zero;
   registry_slot: Smi;
   validity_cell: Object;
-  @noVerifier object_create_map: Smi | WeakArrayList;
+  @noVerifier object_create_map: Map | Undefined;
   bit_field: Smi;
 }
 
@@ -570,7 +570,17 @@ extern class JSBoundFunction extends JSObject {
   bound_arguments: FixedArray;
 }
 
-type Callable = JSFunction | JSBoundFunction | JSProxy;
+// Specialized types. The following two type definitions don't correspond to
+// actual C++ classes, but have Is... methods that check additional constraints.
+
+// A function built with InstantiateFunction for the public API.
+type CallableApiObject extends HeapObject;
+
+// A JSProxy with the callable bit set.
+type CallableJSProxy extends JSProxy;
+
+type Callable =
+    JSFunction | JSBoundFunction | CallableJSProxy | CallableApiObject;
 
 extern operator '.length_intptr' macro LoadAndUntagFixedArrayBaseLength(
     FixedArrayBase): intptr;
@@ -1147,7 +1157,7 @@ extern class PromiseReaction extends Struct {
 extern class PromiseReactionJobTask extends Microtask {
   argument: Object;
   context: Context;
-  @noVerifier handler: Callable | Undefined;
+  handler: Callable | Undefined;
   promise_or_capability: JSPromise | PromiseCapability | Undefined;
 }
 

src/diagnostics/objects-debug.cc

@@ -1373,11 +1373,7 @@ void CallableTask::CallableTaskVerify(Isolate* isolate) {
 
 USE_TORQUE_VERIFIER(CallbackTask)
 
-void PromiseReactionJobTask::PromiseReactionJobTaskVerify(Isolate* isolate) {
-  TorqueGeneratedClassVerifiers::PromiseReactionJobTaskVerify(*this, isolate);
-  VerifyHeapPointer(isolate, handler());
-  CHECK(handler().IsUndefined(isolate) || handler().IsCallable());
-}
+USE_TORQUE_VERIFIER(PromiseReactionJobTask)
 
 USE_TORQUE_VERIFIER(PromiseFulfillReactionJobTask)
 

src/heap/factory.cc

@@ -3802,7 +3802,8 @@ Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<NativeContext> context,
   return map;
 }
 
-Handle<LoadHandler> Factory::NewLoadHandler(int data_count) {
+Handle<LoadHandler> Factory::NewLoadHandler(int data_count,
+                                            AllocationType allocation) {
   Handle<Map> map;
   switch (data_count) {
     case 1:
@@ -3817,7 +3818,7 @@ Handle<LoadHandler> Factory::NewLoadHandler(int data_count) {
     default:
       UNREACHABLE();
   }
-  return handle(LoadHandler::cast(New(map, AllocationType::kOld)), isolate());
+  return handle(LoadHandler::cast(New(map, allocation)), isolate());
 }
 
 Handle<StoreHandler> Factory::NewStoreHandler(int data_count) {

src/heap/factory.h

@@ -892,7 +892,8 @@ class V8_EXPORT_PRIVATE Factory {
   Handle<Map> ObjectLiteralMapFromCache(Handle<NativeContext> native_context,
                                         int number_of_properties);
 
-  Handle<LoadHandler> NewLoadHandler(int data_count);
+  Handle<LoadHandler> NewLoadHandler(
+      int data_count, AllocationType allocation = AllocationType::kOld);
   Handle<StoreHandler> NewStoreHandler(int data_count);
 
   Handle<RegExpMatchInfo> NewRegExpMatchInfo();

src/objects/object-list-macros.h

@@ -249,9 +249,16 @@ class ZoneForwardList;
 
 #define HEAP_OBJECT_TEMPLATE_TYPE_LIST(V) V(HashTable)
 
+// Logical sub-types of heap objects that don't correspond to a C++ class but
+// represent some specialization in terms of additional constraints.
+#define HEAP_OBJECT_SPECIALIZED_TYPE_LIST(V) \
+  V(CallableApiObject)                       \
+  V(CallableJSProxy)
+
 #define HEAP_OBJECT_TYPE_LIST(V)    \
   HEAP_OBJECT_ORDINARY_TYPE_LIST(V) \
-  HEAP_OBJECT_TEMPLATE_TYPE_LIST(V)
+  HEAP_OBJECT_TEMPLATE_TYPE_LIST(V) \
+  HEAP_OBJECT_SPECIALIZED_TYPE_LIST(V)
 
 #define ODDBALL_LIST(V)                 \
   V(Undefined, undefined_value)         \

src/objects/objects-inl.h

@@ -152,6 +152,16 @@ bool HeapObject::IsFunction() const {
 
 bool HeapObject::IsCallable() const { return map().is_callable(); }
 
+bool HeapObject::IsCallableJSProxy() const {
+  return IsCallable() && IsJSProxy();
+}
+
+bool HeapObject::IsCallableApiObject() const {
+  InstanceType type = map().instance_type();
+  return IsCallable() &&
+         (type == JS_API_OBJECT_TYPE || type == JS_SPECIAL_API_OBJECT_TYPE);
+}
+
 bool HeapObject::IsConstructor() const { return map().is_constructor(); }
 
 bool HeapObject::IsModuleInfo() const {