[compiler] Fix CPP builtins extra arguments position when V8_REVERSE_JSARGS is set

Fix arguments order when a call to a CPP builtin is inlined.
When V8_REVERSE_JSARGS is set, the arguments should be reversed and the extra builtin parameters should be pushed last, that is, the input nodes should be located before the function arguments.

Change-Id: Icfcee15bf9e596b236bfd2615a73ce101c87857d
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218289
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68175}

src/compiler/js-typed-lowering.cc

@@ -1476,17 +1476,34 @@ void ReduceBuiltin(JSGraph* jsgraph, Node* node, int builtin_index, int arity,
                    CallDescriptor::Flags flags) {
   // Patch {node} to a direct CEntry call.
   //
+  // When V8_REVERSE_JSARGS is set:
+  // ----------- A r g u m e n t s -----------
+  // -- 0: CEntry
+  // --- Stack args ---
+  // -- 1: new_target
+  // -- 2: target
+  // -- 3: argc, including the receiver and implicit args (Smi)
+  // -- 4: padding
+  // -- 5: receiver
+  // -- [6, 6 + n[: the n actual arguments passed to the builtin
+  // --- Register args ---
+  // -- 6 + n: the C entry point
+  // -- 6 + n + 1: argc (Int32)
+  // -----------------------------------
+  //
+  // Otherwise:
   // ----------- A r g u m e n t s -----------
   // -- 0: CEntry
   // --- Stack args ---
   // -- 1: receiver
   // -- [2, 2 + n[: the n actual arguments passed to the builtin
-  // -- 2 + n: argc, including the receiver and implicit args (Smi)
-  // -- 2 + n + 1: target
-  // -- 2 + n + 2: new_target
+  // -- 2 + n: padding
+  // -- 2 + n + 1: argc, including the receiver and implicit args (Smi)
+  // -- 2 + n + 2: target
+  // -- 2 + n + 3: new_target
   // --- Register args ---
-  // -- 2 + n + 3: the C entry point
-  // -- 2 + n + 4: argc (Int32)
+  // -- 2 + n + 4: the C entry point
+  // -- 2 + n + 5: argc (Int32)
   // -----------------------------------
 
   // The logic contained here is mirrored in Builtins::Generate_Adaptor.
@@ -1509,6 +1526,25 @@ void ReduceBuiltin(JSGraph* jsgraph, Node* node, int builtin_index, int arity,
   node->ReplaceInput(0, stub);
 
   Zone* zone = jsgraph->zone();
+  const int argc = arity + BuiltinArguments::kNumExtraArgsWithReceiver;
+  Node* argc_node = jsgraph->Constant(argc);
+
+  static const int kStubAndReceiver = 2;
+#ifdef V8_REVERSE_JSARGS
+  node->InsertInput(zone, 1, new_target);
+  node->InsertInput(zone, 2, target);
+  node->InsertInput(zone, 3, argc_node);
+  node->InsertInput(zone, 4, jsgraph->PaddingConstant());
+
+  if (is_construct) {
+    // Unify representations between construct and call nodes.
+    // Remove new target and add receiver as a stack parameter.
+    Node* receiver = jsgraph->UndefinedConstant();
+    node->RemoveInput(argc);
+    node->InsertInput(zone, 5, receiver);
+  }
+  int cursor = arity + kStubAndReceiver + BuiltinArguments::kNumExtraArgs;
+#else
   if (is_construct) {
     // Unify representations between construct and call nodes.
     // Remove new target and add receiver as a stack parameter.
@@ -1517,15 +1553,12 @@ void ReduceBuiltin(JSGraph* jsgraph, Node* node, int builtin_index, int arity,
     node->InsertInput(zone, 1, receiver);
   }
 
-  const int argc = arity + BuiltinArguments::kNumExtraArgsWithReceiver;
-  Node* argc_node = jsgraph->Constant(argc);
-
-  static const int kStubAndReceiver = 2;
   int cursor = arity + kStubAndReceiver;
   node->InsertInput(zone, cursor++, jsgraph->PaddingConstant());
   node->InsertInput(zone, cursor++, argc_node);
   node->InsertInput(zone, cursor++, target);
   node->InsertInput(zone, cursor++, new_target);
+#endif
 
   Address entry = Builtins::CppEntryOf(builtin_index);
   ExternalReference entry_ref = ExternalReference::Create(entry);
@@ -1538,7 +1571,8 @@ void ReduceBuiltin(JSGraph* jsgraph, Node* node, int builtin_index, int arity,
   const char* debug_name = Builtins::name(builtin_index);
   Operator::Properties properties = node->op()->properties();
   auto call_descriptor = Linkage::GetCEntryStubCallDescriptor(
-      zone, kReturnCount, argc, debug_name, properties, flags);
+      zone, kReturnCount, argc, debug_name, properties, flags,
+      StackArgumentOrder::kJS);
 
   NodeProperties::ChangeOp(node, jsgraph->common()->Call(call_descriptor));
 }

src/compiler/linkage.cc

@@ -253,7 +253,7 @@ CallDescriptor* Linkage::GetRuntimeCallDescriptor(
 CallDescriptor* Linkage::GetCEntryStubCallDescriptor(
     Zone* zone, int return_count, int js_parameter_count,
     const char* debug_name, Operator::Properties properties,
-    CallDescriptor::Flags flags) {
+    CallDescriptor::Flags flags, StackArgumentOrder stack_order) {
   const size_t function_count = 1;
   const size_t num_args_count = 1;
   const size_t context_count = 1;
@@ -305,7 +305,8 @@ CallDescriptor* Linkage::GetCEntryStubCallDescriptor(
       kNoCalleeSaved,                   // callee-saved
       kNoCalleeSaved,                   // callee-saved fp
       flags,                            // flags
-      debug_name);                      // debug name
+      debug_name,                       // debug name
+      stack_order);                     // stack order
 }
 
 CallDescriptor* Linkage::GetJSCallDescriptor(Zone* zone, bool is_osr,

src/compiler/linkage.h

@@ -456,7 +456,8 @@ class V8_EXPORT_PRIVATE Linkage : public NON_EXPORTED_BASE(ZoneObject) {
   static CallDescriptor* GetCEntryStubCallDescriptor(
       Zone* zone, int return_count, int js_parameter_count,
       const char* debug_name, Operator::Properties properties,
-      CallDescriptor::Flags flags);
+      CallDescriptor::Flags flags,
+      StackArgumentOrder stack_order = StackArgumentOrder::kDefault);
 
   static CallDescriptor* GetStubCallDescriptor(
       Zone* zone, const CallInterfaceDescriptor& descriptor,