Extra code to diagnose a crash bug.

This will catch an invalid receiver before being passed to a load ic miss
handler in the runtime.

BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1351493002

Cr-Commit-Position: refs/heads/master@{#30768}

src/builtins.cc

@@ -1739,7 +1739,7 @@ BUILTIN(HandleApiCallAsConstructor) {
 
 
 static void Generate_LoadIC_Miss(MacroAssembler* masm) {
-  LoadIC::GenerateMiss(masm);
+  LoadIC::GenerateMiss(masm, LoadIC::kStressBuiltin);
 }
 
 

src/full-codegen/x64/full-codegen-x64.cc

@@ -2262,14 +2262,15 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {
   if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
     __ Pop(LoadDescriptor::ReceiverRegister());
 
-    Label ok;
+    Label ok, sound_alarm;
     __ JumpIfSmi(rax, &ok, Label::kNear);
     __ movp(rbx, FieldOperand(rax, HeapObject::kMapOffset));
-    __ CmpInstanceType(rbx, LAST_PRIMITIVE_TYPE);
-    __ j(below_equal, &ok, Label::kNear);
-    __ CmpInstanceType(rbx, FIRST_JS_RECEIVER_TYPE);
-    __ j(above_equal, &ok, Label::kNear);
+    __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
+    __ j(equal, &sound_alarm);
+    __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
+    __ j(not_equal, &ok, Label::kNear);
 
+    __ bind(&sound_alarm);
     __ Push(Smi::FromInt(0xaabbccdd));
     __ Push(LoadDescriptor::ReceiverRegister());
     __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),

src/ic/arm/ic-arm.cc

@@ -300,7 +300,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
 

src/ic/arm64/ic-arm64.cc

@@ -280,7 +280,7 @@ void LoadIC::GenerateNormal(MacroAssembler* masm, LanguageMode language_mode) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
   ASM_LOCATION("LoadIC::GenerateMiss");

src/ic/ia32/ic-ia32.cc

@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // Return address is on the stack.
   __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
   LoadIC_PushArgs(masm);

src/ic/ic.h

@@ -323,8 +323,17 @@ class LoadIC : public IC {
   }
 
   // Code generator routines.
-  static void GenerateInitialize(MacroAssembler* masm) { GenerateMiss(masm); }
-  static void GenerateMiss(MacroAssembler* masm);
+
+  // TODO(jkummerow): Remove the stress parameter and these stress constants
+  // when a crash bug is fixed.
+  static const int kStressNone = 0;
+  static const int kStressInit = 1;
+  static const int kStressDispatcher = 2;
+  static const int kStressBuiltin = 3;
+  static void GenerateInitialize(MacroAssembler* masm) {
+    GenerateMiss(masm, kStressInit);
+  }
+  static void GenerateMiss(MacroAssembler* masm, int stress = kStressNone);
   static void GenerateRuntimeGetProperty(MacroAssembler* masm,
                                          LanguageMode language_mode);
   static void GenerateNormal(MacroAssembler* masm, LanguageMode language_mode);

src/ic/mips/ic-mips.cc

@@ -306,7 +306,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in ra.
   Isolate* isolate = masm->isolate();
 

src/ic/mips64/ic-mips64.cc

@@ -303,7 +303,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is on the stack.
   Isolate* isolate = masm->isolate();
 

src/ic/ppc/ic-ppc.cc

@@ -310,7 +310,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
 

src/ic/x64/ic-x64.cc

@@ -667,7 +667,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is on the stack.
 
   Counters* counters = masm->isolate()->counters();
@@ -675,6 +675,36 @@ void LoadIC::GenerateMiss(MacroAssembler* masm) {
 
   LoadIC_PushArgs(masm);
 
+  Register receiver = LoadDescriptor::ReceiverRegister();
+
+  // Sanity check: The receiver must be a JS-exposed kind of object,
+  // not something internal (like a Map, or FixedArray). Check this here
+  // to chase after a rare but recurring crash bug.
+  // TODO(jkummerow): Remove this when it has generated a few crash reports.
+
+  Label ok, sound_alarm;
+  __ JumpIfSmi(receiver, &ok, Label::kNear);
+  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
+  __ j(equal, &sound_alarm);
+  __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
+  __ j(not_equal, &ok, Label::kNear);
+
+  // This cmpp instruction is only here to identify which of several kinds
+  // of code blocks embedded the MISS code. (handler, dispatcher).
+  __ cmpp(receiver, Immediate(stress));
+
+  __ bind(&sound_alarm);
+  __ Push(Smi::FromInt(0xaabbccdd));
+  __ Push(receiver);
+  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ Push(rbx);
+  __ movp(rbx, FieldOperand(receiver, JSObject::kPropertiesOffset));
+  __ Push(rbx);
+  __ int3();
+
+  __ bind(&ok);
+
   // Perform tail call to the entry.
   int arg_count = 4;
   __ TailCallRuntime(Runtime::kLoadIC_Miss, arg_count, 1);

src/ic/x87/ic-x87.cc

@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // Return address is on the stack.
   __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
   LoadIC_PushArgs(masm);

src/x64/code-stubs-x64.cc

@@ -4348,7 +4348,7 @@ void LoadICStub::GenerateImpl(MacroAssembler* masm, bool in_frame) {
       masm, Code::LOAD_IC, code_flags, receiver, name, feedback, no_reg);
 
   __ bind(&miss);
-  LoadIC::GenerateMiss(masm);
+  LoadIC::GenerateMiss(masm, LoadIC::kStressDispatcher);
 
   __ bind(&load_smi_map);
   __ LoadRoot(receiver_map, Heap::kHeapNumberMapRootIndex);