[ubsan] Avoid isolate == nullptr ExternalReference requests

When the InstructionSelector doesn't have a valid Isolate, it should
avoid using it to look up ExternalReferences. Fortunately, this is
easy, because the result is only used for a comparison, which in case
of invalid Isolate would always fail anyway.

Bug: v8:3770
Change-Id: Ie3d65235a22021b05cf0274bf27d91bb7af21023
Reviewed-on: https://chromium-review.googlesource.com/c/1397702
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58597}

src/compiler/backend/ia32/instruction-selector-ia32.cc

@@ -1251,15 +1251,17 @@ void VisitWordCompare(InstructionSelector* selector, Node* node,
 
 void VisitWordCompare(InstructionSelector* selector, Node* node,
                       FlagsContinuation* cont) {
-  StackCheckMatcher<Int32BinopMatcher, IrOpcode::kUint32LessThan> m(
-      selector->isolate(), node);
-  if (m.Matched()) {
-    // Compare(Load(js_stack_limit), LoadStackPointer)
-    if (!node->op()->HasProperty(Operator::kCommutative)) cont->Commute();
-    InstructionCode opcode = cont->Encode(kIA32StackCheck);
-    CHECK(cont->IsBranch());
-    selector->EmitWithContinuation(opcode, cont);
-    return;
+  if (selector->isolate() != nullptr) {
+    StackCheckMatcher<Int32BinopMatcher, IrOpcode::kUint32LessThan> m(
+        selector->isolate(), node);
+    if (m.Matched()) {
+      // Compare(Load(js_stack_limit), LoadStackPointer)
+      if (!node->op()->HasProperty(Operator::kCommutative)) cont->Commute();
+      InstructionCode opcode = cont->Encode(kIA32StackCheck);
+      CHECK(cont->IsBranch());
+      selector->EmitWithContinuation(opcode, cont);
+      return;
+    }
   }
   WasmStackCheckMatcher<Int32BinopMatcher, IrOpcode::kUint32LessThan> wasm_m(
       node);

src/compiler/backend/x64/instruction-selector-x64.cc

@@ -1780,15 +1780,17 @@ void VisitWord64Compare(InstructionSelector* selector, Node* node,
           g.UseRegister(m.right().node()), cont);
     }
   }
-  StackCheckMatcher<Int64BinopMatcher, IrOpcode::kUint64LessThan> m(
-      selector->isolate(), node);
-  if (m.Matched()) {
-    // Compare(Load(js_stack_limit), LoadStackPointer)
-    if (!node->op()->HasProperty(Operator::kCommutative)) cont->Commute();
-    InstructionCode opcode = cont->Encode(kX64StackCheck);
-    CHECK(cont->IsBranch());
-    selector->EmitWithContinuation(opcode, cont);
-    return;
+  if (selector->isolate() != nullptr) {
+    StackCheckMatcher<Int64BinopMatcher, IrOpcode::kUint64LessThan> m(
+        selector->isolate(), node);
+    if (m.Matched()) {
+      // Compare(Load(js_stack_limit), LoadStackPointer)
+      if (!node->op()->HasProperty(Operator::kCommutative)) cont->Commute();
+      InstructionCode opcode = cont->Encode(kX64StackCheck);
+      CHECK(cont->IsBranch());
+      selector->EmitWithContinuation(opcode, cont);
+      return;
+    }
   }
   WasmStackCheckMatcher<Int64BinopMatcher, IrOpcode::kUint64LessThan> wasm_m(
       node);

src/compiler/node-matchers.h

@@ -782,7 +782,9 @@ struct WasmStackCheckMatcher {
 template <class BinopMatcher, IrOpcode::Value expected_opcode>
 struct StackCheckMatcher {
   StackCheckMatcher(Isolate* isolate, Node* compare)
-      : isolate_(isolate), compare_(compare) {}
+      : isolate_(isolate), compare_(compare) {
+    DCHECK_NOT_NULL(isolate);
+  }
   bool Matched() {
     // TODO(jgruber): Ideally, we could be more flexible here and also match the
     // same pattern with switched operands (i.e.: left is LoadStackPointer and