[compiler] Fix extra arguments position when reversed stack

When the interface descriptor of a builtin uses DEFINE_JS_PARAMETERS, the extra stack arguments must be positioned just above the return address, otherwise we would need to calculate its offset depending on the actual number of the arguments, we currently use a fixed offset to access them in CSA. Therefore, these extra arguments are either the first arguments when V8_REVERSE_JSARGS is enabled or otherwise the last arguments. Change-Id: If38ac7fd7f0079fc0e4fdccdb6cfb26e0425eb84 Bug: v8:10825 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2379854Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/master@{#69714}

[compiler] Fix extra arguments position when reversed stack
When the interface descriptor of a builtin uses DEFINE_JS_PARAMETERS, the extra stack arguments must be positioned just above the return address, otherwise we would need to calculate its offset depending on the actual number of the arguments, we currently use a fixed offset to access them in CSA. Therefore, these extra arguments are either the first arguments when V8_REVERSE_JSARGS is enabled or otherwise the last arguments. Change-Id: If38ac7fd7f0079fc0e4fdccdb6cfb26e0425eb84 Bug: v8:10825 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2379854Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/master@{#69714}
c1d06eb3 · Victor Gomes · Commit Bot · 0017c7bb · c1d06eb3 · c1d06eb3
Commit c1d06eb3 authored Sep 07, 2020 by Victor Gomes Committed by Commit Bot Sep 07, 2020
6 changed files
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@@ -608,6 +608,7 @@ extern macro CodeStubAssembler::AllocateNameDictionary(constexpr int32):

 extern builtin ToObject(Context, JSAny): JSReceiver;
 extern macro ToObject_Inline(Context, JSAny): JSReceiver;
+extern macro IsUndefined(Object): bool;
 extern macro IsNullOrUndefined(Object): bool;
 extern macro IsString(HeapObject): bool;
 extern macro IsSeqOneByteString(HeapObject): bool;

--- a/src/builtins/ic-callable.tq
+++ b/src/builtins/ic-callable.tq
@@ -53,6 +53,12 @@ macro TransitionToMegamorphic(implicit context: Context)(
 macro CollectCallFeedback(
    maybeTarget: JSAny, context: Context,
    maybeFeedbackVector: Undefined|FeedbackVector, slotId: uintptr): void {
+  // TODO(v8:9891): Remove this assert once all callers are ported to Torque.
+  // This assert ensures correctness of maybeFeedbackVector's type which can
+  // be easily broken for calls from CSA.
+  assert(
+      IsUndefined(maybeFeedbackVector) ||
+      Is<FeedbackVector>(maybeFeedbackVector));
  const feedbackVector =
      Cast<FeedbackVector>(maybeFeedbackVector) otherwise return;
  IncrementCallCount(feedbackVector, slotId);
@@ -97,6 +103,12 @@ macro CollectCallFeedback(
 macro CollectInstanceOfFeedback(
    maybeTarget: JSAny, context: Context,
    maybeFeedbackVector: Undefined|FeedbackVector, slotId: uintptr): void {
+  // TODO(v8:9891): Remove this assert once all callers are ported to Torque.
+  // This assert ensures correctness of maybeFeedbackVector's type which can
+  // be easily broken for calls from CSA.
+  assert(
+      IsUndefined(maybeFeedbackVector) ||
+      Is<FeedbackVector>(maybeFeedbackVector));
  const feedbackVector =
      Cast<FeedbackVector>(maybeFeedbackVector) otherwise return;
  // Note: The call count is not incremented.
@@ -134,6 +146,12 @@ macro CollectConstructFeedback(implicit context: Context)(
    maybeFeedbackVector: Undefined|FeedbackVector,
    slotId: uintptr): never labels ConstructGeneric,
    ConstructArray(AllocationSite) {
+  // TODO(v8:9891): Remove this assert once all callers are ported to Torque.
+  // This assert ensures correctness of maybeFeedbackVector's type which can
+  // be easily broken for calls from CSA.
+  assert(
+      IsUndefined(maybeFeedbackVector) ||
+      Is<FeedbackVector>(maybeFeedbackVector));
  const feedbackVector = Cast<FeedbackVector>(maybeFeedbackVector)
      otherwise goto ConstructGeneric;
  IncrementCallCount(feedbackVector, slotId);

--- a/src/builtins/internal.tq
+++ b/src/builtins/internal.tq
@@ -14,11 +14,17 @@ extern runtime BytecodeBudgetInterruptFromCode(implicit context: Context)(
 builtin GetTemplateObject(
    context: Context, shared: SharedFunctionInfo,
    description: TemplateObjectDescription, slot: uintptr,
-    maybeFeedbackVector: FeedbackVector|Undefined): JSArray {
+    maybeFeedbackVector: Undefined|FeedbackVector): JSArray {
  // TODO(jgruber): Consider merging with the GetTemplateObject bytecode
  // handler; the current advantage of the split implementation is that the
  // bytecode can skip most work if feedback exists.

+  // TODO(v8:9891): Remove this assert once all callers are ported to Torque.
+  // This assert ensures correctness of maybeFeedbackVector's type which can
+  // be easily broken for calls from CSA.
+  assert(
+      IsUndefined(maybeFeedbackVector) ||
+      Is<FeedbackVector>(maybeFeedbackVector));
  try {
    const vector =
        Cast<FeedbackVector>(maybeFeedbackVector) otherwise CallRuntime;

--- a/src/builtins/iterator.tq
+++ b/src/builtins/iterator.tq
@@ -50,9 +50,16 @@ extern builtin IterableToFixedArrayWithSymbolLookupSlow(

 transitioning builtin GetIteratorWithFeedback(
    context: Context, receiver: JSAny, loadSlot: TaggedIndex,
-    callSlot: TaggedIndex, feedback: Undefined|FeedbackVector): JSAny {
+    callSlot: TaggedIndex,
+    maybeFeedbackVector: Undefined|FeedbackVector): JSAny {
+  // TODO(v8:9891): Remove this assert once all callers are ported to Torque.
+  // This assert ensures correctness of maybeFeedbackVector's type which can
+  // be easily broken for calls from CSA.
+  assert(
+      IsUndefined(maybeFeedbackVector) ||
+      Is<FeedbackVector>(maybeFeedbackVector));
  let iteratorMethod: JSAny;
-  typeswitch (feedback) {
+  typeswitch (maybeFeedbackVector) {
    case (Undefined): {
      iteratorMethod = GetProperty(receiver, IteratorSymbolConstant());
    }
@@ -64,7 +71,7 @@ transitioning builtin GetIteratorWithFeedback(
  // TODO(v8:10047): Use TaggedIndex here once TurboFan supports it.
  const callSlotSmi: Smi = TaggedIndexToSmi(callSlot);
  return CallIteratorWithFeedback(
-      context, receiver, iteratorMethod, callSlotSmi, feedback);
+      context, receiver, iteratorMethod, callSlotSmi, maybeFeedbackVector);
 }

 transitioning builtin CallIteratorWithFeedback(

--- a/src/codegen/interface-descriptors.h
+++ b/src/codegen/interface-descriptors.h
@@ -503,6 +503,10 @@ STATIC_ASSERT(kMaxTFSBuiltinRegisterParams <= kMaxBuiltinRegisterParams);
  DEFINE_RESULT_AND_PARAMETER_TYPES(MachineType::AnyTagged() /* result */, \
                                    ##__VA_ARGS__)

+// When the extra arguments described here are located in the stack, they are
+// just above the return address in the frame. Therefore, they are either the
+// first arguments when V8_REVERSE_JSARGS is enabled, or otherwise the last
+// arguments.
 #define DEFINE_JS_PARAMETERS(...)                           \
  static constexpr int kDescriptorFlags =                   \
      CallInterfaceDescriptorData::kAllowVarArgs;           \

--- a/src/compiler/js-generic-lowering.cc
+++ b/src/compiler/js-generic-lowering.cc