[sparkplug] Fix frame fill

Change the frame fill to unconditionally subtract already pushed
registers from register count. This ensures that the decision to add a
push loop is dependent on the _remaining_ registers, not the _total_
registers.

Bug: v8:11420
Change-Id: Ide763654e66f0a8c827a00fca1b4a77be2052f76
Fixed: chromium:1179595
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704672
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72863}

src/baseline/arm64/baseline-compiler-arm64-inl.h

@@ -503,7 +503,7 @@ void BaselineCompiler::PrologueFillFrame() {
   const int new_target_index = new_target_or_generator_register.index();
   const bool has_new_target = new_target_index != kMaxInt;
   // BaselineOutOfLinePrologue already pushed one undefined.
-  int i = 1;
+  register_count -= 1;
   if (has_new_target) {
     if (new_target_index == 0) {
       // Oops, need to fix up that undefined that BaselineOutOfLinePrologue
@@ -511,24 +511,25 @@ void BaselineCompiler::PrologueFillFrame() {
       __ masm()->Poke(kJavaScriptCallNewTargetRegister, Operand(0));
     } else {
       DCHECK_LE(new_target_index, register_count);
-      for (; i + 2 <= new_target_index; i += 2) {
+      int index = 1;
+      for (; index + 2 <= new_target_index; index += 2) {
         __ masm()->Push(kInterpreterAccumulatorRegister,
                         kInterpreterAccumulatorRegister);
       }
-      if (i == new_target_index) {
+      if (index == new_target_index) {
         __ masm()->Push(kJavaScriptCallNewTargetRegister,
                         kInterpreterAccumulatorRegister);
       } else {
-        DCHECK_EQ(i, new_target_index - 1);
+        DCHECK_EQ(index, new_target_index - 1);
         __ masm()->Push(kInterpreterAccumulatorRegister,
                         kJavaScriptCallNewTargetRegister);
       }
-      i += 2;
+      register_count -= (index + 2);
     }
   }
   if (register_count < 2 * kLoopUnrollSize) {
     // If the frame is small enough, just unroll the frame fill completely.
-    for (; i < register_count; i += 2) {
+    for (int i = 0; i < register_count; i += 2) {
       __ masm()->Push(kInterpreterAccumulatorRegister,
                       kInterpreterAccumulatorRegister);
     }
@@ -536,11 +537,9 @@ void BaselineCompiler::PrologueFillFrame() {
     BaselineAssembler::ScratchRegisterScope temps(&basm_);
     Register scratch = temps.AcquireScratch();
 
-    register_count -= i;
-    i = 0;
     // Extract the first few registers to round to the unroll size.
     int first_registers = register_count % kLoopUnrollSize;
-    for (; i < first_registers; i += 2) {
+    for (int i = 0; i < first_registers; i += 2) {
       __ masm()->Push(kInterpreterAccumulatorRegister,
                       kInterpreterAccumulatorRegister);
     }
@@ -550,7 +549,7 @@ void BaselineCompiler::PrologueFillFrame() {
     DCHECK_GT(register_count / kLoopUnrollSize, 0);
     Label loop;
     __ Bind(&loop);
-    for (int j = 0; j < kLoopUnrollSize; j += 2) {
+    for (int i = 0; i < kLoopUnrollSize; i += 2) {
       __ masm()->Push(kInterpreterAccumulatorRegister,
                       kInterpreterAccumulatorRegister);
     }

src/baseline/x64/baseline-compiler-x64-inl.h

@@ -391,27 +391,24 @@ void BaselineCompiler::PrologueFillFrame() {
   const int kLoopUnrollSize = 8;
   const int new_target_index = new_target_or_generator_register.index();
   const bool has_new_target = new_target_index != kMaxInt;
-  int i = 0;
   if (has_new_target) {
     DCHECK_LE(new_target_index, register_count);
-    for (; i < new_target_index; i++) {
+    for (int i = 0; i < new_target_index; i++) {
       __ Push(kInterpreterAccumulatorRegister);
     }
     // Push new_target_or_generator.
     __ Push(kJavaScriptCallNewTargetRegister);
-    i++;
+    register_count -= new_target_index + 1;
   }
   if (register_count < 2 * kLoopUnrollSize) {
     // If the frame is small enough, just unroll the frame fill completely.
-    for (; i < register_count; ++i) {
+    for (int i = 0; i < register_count; ++i) {
       __ Push(kInterpreterAccumulatorRegister);
     }
   } else {
-    register_count -= i;
-    i = 0;
     // Extract the first few registers to round to the unroll size.
     int first_registers = register_count % kLoopUnrollSize;
-    for (; i < first_registers; ++i) {
+    for (int i = 0; i < first_registers; ++i) {
       __ Push(kInterpreterAccumulatorRegister);
     }
     BaselineAssembler::ScratchRegisterScope scope(&basm_);
@@ -422,7 +419,7 @@ void BaselineCompiler::PrologueFillFrame() {
     DCHECK_GT(register_count / kLoopUnrollSize, 0);
     Label loop;
     __ Bind(&loop);
-    for (int j = 0; j < kLoopUnrollSize; ++j) {
+    for (int i = 0; i < kLoopUnrollSize; ++i) {
       __ Push(kInterpreterAccumulatorRegister);
     }
     __ masm()->decl(scratch);