[sparkplug] Fix maximum frame size in prologue.

Maximum frame size (in bytes) is used to check for stack overflows
in the prologue.
The maximum number of call arguments is pre-calculated and included
in this check. However the count was added to the frame size wihout
converting the count to bytes, resulting in inaccurate stack overflow
checks.

Bug: chromium:1235182
Change-Id: I21bca4e183fccfd055f2f1d5a40b71651c14b911
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3071399Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76090}

src/baseline/arm/baseline-compiler-arm-inl.h

@@ -18,7 +18,8 @@ void BaselineCompiler::Prologue() {
   // Enter the frame here, since CallBuiltin will override lr.
   __ masm()->EnterFrame(StackFrame::BASELINE);
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

src/baseline/arm64/baseline-compiler-arm64-inl.h

@@ -18,7 +18,8 @@ void BaselineCompiler::Prologue() {
   // Enter the frame here, since CallBuiltin will override lr.
   __ masm()->EnterFrame(StackFrame::BASELINE);
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

src/baseline/ia32/baseline-compiler-ia32-inl.h

@@ -17,7 +17,8 @@ namespace baseline {
 
 void BaselineCompiler::Prologue() {
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

src/baseline/mips/baseline-compiler-mips-inl.h

@@ -18,7 +18,8 @@ void BaselineCompiler::Prologue() {
   ASM_CODE_COMMENT(&masm_);
   __ masm()->EnterFrame(StackFrame::BASELINE);
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

src/baseline/mips64/baseline-compiler-mips64-inl.h

@@ -18,7 +18,8 @@ void BaselineCompiler::Prologue() {
   ASM_CODE_COMMENT(&masm_);
   __ masm()->EnterFrame(StackFrame::BASELINE);
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

src/baseline/riscv64/baseline-compiler-riscv64-inl.h

@@ -18,7 +18,8 @@ void BaselineCompiler::Prologue() {
   // Enter the frame here, since CallBuiltin will override lr.
   __ masm()->EnterFrame(StackFrame::BASELINE);
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

src/baseline/x64/baseline-compiler-x64-inl.h

@@ -18,7 +18,8 @@ namespace baseline {
 void BaselineCompiler::Prologue() {
   ASM_CODE_COMMENT(&masm_);
   DCHECK_EQ(kJSFunctionRegister, kJavaScriptCallTargetRegister);
-  int max_frame_size = bytecode_->frame_size() + max_call_args_;
+  int max_frame_size =
+      bytecode_->frame_size() + max_call_args_ * kSystemPointerSize;
   CallBuiltin<Builtin::kBaselineOutOfLinePrologue>(
       kContextRegister, kJSFunctionRegister, kJavaScriptCallArgCountRegister,
       max_frame_size, kJavaScriptCallNewTargetRegister, bytecode_);

test/mjsunit/regress/regress-crbug-1235182.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var call_f = new Function('f(' + ('0,').repeat(7023) + ')');
+function f() {[1, 2, 3].sort(call_f);}
+assertThrows(call_f, RangeError);