[turbofan] Zero-initialize BigInt padding

The code generated for ChangeUint64ToBigInt in the
EffectControlLinearizer did not initialize the optional padding
field of newly allocated BigInts. This padding field is present
on 64 bit builds without pointer compression enabled. This CL
fixes this by 0-filling the padding field if present.

Bug: v8:9407
Change-Id: I511e163e676dc966a3eb6dfb92b5065e36329225
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695464Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@google.com>
Cr-Commit-Position: refs/heads/master@{#62683}

src/compiler/access-builder.cc

@@ -71,8 +71,19 @@ FieldAccess AccessBuilder::ForBigIntBitfield() {
   return access;
 }
 
+// static
+FieldAccess AccessBuilder::ForBigIntOptionalPadding() {
+  DCHECK_EQ(FIELD_SIZE(BigInt::kOptionalPaddingOffset), 4);
+  FieldAccess access = {
+      kTaggedBase,        BigInt::kOptionalPaddingOffset, MaybeHandle<Name>(),
+      MaybeHandle<Map>(), TypeCache::Get()->kInt32,       MachineType::Uint32(),
+      kNoWriteBarrier};
+  return access;
+}
+
 // static
 FieldAccess AccessBuilder::ForBigIntLeastSignificantDigit64() {
+  DCHECK_EQ(BigInt::SizeFor(1) - BigInt::SizeFor(0), 8);
   FieldAccess access = {
       kTaggedBase,        BigInt::kDigitsOffset,        MaybeHandle<Name>(),
       MaybeHandle<Map>(), TypeCache::Get()->kBigUint64, MachineType::Uint64(),

src/compiler/access-builder.h

@@ -42,6 +42,11 @@ class V8_EXPORT_PRIVATE AccessBuilder final
   // Provides access to BigInt's bit field.
   static FieldAccess ForBigIntBitfield();
 
+  // Provides access to BigInt's 32 bit padding that is placed after the
+  // bitfield on 64 bit architectures without pointer compression. Do not use
+  // this on 32 bit architectures.
+  static FieldAccess ForBigIntOptionalPadding();
+
   // Provides access to BigInt's least significant digit on 64 bit
   // architectures. Do not use this on 32 bit architectures.
   static FieldAccess ForBigIntLeastSignificantDigit64();

src/compiler/effect-control-linearizer.cc

@@ -2755,6 +2755,11 @@ Node* EffectControlLinearizer::LowerChangeUint64ToBigInt(Node* node) {
     __ StoreField(AccessBuilder::ForMap(), result, map);
     __ StoreField(AccessBuilder::ForBigIntBitfield(), result,
                   __ IntPtrConstant(bitfield));
+    // BigInts have no padding on 64 bit architectures with pointer compression.
+    if (BigInt::HasOptionalPadding()) {
+      __ StoreField(AccessBuilder::ForBigIntOptionalPadding(), result,
+                    __ IntPtrConstant(0));
+    }
     __ StoreField(AccessBuilder::ForBigIntLeastSignificantDigit64(), result,
                   value);
     __ Goto(&done, result);
@@ -2768,6 +2773,11 @@ Node* EffectControlLinearizer::LowerChangeUint64ToBigInt(Node* node) {
     __ StoreField(AccessBuilder::ForMap(), result, map);
     __ StoreField(AccessBuilder::ForBigIntBitfield(), result,
                   __ IntPtrConstant(bitfield));
+    // BigInts have no padding on 64 bit architectures with pointer compression.
+    if (BigInt::HasOptionalPadding()) {
+      __ StoreField(AccessBuilder::ForBigIntOptionalPadding(), result,
+                    __ IntPtrConstant(0));
+    }
     __ Goto(&done, result);
   }
 

src/objects/bigint.h

@@ -72,6 +72,10 @@ class BigIntBase : public HeapObject {
   DEFINE_FIELD_OFFSET_CONSTANTS(HeapObject::kHeaderSize, BIGINT_FIELDS)
 #undef BIGINT_FIELDS
 
+  static constexpr bool HasOptionalPadding() {
+    return FIELD_SIZE(kOptionalPaddingOffset) > 0;
+  }
+
  private:
   friend class ::v8::internal::BigInt;  // MSVC wants full namespace.
   friend class MutableBigInt;