[sparkplug] Fix instance type checks

We were using CmpInstanceType instead of CmpObjectType in some places,
which meant that we were reading the value at the instance type field
offset within objects directly, rather than first loading their map and
reading the instance type there.

Bug: chromium:1180434
Change-Id: I4771b4f8f9a32bdc35944c6e6cd30c54e4ac8b6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2716292
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73003}

src/baseline/arm64/baseline-assembler-arm64-inl.h

@@ -141,11 +141,16 @@ void BaselineAssembler::CmpObjectType(Register object,
   Register type = temps.AcquireScratch();
   __ CompareObjectType(object, map, type, instance_type);
 }
-void BaselineAssembler::CmpInstanceType(Register value,
+void BaselineAssembler::CmpInstanceType(Register map,
                                         InstanceType instance_type) {
   ScratchRegisterScope temps(this);
   Register type = temps.AcquireScratch();
-  __ CompareInstanceType(value, type, instance_type);
+  if (emit_debug_code()) {
+    __ AssertNotSmi(map);
+    __ CompareObjectType(map, type, type, MAP_TYPE);
+    __ Assert(eq, AbortReason::kUnexpectedValue);
+  }
+  __ CompareInstanceType(map, type, instance_type);
 }
 void BaselineAssembler::Cmp(Register value, Smi smi) { __ Cmp(value, smi); }
 void BaselineAssembler::ComparePointer(Register value, MemOperand operand) {

src/baseline/baseline-assembler.h

@@ -55,7 +55,7 @@ class BaselineAssembler {
 
   inline void CmpObjectType(Register object, InstanceType instance_type,
                             Register map);
-  inline void CmpInstanceType(Register value, InstanceType instance_type);
+  inline void CmpInstanceType(Register map, InstanceType instance_type);
   inline void Cmp(Register value, Smi smi);
   inline void ComparePointer(Register value, MemOperand operand);
   inline Condition CheckSmi(Register value);

src/baseline/baseline-compiler.cc

@@ -1232,6 +1232,7 @@ void BaselineCompiler::VisitIntrinsicIsJSReceiver(
   SelectBooleanConstant(
       kInterpreterAccumulatorRegister,
       [&](Label* is_true, Label::Distance distance) {
+        BaselineAssembler::ScratchRegisterScope scratch_scope(&basm_);
         __ LoadRegister(kInterpreterAccumulatorRegister, args[0]);
 
         Label is_smi;
@@ -1240,8 +1241,9 @@ void BaselineCompiler::VisitIntrinsicIsJSReceiver(
         // If we ever added more instance types after LAST_JS_RECEIVER_TYPE,
         // this would have to become a range check.
         STATIC_ASSERT(LAST_JS_RECEIVER_TYPE == LAST_TYPE);
-        __ CmpInstanceType(kInterpreterAccumulatorRegister,
-                           FIRST_JS_RECEIVER_TYPE);
+        __ CmpObjectType(kInterpreterAccumulatorRegister,
+                         FIRST_JS_RECEIVER_TYPE,
+                         scratch_scope.AcquireScratch());
         __ JumpIf(Condition::kGreaterThanEqual, is_true, distance);
 
         __ Bind(&is_smi);
@@ -1252,12 +1254,14 @@ void BaselineCompiler::VisitIntrinsicIsArray(interpreter::RegisterList args) {
   SelectBooleanConstant(
       kInterpreterAccumulatorRegister,
       [&](Label* is_true, Label::Distance distance) {
+        BaselineAssembler::ScratchRegisterScope scratch_scope(&basm_);
         __ LoadRegister(kInterpreterAccumulatorRegister, args[0]);
 
         Label is_smi;
         __ JumpIfSmi(kInterpreterAccumulatorRegister, &is_smi, Label::kNear);
 
-        __ CmpInstanceType(kInterpreterAccumulatorRegister, JS_ARRAY_TYPE);
+        __ CmpObjectType(kInterpreterAccumulatorRegister, JS_ARRAY_TYPE,
+                         scratch_scope.AcquireScratch());
         __ JumpIf(Condition::kEqual, is_true, distance);
 
         __ Bind(&is_smi);
@@ -1858,10 +1862,13 @@ void BaselineCompiler::VisitJumpIfUndefinedOrNull() {
 }
 
 void BaselineCompiler::VisitJumpIfJSReceiver() {
+  BaselineAssembler::ScratchRegisterScope scratch_scope(&basm_);
+
   Label is_smi, dont_jump;
   __ JumpIfSmi(kInterpreterAccumulatorRegister, &is_smi, Label::kNear);
 
-  __ CmpInstanceType(kInterpreterAccumulatorRegister, FIRST_JS_RECEIVER_TYPE);
+  __ CmpObjectType(kInterpreterAccumulatorRegister, FIRST_JS_RECEIVER_TYPE,
+                   scratch_scope.AcquireScratch());
   __ JumpIf(Condition::kLessThan, &dont_jump);
   UpdateInterruptBudgetAndDoInterpreterJump();
 

src/baseline/x64/baseline-assembler-x64-inl.h

@@ -140,11 +140,17 @@ void BaselineAssembler::Test(Register value, int mask) {
 void BaselineAssembler::CmpObjectType(Register object,
                                       InstanceType instance_type,
                                       Register map) {
+  __ AssertNotSmi(object);
   __ CmpObjectType(object, instance_type, map);
 }
-void BaselineAssembler::CmpInstanceType(Register value,
+void BaselineAssembler::CmpInstanceType(Register map,
                                         InstanceType instance_type) {
-  __ CmpInstanceType(value, instance_type);
+  if (emit_debug_code()) {
+    __ AssertNotSmi(map);
+    __ CmpObjectType(map, MAP_TYPE, kScratchRegister);
+    __ Assert(equal, AbortReason::kUnexpectedValue);
+  }
+  __ CmpInstanceType(map, instance_type);
 }
 void BaselineAssembler::Cmp(Register value, Smi smi) { __ Cmp(value, smi); }
 void BaselineAssembler::ComparePointer(Register value, MemOperand operand) {