Remove new.target value from construct stub frames.

This drops the specific slot containing the new.target value from our
construct stub frames. This side-channel has been deprecated and will
no longer be accessed by any consumers.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1489353004

Cr-Commit-Position: refs/heads/master@{#32550}

src/arm/builtins-arm.cc

@@ -499,10 +499,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
 
     __ SmiUntag(r0);
 
-    // Push new.target onto the construct frame. This is stored just below the
-    // receiver on the stack.
-    __ push(r3);
-
     if (create_implicit_receiver) {
       // Push the allocated receiver to the stack. We need two copies
       // because we may have to return the original one and the calling
@@ -524,8 +520,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     // r4: number of arguments (smi-tagged)
     // sp[0]: receiver
     // sp[1]: receiver
-    // sp[2]: new.target
-    // sp[3]: number of arguments (smi-tagged)
+    // sp[2]: number of arguments (smi-tagged)
     Label loop, entry;
     __ SmiTag(r4, r0);
     __ b(&entry);
@@ -559,8 +554,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     // Restore context from the frame.
     // r0: result
     // sp[0]: receiver
-    // sp[1]: new.target
-    // sp[2]: number of arguments (smi-tagged)
+    // sp[1]: number of arguments (smi-tagged)
     __ ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
 
     if (create_implicit_receiver) {
@@ -572,8 +566,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       // If the result is a smi, it is *not* an object in the ECMA sense.
       // r0: result
       // sp[0]: receiver
-      // sp[1]: new.target
-      // sp[2]: number of arguments (smi-tagged)
+      // sp[1]: number of arguments (smi-tagged)
       __ JumpIfSmi(r0, &use_receiver);
 
       // If the type of the result (stored in its map) is less than
@@ -591,11 +584,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ bind(&exit);
       // r0: result
       // sp[0]: receiver (newly allocated object)
-      // sp[1]: new target
-      // sp[2]: number of arguments (smi-tagged)
-      __ ldr(r1, MemOperand(sp, 2 * kPointerSize));
+      // sp[1]: number of arguments (smi-tagged)
+      __ ldr(r1, MemOperand(sp, 1 * kPointerSize));
     } else {
-      __ ldr(r1, MemOperand(sp, kPointerSize));
+      __ ldr(r1, MemOperand(sp));
     }
 
     // Leave construct frame.

src/arm64/builtins-arm64.cc

@@ -506,15 +506,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
 
     __ SmiUntag(argc);
 
-    // Push new.target onto the construct frame. This is stored just below the
-    // receiver on the stack.
     if (create_implicit_receiver) {
       // Push the allocated receiver to the stack. We need two copies
       // because we may have to return the original one and the calling
       // conventions dictate that the called function pops the receiver.
-      __ Push(new_target, x4, x4);
+      __ Push(x4, x4);
     } else {
-      __ push(new_target);
       __ PushRoot(Heap::kTheHoleValueRootIndex);
     }
 
@@ -529,8 +526,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     // x3: new target
     // jssp[0]: receiver
     // jssp[1]: receiver
-    // jssp[2]: new.target
-    // jssp[3]: number of arguments (smi-tagged)
+    // jssp[2]: number of arguments (smi-tagged)
     // Compute the start address of the copy in x3.
     __ Add(x4, x2, Operand(argc, LSL, kPointerSizeLog2));
     Label loop, entry, done_copying_arguments;
@@ -570,8 +566,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     // Restore the context from the frame.
     // x0: result
     // jssp[0]: receiver
-    // jssp[1]: new.target
-    // jssp[2]: number of arguments (smi-tagged)
+    // jssp[1]: number of arguments (smi-tagged)
     __ Ldr(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
 
     if (create_implicit_receiver) {
@@ -600,11 +595,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ Bind(&exit);
       // x0: result
       // jssp[0]: receiver (newly allocated object)
-      // jssp[1]: new target
-      // jssp[2]: number of arguments (smi-tagged)
-      __ Peek(x1, 2 * kXRegSize);
+      // jssp[1]: number of arguments (smi-tagged)
+      __ Peek(x1, 1 * kXRegSize);
     } else {
-      __ Peek(x1, kXRegSize);
+      __ Peek(x1, 0);
     }
 
     // Leave construct frame.

src/deoptimizer.cc

@@ -1235,12 +1235,6 @@ void Deoptimizer::DoComputeConstructStubFrame(int frame_index) {
     PrintF(trace_scope_->file(), "(%d)\n", height - 1);
   }
 
-  // The new target.
-  output_offset -= kPointerSize;
-  value = reinterpret_cast<intptr_t>(isolate_->heap()->undefined_value());
-  output_frame->SetFrameSlot(output_offset, value);
-  DebugPrintOutputSlot(value, frame_index, output_offset, "new.target\n");
-
   // The newly allocated object was passed as receiver in the artificial
   // constructor stub environment created by HEnvironment::CopyForInlining().
   output_offset -= kPointerSize;

src/frames.h

@@ -161,8 +161,6 @@ class ConstructFrameConstants : public AllStatic {
  public:
   // FP-relative.
   static const int kImplicitReceiverOffset =
-      StandardFrameConstants::kExpressionsOffset - 4 * kPointerSize;
-  static const int kNewTargetOffset =
       StandardFrameConstants::kExpressionsOffset - 3 * kPointerSize;
   static const int kLengthOffset =
       StandardFrameConstants::kExpressionsOffset - 2 * kPointerSize;
@@ -172,7 +170,7 @@ class ConstructFrameConstants : public AllStatic {
       StandardFrameConstants::kExpressionsOffset - 0 * kPointerSize;
 
   static const int kFrameSize =
-      StandardFrameConstants::kFixedFrameSize + 5 * kPointerSize;
+      StandardFrameConstants::kFixedFrameSize + 4 * kPointerSize;
 };
 
 

src/ia32/builtins-ia32.cc

@@ -280,10 +280,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
 
     __ SmiUntag(eax);
 
-    // Push new.target onto the construct frame. This is stored just below the
-    // receiver on the stack.
-    __ push(edx);
-
     if (create_implicit_receiver) {
       // Push the allocated receiver to the stack. We need two copies
       // because we may have to return the original one and the calling
@@ -347,12 +343,11 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ mov(eax, Operand(esp, 0));
 
       // Restore the arguments count and leave the construct frame. The
-      // arguments
-      // count is stored below the reciever and the new.target.
+      // arguments count is stored below the receiver.
       __ bind(&exit);
-      __ mov(ebx, Operand(esp, 2 * kPointerSize));
+      __ mov(ebx, Operand(esp, 1 * kPointerSize));
     } else {
-      __ mov(ebx, Operand(esp, kPointerSize));
+      __ mov(ebx, Operand(esp, 0));
     }
 
     // Leave construct frame.

src/mips/builtins-mips.cc

@@ -498,15 +498,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
 
     __ SmiUntag(a0);
 
-    // Push new.target onto the construct frame. This is stored just below the
-    // receiver on the stack.
     if (create_implicit_receiver) {
       // Push the allocated receiver to the stack. We need two copies
       // because we may have to return the original one and the calling
       // conventions dictate that the called function pops the receiver.
-      __ Push(a3, t4, t4);
+      __ Push(t4, t4);
     } else {
-      __ push(a3);
       __ PushRoot(Heap::kTheHoleValueRootIndex);
     }
 
@@ -521,8 +518,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     // t4: number of arguments (smi-tagged)
     // sp[0]: receiver
     // sp[1]: receiver
-    // sp[2]: new.target
-    // sp[3]: number of arguments (smi-tagged)
+    // sp[2]: number of arguments (smi-tagged)
     Label loop, entry;
     __ SmiTag(t4, a0);
     __ jmp(&entry);
@@ -567,8 +563,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       // If the result is a smi, it is *not* an object in the ECMA sense.
       // v0: result
       // sp[0]: receiver (newly allocated object)
-      // sp[1]: new.target
-      // sp[2]: number of arguments (smi-tagged)
+      // sp[1]: number of arguments (smi-tagged)
       __ JumpIfSmi(v0, &use_receiver);
 
       // If the type of the result (stored in its map) is less than
@@ -586,11 +581,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ bind(&exit);
       // v0: result
       // sp[0]: receiver (newly allocated object)
-      // sp[1]: new target
-      // sp[2]: number of arguments (smi-tagged)
-      __ lw(a1, MemOperand(sp, 2 * kPointerSize));
+      // sp[1]: number of arguments (smi-tagged)
+      __ lw(a1, MemOperand(sp, 1 * kPointerSize));
     } else {
-      __ lw(a1, MemOperand(sp, kPointerSize));
+      __ lw(a1, MemOperand(sp));
     }
 
     // Leave construct frame.

src/mips64/builtins-mips64.cc

@@ -492,15 +492,12 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     }
     __ SmiUntag(a0);
 
-    // Push new.target onto the construct frame. This is stored just below the
-    // receiver on the stack.
     if (create_implicit_receiver) {
       // Push the allocated receiver to the stack. We need two copies
       // because we may have to return the original one and the calling
       // conventions dictate that the called function pops the receiver.
-      __ Push(a3, t0, t0);
+      __ Push(t0, t0);
     } else {
-      __ push(a3);
       __ PushRoot(Heap::kTheHoleValueRootIndex);
     }
 
@@ -515,8 +512,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
     // t0: number of arguments (smi-tagged)
     // sp[0]: receiver
     // sp[1]: receiver
-    // sp[2]: new.target
-    // sp[3]: number of arguments (smi-tagged)
+    // sp[2]: number of arguments (smi-tagged)
     Label loop, entry;
     __ mov(t0, a0);
     __ jmp(&entry);
@@ -561,8 +557,7 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       // If the result is a smi, it is *not* an object in the ECMA sense.
       // v0: result
       // sp[0]: receiver (newly allocated object)
-      // sp[1]: new.target
-      // sp[2]: number of arguments (smi-tagged)
+      // sp[1]: number of arguments (smi-tagged)
       __ JumpIfSmi(v0, &use_receiver);
 
       // If the type of the result (stored in its map) is less than
@@ -580,11 +575,10 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ bind(&exit);
       // v0: result
       // sp[0]: receiver (newly allocated object)
-      // sp[1]: new target
-      // sp[2]: number of arguments (smi-tagged)
-      __ ld(a1, MemOperand(sp, 2 * kPointerSize));
+      // sp[1]: number of arguments (smi-tagged)
+      __ ld(a1, MemOperand(sp, 1 * kPointerSize));
     } else {
-      __ ld(a1, MemOperand(sp, kPointerSize));
+      __ ld(a1, MemOperand(sp));
     }
 
     // Leave construct frame.

src/x64/builtins-x64.cc

@@ -278,10 +278,6 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ SmiToInteger32(rax, rax);
     }
 
-    // Push new.target onto the construct frame. This is stored just below the
-    // receiver on the stack.
-    __ Push(rdx);
-
     if (create_implicit_receiver) {
       // Push the allocated receiver to the stack. We need two copies
       // because we may have to return the original one and the calling
@@ -345,11 +341,11 @@ static void Generate_JSConstructStubHelper(MacroAssembler* masm,
       __ movp(rax, Operand(rsp, 0));
 
       // Restore the arguments count and leave the construct frame. The
-      // arguments count is stored below the reciever and the new.target.
+      // arguments count is stored below the receiver.
       __ bind(&exit);
-      __ movp(rbx, Operand(rsp, 2 * kPointerSize));
+      __ movp(rbx, Operand(rsp, 1 * kPointerSize));
     } else {
-      __ movp(rbx, Operand(rsp, kPointerSize));
+      __ movp(rbx, Operand(rsp, 0));
     }
 
     // Leave construct frame.