[turbofan] Frame size computation should include additional arguments

For adding stack checks in optimized code, we compute a conservative
estimate of the frame size in the case of a deoptimization. Earlier we
included the size of arguments adaptor frames used when actual arguments
didn't match formal parameter count. Though we don't have an explicit
adaptor frame, we should still include the size of these additional
arguments when computing the frame size.

Bug: chromium:1181240
Change-Id: Ib977c5492bb824762fe62aac5e4ffb1c2c233b86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2723252
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73094}

src/compiler/backend/instruction.cc

@@ -1012,7 +1012,10 @@ size_t GetConservativeFrameSizeInBytes(FrameStateType type,
       // The arguments adaptor frame state is only used in the deoptimizer and
       // does not occupy any extra space in the stack. Check out the design doc:
       // https://docs.google.com/document/d/150wGaUREaZI6YWqOQFD5l2mWQXaPbbZjcAIJLOFrzMs/edit
-      return 0;
+      // We just need to account for the additional parameters we might push
+      // here.
+      return UnoptimizedFrameInfo::GetStackSizeForAdditionalArguments(
+          static_cast<int>(parameters_count));
     case FrameStateType::kConstructStub: {
       auto info = ConstructStubFrameInfo::Conservative(
           static_cast<int>(parameters_count));

src/execution/frames.cc

@@ -2247,6 +2247,13 @@ UnoptimizedFrameInfo::UnoptimizedFrameInfo(int parameters_count_with_receiver,
   frame_size_in_bytes_ = frame_size_in_bytes_without_fixed_ + fixed_frame_size;
 }
 
+// static
+uint32_t UnoptimizedFrameInfo::GetStackSizeForAdditionalArguments(
+    int parameters_count) {
+  return (parameters_count + ArgumentPaddingSlots(parameters_count)) *
+         kSystemPointerSize;
+}
+
 ConstructStubFrameInfo::ConstructStubFrameInfo(int translation_height,
                                                bool is_topmost,
                                                FrameInfoKind frame_info_kind) {

src/execution/frames.h

@@ -1354,6 +1354,8 @@ class UnoptimizedFrameInfo {
             FrameInfoKind::kConservative};
   }
 
+  static uint32_t GetStackSizeForAdditionalArguments(int parameters_count);
+
   uint32_t register_stack_slot_count() const {
     return register_stack_slot_count_;
   }

test/mjsunit/regress/regress-1181240.js

@@ -0,0 +1,46 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function runNearStackLimit(f) {
+  function t() {
+    try {
+      t();
+    } catch (e) {
+      f(true);
+    }
+  }
+  t();
+}
+
+var a = {x: 10};
+var b = {y: 10};
+function inner(should_deopt) {
+  if (should_deopt == true) {
+    a.x;
+  }
+  return b.y;
+}
+
+%PrepareFunctionForOptimization(f);
+%PrepareFunctionForOptimization(inner);
+f(false);
+f(false);
+%OptimizeFunctionOnNextCall(f);
+f(false);
+
+function f(x) {
+  // Pass a large number of arguments so the stack check would fail.
+  inner(x,
+      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
+      );
+}
+
+runNearStackLimit(f);