[arm64] Fix in Generate_JSBuiltinsConstructStubHelper for jssp removal

Even though a previous patch made the number of slots pushed/claimed on
the stack aligned, the boundary between frames was not a multiple of
two slots as well. We were pushing the number of arguments (which belongs
in the stub's frame) together with the arguments to pass to the
constructor function (which belong to the frame of the constructor
function). Those need to be separated so we can drop the arguments without
messing up the alignment.

Bug: v8:6644
Change-Id: I839a4ab9caf451623fbcf03dd8a8afe5879fef99
Reviewed-on: https://chromium-review.googlesource.com/771670
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#49391}

src/builtins/arm64/builtins-arm64.cc

@@ -213,30 +213,30 @@ void Generate_JSBuiltinsConstructStubHelper(MacroAssembler* masm) {
       __ Check(eq, kUnexpectedValue);
     }
 
-    // Add slots for the tagged argc and receiver, and round up to maintain
-    // alignment.
+    // Push number of arguments.
+    __ SmiTag(x11, argc);
+    __ Push(x11, padreg);
+
+    // Add a slot for the receiver, and round up to maintain alignment.
     Register slot_count = x2;
     Register slot_count_without_rounding = x12;
-    __ Add(slot_count_without_rounding, argc, 3);
+    __ Add(slot_count_without_rounding, argc, 2);
     __ Bic(slot_count, slot_count_without_rounding, 1);
     __ Claim(slot_count);
 
     // Preserve the incoming parameters on the stack.
     __ LoadRoot(x10, Heap::kTheHoleValueRootIndex);
-    __ SmiTag(x11, argc);
 
     // Compute a pointer to the slot immediately above the location on the
     // stack to which arguments will be later copied.
     __ SlotAddress(x2, argc);
 
-    // Poke the hole (receiver) and number of arguments (tagged) into the
-    // highest claimed slots, with padding between them if argc was odd.
-    __ Stp(x10, x11, MemOperand(x2));
+    // Poke the hole (receiver) in the highest slot.
+    __ Str(x10, MemOperand(x2));
     __ Tbnz(slot_count_without_rounding, 0, &already_aligned);
 
-    // Overwrite the previously written argc with padding, and store argc at the
-    // next highest slot.
-    __ Stp(padreg, x11, MemOperand(x2, 1 * kPointerSize));
+    // Store padding, if needed.
+    __ Str(padreg, MemOperand(x2, 1 * kPointerSize));
     __ Bind(&already_aligned);
 
     // Copy arguments to the expression stack.
@@ -254,13 +254,23 @@ void Generate_JSBuiltinsConstructStubHelper(MacroAssembler* masm) {
     //  --                     x0: number of arguments (untagged)
     //  --                     x1: constructor function
     //  --                     x3: new target
+    // If argc is odd:
     //  --     sp[0*kPointerSize]: argument n - 1
     //  --             ...
     //  -- sp[(n-1)*kPointerSize]: argument 0
     //  -- sp[(n+0)*kPointerSize]: the hole (receiver)
-    //  -- sp[(n+1)*kPointerSize]: optional padding, depending on argc.
-    //  -- sp[(n+1+(argc&1))*kPointerSize]: number of arguments (tagged)
-    //  -- sp[(n+2+(argc&1))*kPointerSize]: context (pushed by FrameScope)
+    //  -- sp[(n+1)*kPointerSize]: padding
+    //  -- sp[(n+2)*kPointerSize]: padding
+    //  -- sp[(n+3)*kPointerSize]: number of arguments (tagged)
+    //  -- sp[(n+4)*kPointerSize]: context (pushed by FrameScope)
+    // If argc is even:
+    //  --     sp[0*kPointerSize]: argument n - 1
+    //  --             ...
+    //  -- sp[(n-1)*kPointerSize]: argument 0
+    //  -- sp[(n+0)*kPointerSize]: the hole (receiver)
+    //  -- sp[(n+1)*kPointerSize]: padding
+    //  -- sp[(n+2)*kPointerSize]: number of arguments (tagged)
+    //  -- sp[(n+3)*kPointerSize]: context (pushed by FrameScope)
     // -----------------------------------
 
     // Call the function.