From c9e0d7610314489a2cb34257905e49cc149d6f5e Mon Sep 17 00:00:00 2001
From: Victor Gomes
Date: Wed, 30 Nov 2022 12:55:22 +0100
Subject: [PATCH] [maglev] Fix empty arguments in PopReceiver

In case of empty arguments, we set the receiver_mode to kNullOrUndefined, which forces the new receiver to be null. But now `args` has a null receiver and 1 non-receiver argument. We *must* clear the argument vector to avoid using the old receiver as the first argument to FunctionPrototypeCall.

Bug: v8:7700
Change-Id: Ie23bfb28a50f484fbdd6caba55b44ffbaa806b34
Fixed: v8:13456
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4066479
Commit-Queue: Victor Gomes
Reviewed-by: Leszek Swirski
Commit-Queue: Leszek Swirski
Auto-Submit: Victor Gomes
Cr-Commit-Position: refs/heads/main@{#84571}
---
 src/maglev/maglev-graph-builder.cc | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
index 4925350c85..61043afdeb 100644
--- a/src/maglev/maglev-graph-builder.cc
+++ b/src/maglev/maglev-graph-builder.cc
@@ -163,19 +163,17 @@ class CallArguments {
   void PopReceiver(ConvertReceiverMode new_receiver_mode) {
     DCHECK_NE(receiver_mode_, ConvertReceiverMode::kNullOrUndefined);
     DCHECK_NE(new_receiver_mode, ConvertReceiverMode::kNullOrUndefined);
-
-    if (count() == 0) {
-      // If there is no non-receiver argument to become the new receiver,
-      // consider the new receiver to be known undefined.
-      receiver_mode_ = ConvertReceiverMode::kNullOrUndefined;
-    } else {
-      // TODO(victorgomes): Do this better!
-      for (size_t i = 0; i < args_.size() - 1; i++) {
-        args_[i] = args_[i + 1];
-      }
-      args_.pop_back();
-      receiver_mode_ = new_receiver_mode;
+    DCHECK_GT(args_.size(), 0);  // We have at least a receiver to pop!
+    // TODO(victorgomes): Do this better!
+    for (size_t i = 0; i < args_.size() - 1; i++) {
+      args_[i] = args_[i + 1];
     }
+    args_.pop_back();
+
+    // If there is no non-receiver argument to become the new receiver,
+    // consider the new receiver to be known undefined.
+    receiver_mode_ = args_.size() == 0 ? ConvertReceiverMode::kNullOrUndefined
+                                       : new_receiver_mode;
   }
 
  private:
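Review bot: The new shift loop's bound `args_.size() - 1` underflows to SIZE_MAX when `args_` is empty, and the `DCHECK_GT` that is meant to rule that out is compiled out of release builds, so a broken caller invariant would turn into an out-of-bounds read/write followed by `pop_back()` on an empty container rather than a diagnosable failure. Writing the loop as `for (size_t i = 1; i < args_.size(); i++) args_[i - 1] = args_[i];` removes the subtraction, so the release path simply does not iterate in that case and the intent (shift everything down by one) reads more directly. If the container behind `args_` supports it, the loop plus `args_.pop_back()` collapse to `args_.erase(args_.begin());`, which would also retire the `TODO(victorgomes)`; either way the trailing `args_.size() == 0` is more idiomatically `args_.empty()`.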