From d8cd42360dfbbf4f7b0668ea0334ac300426fbaa Mon Sep 17 00:00:00 2001
From: Leszek Swirski
Date: Thu, 12 Jan 2023 13:28:05 +0100
Subject: [PATCH] [maglev] Ensure CheckedObjectToIndex zero extends

Use SmiToInt32 instead of SmiUntag to get a zero extended value in CheckedObjectToIndex.

Bug: v8:7700
Change-Id: I034039781d8db106713e54ebaf72672c261b8fc1
Fixed: chromium:1406573
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4161759
Commit-Queue: Victor Gomes
Auto-Submit: Leszek Swirski
Reviewed-by: Victor Gomes
Cr-Commit-Position: refs/heads/main@{#85252}
---
 src/codegen/x64/macro-assembler-x64.cc | 6 ++++++
 src/codegen/x64/macro-assembler-x64.h | 1 +
 src/maglev/arm64/maglev-ir-arm64.cc | 4 ++--
 src/maglev/x64/maglev-ir-x64.cc | 4 ++--
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/codegen/x64/macro-assembler-x64.cc b/src/codegen/x64/macro-assembler-x64.cc
index 035629ca8d..e489efa058 100644
--- a/src/codegen/x64/macro-assembler-x64.cc
+++ b/src/codegen/x64/macro-assembler-x64.cc
@@ -1580,6 +1580,12 @@ void TurboAssembler::SmiToInt32(Register reg) {
 }
 }
+void TurboAssembler::SmiToInt32(Register dst, Register src) {
+ DCHECK(dst != src);
+ mov_tagged(dst, src);
+ SmiToInt32(dst);
+}
+
 void TurboAssembler::SmiCompare(Register smi1, Register smi2) {
 AssertSmi(smi1);
 AssertSmi(smi2);
diff --git a/src/codegen/x64/macro-assembler-x64.h b/src/codegen/x64/macro-assembler-x64.h
index d596feb042..4d0ce5cd84 100644
--- a/src/codegen/x64/macro-assembler-x64.h
+++ b/src/codegen/x64/macro-assembler-x64.h
@@ -367,6 +367,7 @@ class V8_EXPORT_PRIVATE TurboAssembler
 // Convert smi to 32-bit value.
 void SmiToInt32(Register reg);
+ void SmiToInt32(Register dst, Register src);
 // Loads the address of the external reference into the destination
 // register.
diff --git a/src/maglev/arm64/maglev-ir-arm64.cc b/src/maglev/arm64/maglev-ir-arm64.cc
index 10d8ffcc14..93945f3e5d 100644
--- a/src/maglev/arm64/maglev-ir-arm64.cc
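Review bot: In the new `TurboAssembler::SmiToInt32(Register dst, Register src)` (src/codegen/x64/macro-assembler-x64.cc), `DCHECK(dst != src)` is a debug-only check that pushes the aliasing decision onto every caller, which is why both Maglev call sites in this patch keep an `if (result_reg == object)` branch. The helper could accept aliased registers itself by replacing the DCHECK and the move with `if (dst != src) mov_tagged(dst, src);`, after which the x64 caller could use the two-register form unconditionally. If the DCHECK is kept to match neighbouring helpers, a one-line comment such as `// Callers must handle dst == src via the one-register overload.` would make the contract explicit.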
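Review bot: The existing comment `// Convert smi to 32-bit value.` in src/codegen/x64/macro-assembler-x64.h now covers both overloads but does not state the property this fix depends on, namely that the result is zero-extended (per the commit description), nor that the new overload requires distinct registers. Suggest extending it to something like `// Convert smi to a 32-bit value, zero-extended into the full register. The two-register form requires dst != src.` so that later callers choose between this and SmiUntag deliberately. The class body continues outside the hunk.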
+++ b/src/maglev/arm64/maglev-ir-arm64.cc
@@ -790,9 +790,9 @@ void CheckedObjectToIndex::GenerateCode(MaglevAssembler* masm,
 // If we didn't enter the deferred block, we're a Smi.
 if (result_reg == object) {
- __ SmiUntag(object);
+ __ SmiToInt32(result_reg);
 } else {
- __ SmiUntag(result_reg, object);
+ __ SmiToInt32(result_reg, object);
 }
 __ bind(*done);
diff --git a/src/maglev/x64/maglev-ir-x64.cc b/src/maglev/x64/maglev-ir-x64.cc
index 1a37b546f2..a4e616d9c6 100644
--- a/src/maglev/x64/maglev-ir-x64.cc
+++ b/src/maglev/x64/maglev-ir-x64.cc
@@ -714,9 +714,9 @@ void CheckedObjectToIndex::GenerateCode(MaglevAssembler* masm,
 // If we didn't enter the deferred block, we're a Smi.
 if (result_reg == object) {
- __ SmiUntag(object);
+ __ SmiToInt32(result_reg);
 } else {
- __ SmiUntag(result_reg, object);
+ __ SmiToInt32(result_reg, object);
 }
 __ bind(*done);
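Review bot: Neither `SmiToInt32` call in `CheckedObjectToIndex::GenerateCode` (src/maglev/arm64/maglev-ir-arm64.cc) carries a comment explaining why the zero-extending helper is required, so a later cleanup could swap `SmiUntag` back in without noticing the difference; the same applies to the identical hunk in src/maglev/x64/maglev-ir-x64.cc. Suggest adding above the `if (result_reg == object)` line: `// Use SmiToInt32, not SmiUntag: the index must be zero-extended to the full register.` This patch adds the two-register `SmiToInt32` overload only for x64, so the arm64 overload called here presumably already exists; it is worth confirming that it also clears the upper 32 bits. GenerateCode starts and ends outside the hunk.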
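Review bot: No test accompanies the switch to `SmiToInt32` in src/maglev/x64/maglev-ir-x64.cc or its arm64 counterpart: the diffstat lists only four files under src/, although the commit is tagged `Fixed: chromium:1406573`. A regression test that runs `CheckedObjectToIndex` under Maglev with Smi inputs for which sign- and zero-extension differ, and compares the outcome with the non-optimized result, would keep both backends from regressing. If the test is deliberately being landed separately, a reference to the follow-up in the description would help reviewers track it. GenerateCode starts and ends outside the hunk.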