deoptimizer.cc

Go to the documentation of this file.

// Copyright 2013 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
 
#include "src/deoptimizer/deoptimizer.h"
 
#include <optional>
 
#include "src/base/memory.h"
#include "src/codegen/interface-descriptors.h"
#include "src/codegen/register-configuration.h"
#include "src/codegen/reloc-info.h"
#include "src/debug/debug.h"
#include "src/deoptimizer/deoptimized-frame-info.h"
#include "src/deoptimizer/materialized-object-store.h"
#include "src/deoptimizer/translated-state.h"
#include "src/execution/frames-inl.h"
#include "src/execution/isolate.h"
#include "src/execution/pointer-authentication.h"
#include "src/execution/v8threads.h"
#include "src/handles/handles-inl.h"
#include "src/heap/heap-inl.h"
#include "src/logging/counters.h"
#include "src/logging/log.h"
#include "src/logging/runtime-call-stats-scope.h"
#include "src/objects/deoptimization-data.h"
#include "src/objects/js-function-inl.h"
#include "src/objects/oddball.h"
#include "src/snapshot/embedded/embedded-data.h"
#include "src/utils/utils.h"
 
#if V8_ENABLE_WEBASSEMBLY
#include "src/wasm/baseline/liftoff-compiler.h"
#include "src/wasm/baseline/liftoff-varstate.h"
#include "src/wasm/compilation-environment-inl.h"
#include "src/wasm/function-compiler.h"
#include "src/wasm/signature-hashing.h"
#include "src/wasm/wasm-deopt-data.h"
#include "src/wasm/wasm-engine.h"
#include "src/wasm/wasm-linkage.h"
#endif  // V8_ENABLE_WEBASSEMBLY
 
namespace v8 {
 
using base::Memory;
 
namespace internal {
 
namespace {
 
class DeoptimizableCodeIterator {
 public:
  explicit DeoptimizableCodeIterator(Isolate* isolate);
  DeoptimizableCodeIterator(const DeoptimizableCodeIterator&) = delete;
  DeoptimizableCodeIterator& operator=(const DeoptimizableCodeIterator&) =
      delete;
  Tagged<Code> Next();
 
 private:
  Isolate* const isolate_;
  std::unique_ptr<SafepointScope> safepoint_scope_;
  std::unique_ptr<ObjectIterator> object_iterator_;
  enum { kIteratingCodeSpace, kIteratingCodeLOSpace, kDone } state_;
 
  DISALLOW_GARBAGE_COLLECTION(no_gc)
};
 
DeoptimizableCodeIterator::DeoptimizableCodeIterator(Isolate* isolate)
    : isolate_(isolate),
      safepoint_scope_(std::make_unique<SafepointScope>(
          isolate, isolate->is_shared_space_isolate()
                       ? SafepointKind::kGlobal
                       : SafepointKind::kIsolate)),
      object_iterator_(
          isolate->heap()->code_space()->GetObjectIterator(isolate->heap())),
      state_(kIteratingCodeSpace) {}
 
Tagged<Code> DeoptimizableCodeIterator::Next() {
  while (true) {
    Tagged<HeapObject> object = object_iterator_->Next();
    if (object.is_null()) {
      // No objects left in the current iterator, try to move to the next space
      // based on the state.
      switch (state_) {
        case kIteratingCodeSpace: {
          object_iterator_ =
              isolate_->heap()->code_lo_space()->GetObjectIterator(
                  isolate_->heap());
          state_ = kIteratingCodeLOSpace;
          continue;
        }
        case kIteratingCodeLOSpace:
          // No other spaces to iterate, so clean up and we're done. Keep the
          // object iterator so that it keeps returning null on Next(), to avoid
          // needing to branch on state_ before the while loop, but drop the
          // safepoint scope since we no longer need to stop the heap from
          // moving.
          safepoint_scope_.reset();
          state_ = kDone;
          [[fallthrough]];
        case kDone:
          return Code();
      }
    }
    Tagged<InstructionStream> istream = Cast<InstructionStream>(object);
    Tagged<Code> code;
    if (!istream->TryGetCode(&code, kAcquireLoad)) continue;
    if (!CodeKindCanDeoptimize(code->kind())) continue;
    return code;
  }
}
 
}  // namespace
 
// {FrameWriter} offers a stack writer abstraction for writing
// FrameDescriptions. The main service the class provides is managing
// {top_offset_}, i.e. the offset of the next slot to write to.
//
// Note: Not in an anonymous namespace due to the friend class declaration
// in Deoptimizer.
class FrameWriter {
 public:
  static const int NO_INPUT_INDEX = -1;
  FrameWriter(Deoptimizer* deoptimizer, FrameDescription* frame,
              CodeTracer::Scope* trace_scope)
      : deoptimizer_(deoptimizer),
        frame_(frame),
        trace_scope_(trace_scope),
        top_offset_(frame->GetFrameSize()) {}
 
  void PushRawValue(intptr_t value, const char* debug_hint) {
    PushValue(value);
    if (trace_scope_ != nullptr) {
      DebugPrintOutputValue(value, debug_hint);
    }
  }
 
  void PushRawObject(Tagged<Object> obj, const char* debug_hint) {
    intptr_t value = obj.ptr();
    PushValue(value);
    if (trace_scope_ != nullptr) {
      DebugPrintOutputObject(obj, top_offset_, debug_hint);
    }
  }
 
  // There is no check against the allowed addresses for bottommost frames, as
  // the caller's pc could be anything. The caller's pc pushed here should never
  // be re-signed.
  void PushBottommostCallerPc(intptr_t pc) {
    top_offset_ -= kPCOnStackSize;
    frame_->SetFrameSlot(top_offset_, pc);
    DebugPrintOutputPc(pc, "bottommost caller's pc\n");
  }
 
  void PushApprovedCallerPc(intptr_t pc) {
    top_offset_ -= kPCOnStackSize;
    frame_->SetCallerPc(top_offset_, pc);
    DebugPrintOutputPc(pc, "caller's pc\n");
  }
 
  void PushCallerFp(intptr_t fp) {
    top_offset_ -= kFPOnStackSize;
    frame_->SetCallerFp(top_offset_, fp);
    DebugPrintOutputValue(fp, "caller's fp\n");
  }
 
  void PushCallerConstantPool(intptr_t cp) {
    top_offset_ -= kSystemPointerSize;
    frame_->SetCallerConstantPool(top_offset_, cp);
    DebugPrintOutputValue(cp, "caller's constant_pool\n");
  }
 
  void PushTranslatedValue(const TranslatedFrame::iterator& iterator,
                           const char* debug_hint = "") {
    Tagged<Object> obj = iterator->GetRawValue();
    PushRawObject(obj, debug_hint);
    if (trace_scope_ != nullptr) {
      PrintF(trace_scope_->file(), " (input #%d)\n", iterator.input_index());
    }
    deoptimizer_->QueueValueForMaterialization(output_address(top_offset_), obj,
                                               iterator);
  }
 
  void PushFeedbackVectorForMaterialization(
      const TranslatedFrame::iterator& iterator) {
    // Push a marker temporarily.
    PushRawObject(ReadOnlyRoots(deoptimizer_->isolate()).arguments_marker(),
                  "feedback vector");
    deoptimizer_->QueueFeedbackVectorForMaterialization(
        output_address(top_offset_), iterator);
  }
 
  void PushStackJSArguments(TranslatedFrame::iterator& iterator,
                            int parameters_count) {
    std::vector<TranslatedFrame::iterator> parameters;
    parameters.reserve(parameters_count);
    for (int i = 0; i < parameters_count; ++i, ++iterator) {
      parameters.push_back(iterator);
    }
    for (auto& parameter : base::Reversed(parameters)) {
      PushTranslatedValue(parameter, "stack parameter");
    }
  }
 
  unsigned top_offset() const { return top_offset_; }
 
  FrameDescription* frame() { return frame_; }
 
 private:
  void PushValue(intptr_t value) {
    CHECK_GE(top_offset_, 0);
    top_offset_ -= kSystemPointerSize;
    frame_->SetFrameSlot(top_offset_, value);
  }
 
  Address output_address(unsigned output_offset) {
    Address output_address =
        static_cast<Address>(frame_->GetTop()) + output_offset;
    return output_address;
  }
 
  void DebugPrintOutputValue(intptr_t value, const char* debug_hint = "") {
    if (trace_scope_ != nullptr) {
      PrintF(trace_scope_->file(),
             "    " V8PRIxPTR_FMT ": [top + %3d] <- " V8PRIxPTR_FMT " ;  %s",
             output_address(top_offset_), top_offset_, value, debug_hint);
    }
  }
 
  void DebugPrintOutputPc(intptr_t value, const char* debug_hint = "") {
#ifdef V8_ENABLE_CONTROL_FLOW_INTEGRITY
    if (trace_scope_ != nullptr) {
      PrintF(trace_scope_->file(),
             "    " V8PRIxPTR_FMT ": [top + %3d] <- " V8PRIxPTR_FMT
             " (signed) " V8PRIxPTR_FMT " (unsigned) ;  %s",
             output_address(top_offset_), top_offset_, value,
             PointerAuthentication::StripPAC(value), debug_hint);
    }
#else
    DebugPrintOutputValue(value, debug_hint);
#endif
  }
 
  void DebugPrintOutputObject(Tagged<Object> obj, unsigned output_offset,
                              const char* debug_hint = "") {
    if (trace_scope_ != nullptr) {
      PrintF(trace_scope_->file(), "    " V8PRIxPTR_FMT ": [top + %3d] <- ",
             output_address(output_offset), output_offset);
      if (IsSmi(obj)) {
        PrintF(trace_scope_->file(), V8PRIxPTR_FMT " <Smi %d>", obj.ptr(),
               Cast<Smi>(obj).value());
      } else {
        ShortPrint(obj, trace_scope_->file());
      }
      PrintF(trace_scope_->file(), " ;  %s", debug_hint);
    }
  }
 
  Deoptimizer* deoptimizer_;
  FrameDescription* frame_;
  CodeTracer::Scope* const trace_scope_;
  unsigned top_offset_;
};
 
// We rely on this function not causing a GC. It is called from generated code
// without having a real stack frame in place.
Deoptimizer* Deoptimizer::New(Address raw_function, DeoptimizeKind kind,
                              Address from, int fp_to_sp_delta,
                              Isolate* isolate) {
  // This is zero for wasm.
  Tagged<JSFunction> function =
      raw_function != 0 ? Cast<JSFunction>(Tagged<Object>(raw_function))
                        : Tagged<JSFunction>();
  Deoptimizer* deoptimizer =
      new Deoptimizer(isolate, function, kind, from, fp_to_sp_delta);
  isolate->set_current_deoptimizer(deoptimizer);
  return deoptimizer;
}
 
Deoptimizer* Deoptimizer::Grab(Isolate* isolate) {
  Deoptimizer* result = isolate->GetAndClearCurrentDeoptimizer();
  result->DeleteFrameDescriptions();
  return result;
}
 
size_t Deoptimizer::DeleteForWasm(Isolate* isolate) {
  // The deoptimizer disallows garbage collections.
  DCHECK(!AllowGarbageCollection::IsAllowed());
  Deoptimizer* deoptimizer = Deoptimizer::Grab(isolate);
  int output_count = deoptimizer->output_count();
  delete deoptimizer;
  // Now garbage collections are allowed again.
  DCHECK(AllowGarbageCollection::IsAllowed());
  return output_count;
}
 
DeoptimizedFrameInfo* Deoptimizer::DebuggerInspectableFrame(
    JavaScriptFrame* frame, int jsframe_index, Isolate* isolate) {
  CHECK(frame->is_optimized_js());
 
  TranslatedState translated_values(frame);
  translated_values.Prepare(frame->fp());
 
  TranslatedState::iterator frame_it = translated_values.end();
  int counter = jsframe_index;
  for (auto it = translated_values.begin(); it != translated_values.end();
       it++) {
    if (it->kind() == TranslatedFrame::kUnoptimizedFunction ||
        it->kind() == TranslatedFrame::kJavaScriptBuiltinContinuation ||
        it->kind() ==
            TranslatedFrame::kJavaScriptBuiltinContinuationWithCatch) {
      if (counter == 0) {
        frame_it = it;
        break;
      }
      counter--;
    }
  }
  CHECK(frame_it != translated_values.end());
  // We only include kJavaScriptBuiltinContinuation frames above to get the
  // counting right.
  CHECK_EQ(frame_it->kind(), TranslatedFrame::kUnoptimizedFunction);
 
  DeoptimizedFrameInfo* info =
      new DeoptimizedFrameInfo(&translated_values, frame_it, isolate);
 
  return info;
}
 
namespace {
class ActivationsFinder : public ThreadVisitor {
 public:
  ActivationsFinder(Tagged<GcSafeCode> topmost_optimized_code,
                    bool safe_to_deopt_topmost_optimized_code) {
#ifdef DEBUG
    topmost_ = topmost_optimized_code;
    safe_to_deopt_ = safe_to_deopt_topmost_optimized_code;
#endif
  }
 
  // Find the frames with activations of codes marked for deoptimization, search
  // for the trampoline to the deoptimizer call respective to each code, and use
  // it to replace the current pc on the stack.
  void VisitThread(Isolate* isolate, ThreadLocalTop* top) override {
    for (StackFrameIterator it(isolate, top); !it.done(); it.Advance()) {
      if (it.frame()->is_optimized_js()) {
        Tagged<GcSafeCode> code = it.frame()->GcSafeLookupCode();
        if (CodeKindCanDeoptimize(code->kind()) &&
            code->marked_for_deoptimization()) {
          // Obtain the trampoline to the deoptimizer call.
          int trampoline_pc;
          if (code->is_maglevved()) {
            MaglevSafepointEntry safepoint = MaglevSafepointTable::FindEntry(
                isolate, code, it.frame()->pc());
            trampoline_pc = safepoint.trampoline_pc();
          } else {
            SafepointEntry safepoint = SafepointTable::FindEntry(
                isolate, code, it.frame()->maybe_unauthenticated_pc());
            trampoline_pc = safepoint.trampoline_pc();
          }
          // TODO(saelo): currently we have to use full pointer comparison as
          // builtin Code is still inside the sandbox while runtime-generated
          // Code is in trusted space.
          static_assert(!kAllCodeObjectsLiveInTrustedSpace);
          DCHECK_IMPLIES(code.SafeEquals(topmost_), safe_to_deopt_);
          static_assert(SafepointEntry::kNoTrampolinePC == -1);
          CHECK_GE(trampoline_pc, 0);
          if (!it.frame()->InFastCCall()) {
            Address new_pc = code->instruction_start() + trampoline_pc;
            if (v8_flags.cet_compatible) {
              Address pc = *it.frame()->pc_address();
              Deoptimizer::PatchToJump(pc, new_pc);
            } else {
              // Replace the current pc on the stack with the trampoline.
              // TODO(v8:10026): avoid replacing a signed pointer.
              Address* pc_addr = it.frame()->pc_address();
              PointerAuthentication::ReplacePC(pc_addr, new_pc,
                                               kSystemPointerSize);
            }
          }
        }
      }
    }
  }
 
 private:
#ifdef DEBUG
  Tagged<GcSafeCode> topmost_;
  bool safe_to_deopt_;
#endif
};
}  // namespace
 
// Replace pc on the stack for codes marked for deoptimization.
// static
void Deoptimizer::DeoptimizeMarkedCode(Isolate* isolate) {
  DisallowGarbageCollection no_gc;
 
  Tagged<GcSafeCode> topmost_optimized_code;
  bool safe_to_deopt_topmost_optimized_code = false;
#ifdef DEBUG
  // Make sure all activations of optimized code can deopt at their current PC.
  // The topmost optimized code has special handling because it cannot be
  // deoptimized due to weak object dependency.
  for (StackFrameIterator it(isolate, isolate->thread_local_top()); !it.done();
       it.Advance()) {
    if (it.frame()->is_optimized_js()) {
      Tagged<GcSafeCode> code = it.frame()->GcSafeLookupCode();
      Tagged<JSFunction> function =
          static_cast<OptimizedJSFrame*>(it.frame())->function();
      TraceFoundActivation(isolate, function);
      bool safe_if_deopt_triggered;
      if (code->is_maglevved()) {
        MaglevSafepointEntry safepoint =
            MaglevSafepointTable::FindEntry(isolate, code, it.frame()->pc());
        safe_if_deopt_triggered = safepoint.has_deoptimization_index();
      } else {
        SafepointEntry safepoint = SafepointTable::FindEntry(
            isolate, code, it.frame()->maybe_unauthenticated_pc());
        safe_if_deopt_triggered = safepoint.has_deoptimization_index();
      }
 
      // Deopt is checked when we are patching addresses on stack.
      bool is_builtin_code = code->kind() == CodeKind::BUILTIN;
      DCHECK(topmost_optimized_code.is_null() || safe_if_deopt_triggered ||
             is_builtin_code);
      if (topmost_optimized_code.is_null()) {
        topmost_optimized_code = code;
        safe_to_deopt_topmost_optimized_code = safe_if_deopt_triggered;
      }
    }
  }
#endif
 
  ActivationsFinder visitor(topmost_optimized_code,
                            safe_to_deopt_topmost_optimized_code);
  // Iterate over the stack of this thread.
  visitor.VisitThread(isolate, isolate->thread_local_top());
  // In addition to iterate over the stack of this thread, we also
  // need to consider all the other threads as they may also use
  // the code currently beings deoptimized.
  isolate->thread_manager()->IterateArchivedThreads(&visitor);
}
 
void Deoptimizer::DeoptimizeAll(Isolate* isolate) {
  RCS_SCOPE(isolate, RuntimeCallCounterId::kDeoptimizeCode);
  TimerEventScope<TimerEventDeoptimizeCode> timer(isolate);
  TRACE_EVENT0("v8", "V8.DeoptimizeCode");
  TraceDeoptAll(isolate);
  isolate->AbortConcurrentOptimization(BlockingBehavior::kBlock);
 
  // Mark all code, then deoptimize.
  {
    DeoptimizableCodeIterator it(isolate);
    for (Tagged<Code> code = it.Next(); !code.is_null(); code = it.Next()) {
      code->SetMarkedForDeoptimization(isolate,
                                       LazyDeoptimizeReason::kDebugger);
    }
  }
 
  DeoptimizeMarkedCode(isolate);
}
 
// static
void Deoptimizer::DeoptimizeFunction(Tagged<JSFunction> function,
                                     LazyDeoptimizeReason reason,
                                     Tagged<Code> code) {
  Isolate* isolate = function->GetIsolate();
  RCS_SCOPE(isolate, RuntimeCallCounterId::kDeoptimizeCode);
  TimerEventScope<TimerEventDeoptimizeCode> timer(isolate);
  TRACE_EVENT0("v8", "V8.DeoptimizeCode");
  function->ResetIfCodeFlushed(isolate);
  if (code.is_null()) code = function->code(isolate);
 
  if (CodeKindCanDeoptimize(code->kind())) {
    // Mark the code for deoptimization and unlink any functions that also
    // refer to that code. The code cannot be shared across native contexts,
    // so we only need to search one.
    code->SetMarkedForDeoptimization(isolate, reason);
#ifndef V8_ENABLE_LEAPTIERING_BOOL
    // The code in the function's optimized code feedback vector slot might
    // be different from the code on the function - evict it if necessary.
    function->feedback_vector()->EvictOptimizedCodeMarkedForDeoptimization(
        isolate, function->shared(), "unlinking code marked for deopt");
#endif  // !V8_ENABLE_LEAPTIERING_BOOL
 
    DeoptimizeMarkedCode(isolate);
  }
}
 
// static
void Deoptimizer::DeoptimizeAllOptimizedCodeWithFunction(
    Isolate* isolate, DirectHandle<SharedFunctionInfo> function) {
  RCS_SCOPE(isolate, RuntimeCallCounterId::kDeoptimizeCode);
  TimerEventScope<TimerEventDeoptimizeCode> timer(isolate);
  TRACE_EVENT0("v8", "V8.DeoptimizeAllOptimizedCodeWithFunction");
 
  // Make sure no new code is compiled with the function.
  isolate->AbortConcurrentOptimization(BlockingBehavior::kBlock);
 
  // Mark all code that inlines this function, then deoptimize.
  bool any_marked = false;
  {
    DeoptimizableCodeIterator it(isolate);
    for (Tagged<Code> code = it.Next(); !code.is_null(); code = it.Next()) {
      if (code->Inlines(*function)) {
        code->SetMarkedForDeoptimization(isolate,
                                         LazyDeoptimizeReason::kDebugger);
        any_marked = true;
      }
    }
  }
  if (any_marked) {
    DeoptimizeMarkedCode(isolate);
  }
}
 
#define DEOPTIMIZATION_HELPER_BUILTINS(V)                                    \
  V(Builtin::kInterpreterEnterAtBytecode,                                    \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kInterpreterEnterAtNextBytecode,                                \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kContinueToCodeStubBuiltinWithResult,                           \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kContinueToCodeStubBuiltin,                                     \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kContinueToJavaScriptBuiltinWithResult,                         \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kContinueToJavaScriptBuiltin,                                   \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kRestartFrameTrampoline,                                        \
    deopt_pc_offset_after_adapt_shadow_stack)                                \
  V(Builtin::kJSConstructStubGeneric, construct_stub_create_deopt_pc_offset) \
  V(Builtin::kInterpreterPushArgsThenFastConstructFunction,                  \
    construct_stub_invoke_deopt_pc_offset)
 
// static
Address Deoptimizer::EnsureValidReturnAddress(Isolate* isolate,
                                              Address address) {
  // TODO(42201233): We should make sure everything here we use for validation
  // (builtins array, code object, and offset values) are not writable.
  Builtins* builtins = isolate->builtins();
  Heap* heap = isolate->heap();
#define CHECK_BUILTIN(builtin, offset)                                        \
  if (builtins->code(builtin)->instruction_start() + heap->offset().value() - \
          Deoptimizer::kAdaptShadowStackOffsetToSubtract ==                   \
      address)                                                                \
    return address;
 
  DEOPTIMIZATION_HELPER_BUILTINS(CHECK_BUILTIN)
#undef CHECK_BUILTIN
 
  // NotifyDeoptimized is used for continuation.
  if (builtins->code(Builtin::kNotifyDeoptimized)->instruction_start() ==
      address)
    return address;
 
#if V8_ENABLE_WEBASSEMBLY
  if (v8_flags.wasm_deopt &&
      wasm::GetWasmCodeManager()->LookupCode(isolate, address) != nullptr) {
    // TODO(42204618): This does not check for the PC being a valid "deopt
    // point" but could be any arbitrary address inside a wasm code object
    // (including pointing into the middle of an instruction).
    return address;
  }
#endif
 
  CHECK_WITH_MSG(false, "Not allowed return address");
}
 
void Deoptimizer::ComputeOutputFrames(Deoptimizer* deoptimizer) {
  deoptimizer->DoComputeOutputFrames();
}
 
const char* Deoptimizer::MessageFor(DeoptimizeKind kind) {
  switch (kind) {
    case DeoptimizeKind::kEager:
      return "deopt-eager";
    case DeoptimizeKind::kLazy:
      return "deopt-lazy";
  }
}
 
Deoptimizer::Deoptimizer(Isolate* isolate, Tagged<JSFunction> function,
                         DeoptimizeKind kind, Address from, int fp_to_sp_delta)
    : isolate_(isolate),
      function_(function),
      deopt_exit_index_(kFixedExitSizeMarker),
      deopt_kind_(kind),
      from_(from),
      fp_to_sp_delta_(fp_to_sp_delta),
      deoptimizing_throw_(false),
      catch_handler_data_(-1),
      catch_handler_pc_offset_(-1),
      restart_frame_index_(-1),
      input_(nullptr),
      output_count_(0),
      output_(nullptr),
      caller_frame_top_(0),
      caller_fp_(0),
      caller_pc_(0),
      caller_constant_pool_(0),
      actual_argument_count_(0),
      stack_fp_(0),
      trace_scope_(v8_flags.trace_deopt || v8_flags.log_deopt
                       ? new CodeTracer::Scope(isolate->GetCodeTracer())
                       : nullptr) {
  if (isolate->deoptimizer_lazy_throw()) {
    CHECK_EQ(kind, DeoptimizeKind::kLazy);
    isolate->set_deoptimizer_lazy_throw(false);
    deoptimizing_throw_ = true;
  }
 
  if (isolate->debug()->IsRestartFrameScheduled()) {
    CHECK(deoptimizing_throw_);
    restart_frame_index_ = isolate->debug()->restart_inline_frame_index();
    CHECK_GE(restart_frame_index_, 0);
    isolate->debug()->clear_restart_frame();
  }
 
  DCHECK_NE(from, kNullAddress);
 
#ifdef DEBUG
  DCHECK(AllowGarbageCollection::IsAllowed());
  disallow_garbage_collection_ = new DisallowGarbageCollection();
#endif  // DEBUG
 
#if V8_ENABLE_WEBASSEMBLY
  if (v8_flags.wasm_deopt && function.is_null()) {
#if V8_ENABLE_SANDBOX
    no_heap_access_during_wasm_deopt_ =
        SandboxHardwareSupport::MaybeBlockAccess();
#endif
    wasm::WasmCode* code =
        wasm::GetWasmCodeManager()->LookupCode(isolate, from);
    compiled_optimized_wasm_code_ = code;
    DCHECK_NOT_NULL(code);
    CHECK_EQ(code->kind(), wasm::WasmCode::kWasmFunction);
    wasm::WasmDeoptView deopt_view(code->deopt_data());
    const wasm::WasmDeoptData& deopt_data = deopt_view.GetDeoptData();
    DCHECK_NE(deopt_data.translation_array_size, 0);
    CHECK_GE(from, deopt_data.deopt_exit_start_offset);
    Address deopt_exit_offset = from - code->instruction_start();
    // All eager deopt exits are calls "at the end" of the code to the builtin
    // generated by Generate_DeoptimizationEntry_Eager. These calls have a fixed
    // size kEagerDeoptExitsSize and the deopt data contains the offset of the
    // first such call to the beginning of the code, so we can map any PC of
    // such call to a unique index for this deopt point.
    deopt_exit_index_ =
        static_cast<uint32_t>(deopt_exit_offset -
                              deopt_data.deopt_exit_start_offset -
                              kEagerDeoptExitSize) /
        kEagerDeoptExitSize;
 
    // Note: The parameter stack slots are not really part of the frame.
    // However, the deoptimizer needs access to the incoming parameter values
    // and therefore they need to be included in the FrameDescription. Between
    // the parameters and the actual frame there are 2 pointers (the caller's pc
    // and saved stack pointer) that therefore also need to be included. Both
    // pointers as well as the incoming parameter stack slots are going to be
    // copied into the outgoing FrameDescription which will "push" them back
    // onto the stack. (This is consistent with how JS handles this.)
    const wasm::FunctionSig* sig =
        code->native_module()->module()->functions[code->index()].sig;
    int parameter_stack_slots, return_stack_slots;
    GetWasmStackSlotsCounts(sig, &parameter_stack_slots, &return_stack_slots);
 
    unsigned input_frame_size = fp_to_sp_delta +
                                parameter_stack_slots * kSystemPointerSize +
                                CommonFrameConstants::kFixedFrameSizeAboveFp;
    input_ = FrameDescription::Create(input_frame_size, parameter_stack_slots,
                                      isolate_);
    return;
  }
#endif
 
  compiled_code_ = isolate_->heap()->FindCodeForInnerPointer(from);
  DCHECK(!compiled_code_.is_null());
  DCHECK(IsCode(compiled_code_));
 
  DCHECK(IsJSFunction(function));
  CHECK(CodeKindCanDeoptimize(compiled_code_->kind()));
  {
    HandleScope scope(isolate_);
    PROFILE(isolate_, CodeDeoptEvent(direct_handle(compiled_code_, isolate_),
                                     kind, from_, fp_to_sp_delta_));
  }
  unsigned size = ComputeInputFrameSize();
  const int parameter_count = compiled_code_->parameter_count();
  DCHECK_EQ(
      parameter_count,
      function->shared()->internal_formal_parameter_count_with_receiver());
  input_ = FrameDescription::Create(size, parameter_count, isolate_);
 
  DCHECK_EQ(deopt_exit_index_, kFixedExitSizeMarker);
  // Calculate the deopt exit index from return address.
  DCHECK_GT(kEagerDeoptExitSize, 0);
  DCHECK_GT(kLazyDeoptExitSize, 0);
  Tagged<DeoptimizationData> deopt_data =
      Cast<DeoptimizationData>(compiled_code_->deoptimization_data());
  Address deopt_start = compiled_code_->instruction_start() +
                        deopt_data->DeoptExitStart().value();
  int eager_deopt_count = deopt_data->EagerDeoptCount().value();
  Address lazy_deopt_start =
      deopt_start + eager_deopt_count * kEagerDeoptExitSize;
  // The deoptimization exits are sorted so that lazy deopt exits appear after
  // eager deopts.
  static_assert(static_cast<int>(DeoptimizeKind::kLazy) ==
                    static_cast<int>(kLastDeoptimizeKind),
                "lazy deopts are expected to be emitted last");
  // from_ is the value of the link register after the call to the
  // deoptimizer, so for the last lazy deopt, from_ points to the first
  // non-lazy deopt, so we use <=, similarly for the last non-lazy deopt and
  // the first deopt with resume entry.
  if (from_ <= lazy_deopt_start) {
    DCHECK_EQ(kind, DeoptimizeKind::kEager);
    int offset = static_cast<int>(from_ - kEagerDeoptExitSize - deopt_start);
    DCHECK_EQ(0, offset % kEagerDeoptExitSize);
    deopt_exit_index_ = offset / kEagerDeoptExitSize;
  } else {
    DCHECK_EQ(kind, DeoptimizeKind::kLazy);
    int offset =
        static_cast<int>(from_ - kLazyDeoptExitSize - lazy_deopt_start);
    DCHECK_EQ(0, offset % kLazyDeoptExitSize);
    deopt_exit_index_ = eager_deopt_count + (offset / kLazyDeoptExitSize);
  }
}
 
DirectHandle<JSFunction> Deoptimizer::function() const {
  return DirectHandle<JSFunction>(function_, isolate());
}
 
DirectHandle<Code> Deoptimizer::compiled_code() const {
  return DirectHandle<Code>(compiled_code_, isolate());
}
 
Deoptimizer::~Deoptimizer() {
  DCHECK(input_ == nullptr && output_ == nullptr);
#ifdef V8_ENABLE_CET_SHADOW_STACK
  DCHECK_NULL(shadow_stack_);
#endif
  DCHECK_NULL(disallow_garbage_collection_);
  delete trace_scope_;
}
 
void Deoptimizer::DeleteFrameDescriptions() {
  delete input_;
  for (int i = 0; i < output_count_; ++i) {
    if (output_[i] != input_) delete output_[i];
  }
  delete[] output_;
  input_ = nullptr;
  output_ = nullptr;
#ifdef V8_ENABLE_CET_SHADOW_STACK
  if (shadow_stack_ != nullptr) {
    delete[] shadow_stack_;
    shadow_stack_ = nullptr;
  }
#endif  // V8_ENABLE_CET_SHADOW_STACK
#ifdef DEBUG
  DCHECK(!AllowGarbageCollection::IsAllowed());
  DCHECK_NOT_NULL(disallow_garbage_collection_);
  delete disallow_garbage_collection_;
  disallow_garbage_collection_ = nullptr;
#endif  // DEBUG
}
 
Builtin Deoptimizer::GetDeoptimizationEntry(DeoptimizeKind kind) {
  switch (kind) {
    case DeoptimizeKind::kEager:
      return Builtin::kDeoptimizationEntry_Eager;
    case DeoptimizeKind::kLazy:
      return Builtin::kDeoptimizationEntry_Lazy;
  }
}
 
namespace {
 
int LookupCatchHandler(Isolate* isolate, TranslatedFrame* translated_frame,
                       int* data_out) {
  switch (translated_frame->kind()) {
    case TranslatedFrame::kUnoptimizedFunction: {
      int bytecode_offset = translated_frame->bytecode_offset().ToInt();
      HandlerTable table(
          translated_frame->raw_shared_info()->GetBytecodeArray(isolate));
      int handler_index = table.LookupHandlerIndexForRange(bytecode_offset);
      if (handler_index == HandlerTable::kNoHandlerFound) return handler_index;
      *data_out = table.GetRangeData(handler_index);
      table.MarkHandlerUsed(handler_index);
      return table.GetRangeHandler(handler_index);
    }
    case TranslatedFrame::kJavaScriptBuiltinContinuationWithCatch: {
      return 0;
    }
    default:
      break;
  }
  return -1;
}
 
}  // namespace
 
void Deoptimizer::TraceDeoptBegin(int optimization_id,
                                  BytecodeOffset bytecode_offset) {
  DCHECK(tracing_enabled());
  FILE* file = trace_scope()->file();
  Deoptimizer::DeoptInfo info = Deoptimizer::GetDeoptInfo();
  PrintF(file, "[bailout (kind: %s, reason: %s): begin. deoptimizing ",
         MessageFor(deopt_kind_), DeoptimizeReasonToString(info.deopt_reason));
  if (IsJSFunction(function_)) {
    ShortPrint(function_, file);
    PrintF(file, ", ");
  }
  ShortPrint(compiled_code_, file);
  PrintF(file,
         ", opt id %d, "
#ifdef DEBUG
         "node id %d, "
#endif  // DEBUG
         "bytecode offset %d, deopt exit %d, FP to SP "
         "delta %d, "
         "caller SP " V8PRIxPTR_FMT ", pc " V8PRIxPTR_FMT "]\n",
         optimization_id,
#ifdef DEBUG
         info.node_id,
#endif  // DEBUG
         bytecode_offset.ToInt(), deopt_exit_index_, fp_to_sp_delta_,
         caller_frame_top_, PointerAuthentication::StripPAC(from_));
  if (verbose_tracing_enabled() && deopt_kind_ != DeoptimizeKind::kLazy) {
    PrintF(file, "            ;;; deoptimize at ");
    OFStream outstr(file);
    info.position.Print(outstr, compiled_code_);
    PrintF(file, "\n");
  }
}
 
void Deoptimizer::TraceDeoptEnd(double deopt_duration) {
  DCHECK(verbose_tracing_enabled());
  PrintF(trace_scope()->file(), "[bailout end. took %0.3f ms]\n",
         deopt_duration);
}
 
// static
void Deoptimizer::TraceMarkForDeoptimization(Isolate* isolate,
                                             Tagged<Code> code,
                                             LazyDeoptimizeReason reason) {
  // `DiscardBaselineCodeVisitor` can discard baseline code for debug purpose,
  // and it may use `MarkForDeoptimization` for interpreting the new stack
  // frame as an interpreter frame, but it does not have deoptimization data.
  if (code->kind() == CodeKind::BASELINE) return;
 
  DCHECK(code->uses_deoptimization_data());
  if (!v8_flags.trace_deopt && !v8_flags.log_deopt) return;
 
  DisallowGarbageCollection no_gc;
  Tagged<DeoptimizationData> deopt_data =
      Cast<DeoptimizationData>(code->deoptimization_data());
  CodeTracer::Scope scope(isolate->GetCodeTracer());
  if (v8_flags.trace_deopt) {
    PrintF(scope.file(), "[marking dependent code ");
    ShortPrint(code, scope.file());
    PrintF(scope.file(), " (");
    ShortPrint(deopt_data->GetSharedFunctionInfo(), scope.file());
    PrintF(") (opt id %d) for deoptimization, reason: %s]\n",
           deopt_data->OptimizationId().value(),
           DeoptimizeReasonToString(reason));
  }
  if (!v8_flags.log_deopt) return;
  no_gc.Release();
  {
    HandleScope handle_scope(isolate);
    PROFILE(isolate,
            CodeDependencyChangeEvent(
                direct_handle(code, isolate),
                direct_handle(deopt_data->GetSharedFunctionInfo(), isolate),
                DeoptimizeReasonToString(reason)));
  }
}
 
// static
void Deoptimizer::TraceEvictFromOptimizedCodeCache(
    Isolate* isolate, Tagged<SharedFunctionInfo> sfi, const char* reason) {
  if (!v8_flags.trace_deopt_verbose) return;
 
  DisallowGarbageCollection no_gc;
  CodeTracer::Scope scope(isolate->GetCodeTracer());
  PrintF(scope.file(),
         "[evicting optimized code marked for deoptimization (%s) for ",
         reason);
  ShortPrint(sfi, scope.file());
  PrintF(scope.file(), "]\n");
}
 
#ifdef DEBUG
// static
void Deoptimizer::TraceFoundActivation(Isolate* isolate,
                                       Tagged<JSFunction> function) {
  if (!v8_flags.trace_deopt_verbose) return;
  CodeTracer::Scope scope(isolate->GetCodeTracer());
  PrintF(scope.file(), "[deoptimizer found activation of function: ");
  function->PrintName(scope.file());
  PrintF(scope.file(), " / %" V8PRIxPTR "]\n", function.ptr());
}
#endif  // DEBUG
 
// static
void Deoptimizer::TraceDeoptAll(Isolate* isolate) {
  if (!v8_flags.trace_deopt_verbose) return;
  CodeTracer::Scope scope(isolate->GetCodeTracer());
  PrintF(scope.file(), "[deoptimize all code in all contexts]\n");
}
 
#if V8_ENABLE_WEBASSEMBLY
namespace {
std::pair<wasm::WasmCode*,
          std::unique_ptr<wasm::LiftoffFrameDescriptionForDeopt>>
CompileWithLiftoffAndGetDeoptInfo(wasm::NativeModule* native_module,
                                  int function_index,
                                  BytecodeOffset deopt_point, bool is_topmost) {
  wasm::CompilationEnv env = wasm::CompilationEnv::ForModule(native_module);
  // We only deopt after the NativeModule is finished, hence wire bytes do not
  // change any more. We can thus hold a non-owning vector here.
  base::Vector<const uint8_t> wire_bytes = native_module->wire_bytes();
  const wasm::WasmFunction* function = &env.module->functions[function_index];
  bool is_shared = env.module->type(function->sig_index).is_shared;
  wasm::FunctionBody body{function->sig, function->code.offset(),
                          wire_bytes.begin() + function->code.offset(),
                          wire_bytes.begin() + function->code.end_offset(),
                          is_shared};
  wasm::WasmCompilationResult result = ExecuteLiftoffCompilation(
      &env, body,
      wasm::LiftoffOptions{}
          .set_func_index(function_index)
          .set_deopt_info_bytecode_offset(deopt_point.ToInt())
          .set_deopt_location_kind(
              is_topmost ? wasm::LocationKindForDeopt::kEagerDeopt
                         : wasm::LocationKindForDeopt::kInlinedCall));
 
  // Replace the optimized code with the unoptimized code in the
  // WasmCodeManager as a deopt was reached.
  wasm::UnpublishedWasmCode compiled_code =
      native_module->AddCompiledCode(result);
  wasm::WasmCodeRefScope code_ref_scope;
  // TODO(mliedtke): This might unoptimize functions because they were inlined
  // into a function that now needs to deopt them while the optimized function
  // might have taken different inlining decisions.
  // TODO(mliedtke): The code cache should also be invalidated.
  wasm::WasmCode* wasm_code = native_module->compilation_state()->PublishCode(
      base::VectorOf(&compiled_code, 1))[0];
  return {wasm_code, std::move(result.liftoff_frame_descriptions)};
}
}  // anonymous namespace
 
FrameDescription* Deoptimizer::DoComputeWasmLiftoffFrame(
    TranslatedFrame& frame, wasm::NativeModule* native_module,
    Tagged<WasmTrustedInstanceData> wasm_trusted_instance, int frame_index,
    std::stack<intptr_t>& shadow_stack) {
  // Given inlined frames where function a calls b, b is considered the topmost
  // because b is on top of the call stack! This is aligned with the names used
  // by the JS deopt.
  const bool is_bottommost = frame_index == 0;
  const bool is_topmost = output_count_ - 1 == frame_index;
  // Recompile the liftoff (unoptimized) wasm code for the input frame.
  // TODO(mliedtke): This recompiles every single function even if it never got
  // optimized and exists as a liftoff variant in the WasmCodeManager as we also
  // need to compute the deopt information. Can we avoid some of the extra work
  // here?
  auto [wasm_code, liftoff_description] = CompileWithLiftoffAndGetDeoptInfo(
      native_module, frame.wasm_function_index(), frame.bytecode_offset(),
      is_topmost);
 
  DCHECK(liftoff_description);
 
  int parameter_stack_slots, return_stack_slots;
  const wasm::FunctionSig* sig =
      native_module->module()->functions[frame.wasm_function_index()].sig;
  GetWasmStackSlotsCounts(sig, &parameter_stack_slots, &return_stack_slots);
 
  // Allocate and populate the FrameDescription describing the output frame.
  const uint32_t output_frame_size = liftoff_description->total_frame_size;
  const uint32_t total_output_frame_size =
      output_frame_size + parameter_stack_slots * kSystemPointerSize +
      CommonFrameConstants::kFixedFrameSizeAboveFp;
 
  if (verbose_tracing_enabled()) {
    std::ostringstream outstream;
    outstream << "  Liftoff stack & register state for function index "
              << frame.wasm_function_index() << ", frame size "
              << output_frame_size << ", total frame size "
              << total_output_frame_size << '\n';
    size_t index = 0;
    for (const wasm::LiftoffVarState& state : liftoff_description->var_state) {
      outstream << "     " << index++ << ": " << state << '\n';
    }
    FILE* file = trace_scope()->file();
    PrintF(file, "%s", outstream.str().c_str());
  }
 
  FrameDescription* output_frame = FrameDescription::Create(
      total_output_frame_size, parameter_stack_slots, isolate());
 
  // Copy the parameter stack slots.
  static_assert(CommonFrameConstants::kFixedFrameSizeAboveFp ==
                2 * kSystemPointerSize);
  uint32_t output_offset = total_output_frame_size;
  // Zero out the incoming parameter slots. This will make sure that tagged
  // values are safely ignored by the gc.
  // Note that zero is clearly not the correct value. Still, liftoff copies
  // all parameters into "its own" stack slots at the beginning and always
  // uses these slots to restore parameters from the stack.
  for (int i = 0; i < parameter_stack_slots; ++i) {
    output_offset -= kSystemPointerSize;
    output_frame->SetFrameSlot(output_offset, 0);
  }
 
  // Calculate top and update previous caller's pc.
  Address top = is_bottommost ? caller_frame_top_ - total_output_frame_size
                              : output_[frame_index - 1]->GetTop() -
                                    total_output_frame_size;
  output_frame->SetTop(top);
  Address pc = wasm_code->instruction_start() + liftoff_description->pc_offset;
  // Sign the PC. Note that for the non-topmost frames the stack pointer at
  // which the PC is stored as the "caller pc" / return address depends on the
  // amount of parameter stack slots of the callee. To simplify the code, we
  // just sign it as if there weren't any parameter stack slots.
  // When building up the next frame we can check and "move" the caller PC by
  // signing it again with the correct stack pointer.
  output_frame->SetPc(PointerAuthentication::SignAndCheckPC(
      isolate(), pc, output_frame->GetTop()));
#ifdef V8_ENABLE_CET_SHADOW_STACK
  if (v8_flags.cet_compatible) {
    if (is_topmost) {
      shadow_stack.push(pc);
    } else {
      shadow_stack.push(wasm_code->instruction_start() +
                        liftoff_description->adapt_shadow_stack_pc_offset);
    }
  }
#endif  // V8_ENABLE_CET_SHADOW_STACK
 
  // Sign the previous frame's PC.
  if (is_bottommost) {
    Address old_context =
        caller_frame_top_ - input_->parameter_count() * kSystemPointerSize;
    Address new_context =
        caller_frame_top_ - parameter_stack_slots * kSystemPointerSize;
    caller_pc_ = PointerAuthentication::MoveSignedPC(isolate(), caller_pc_,
                                                     new_context, old_context);
  } else if (parameter_stack_slots != 0) {
    // The previous frame's PC is stored at a different stack slot, so we need
    // to re-sign the PC for the new context (stack pointer).
    FrameDescription* previous_frame = output_[frame_index - 1];
    Address old_context = previous_frame->GetTop();
    Address new_context =
        old_context - parameter_stack_slots * kSystemPointerSize;
    Address signed_pc = PointerAuthentication::MoveSignedPC(
        isolate(), previous_frame->GetPc(), new_context, old_context);
    previous_frame->SetPc(signed_pc);
  }
 
  // Store the caller PC.
  output_offset -= kSystemPointerSize;
  output_frame->SetFrameSlot(
      output_offset,
      is_bottommost ? caller_pc_ : output_[frame_index - 1]->GetPc());
  // Store the caller frame pointer.
  output_offset -= kSystemPointerSize;
  output_frame->SetFrameSlot(
      output_offset,
      is_bottommost ? caller_fp_ : output_[frame_index - 1]->GetFp());
 
  CHECK_EQ(output_frame_size, output_offset);
  int base_offset = output_frame_size;
 
  // Set trusted instance data on output frame.
  output_frame->SetFrameSlot(
      base_offset - WasmLiftoffFrameConstants::kInstanceDataOffset,
      wasm_trusted_instance.ptr());
  if (liftoff_description->trusted_instance != no_reg) {
    output_frame->SetRegister(liftoff_description->trusted_instance.code(),
                              wasm_trusted_instance.ptr());
  }
 
  DCHECK_GE(translated_state_.frames().size(), 1);
  auto liftoff_iter = liftoff_description->var_state.begin();
  if constexpr (Is64()) {
    // On 32 bit platforms int64s are represented as 2 values on Turbofan.
    // Liftoff on the other hand treats them as 1 value (a register pair).
    CHECK_EQ(liftoff_description->var_state.size(), frame.GetValueCount());
  }
 
  bool int64_lowering_is_low = true;
 
  for (const TranslatedValue& value : frame) {
    bool skip_increase_liftoff_iter = false;
    switch (liftoff_iter->loc()) {
      case wasm::LiftoffVarState::kIntConst:
        if (!Is64() && liftoff_iter->kind() == wasm::ValueKind::kI64) {
          if (int64_lowering_is_low) skip_increase_liftoff_iter = true;
          int64_lowering_is_low = !int64_lowering_is_low;
        }
        break;  // Nothing to be done for constants in liftoff frame.
      case wasm::LiftoffVarState::kRegister:
        if (liftoff_iter->is_gp_reg()) {
          intptr_t reg_value = kZapValue;
          switch (value.kind()) {
            case TranslatedValue::Kind::kInt32:
              // Ensure that the upper half is zeroed out.
              reg_value = static_cast<uint32_t>(value.int32_value());
              break;
            case TranslatedValue::Kind::kTagged:
              reg_value = value.raw_literal().ptr();
              break;
            case TranslatedValue::Kind::kInt64:
              reg_value = value.int64_value();
              break;
            default:
              UNIMPLEMENTED();
          }
          output_frame->SetRegister(liftoff_iter->reg().gp().code(), reg_value);
        } else if (liftoff_iter->is_fp_reg()) {
          switch (value.kind()) {
            case TranslatedValue::Kind::kDouble:
              output_frame->SetDoubleRegister(liftoff_iter->reg().fp().code(),
                                              value.double_value());
              break;
            case TranslatedValue::Kind::kFloat:
              // Liftoff doesn't have a concept of floating point registers.
              // This is an important distinction as e.g. on arm s1 and d1 are
              // two completely distinct registers.
              static_assert(std::is_same_v<decltype(liftoff_iter->reg().fp()),
                                           DoubleRegister>);
              output_frame->SetDoubleRegister(
                  liftoff_iter->reg().fp().code(),
                  Float64::FromBits(value.float_value().get_bits()));
              break;
            case TranslatedValue::Kind::kSimd128:
              output_frame->SetSimd128Register(liftoff_iter->reg().fp().code(),
                                               value.simd_value());
              break;
            default:
              UNIMPLEMENTED();
          }
        } else if (!Is64() && liftoff_iter->is_gp_reg_pair()) {
          intptr_t reg_value = kZapValue;
          switch (value.kind()) {
            case TranslatedValue::Kind::kInt32:
              // Ensure that the upper half is zeroed out.
              reg_value = static_cast<uint32_t>(value.int32_value());
              break;
            case TranslatedValue::Kind::kTagged:
              reg_value = value.raw_literal().ptr();
              break;
            default:
              UNREACHABLE();
          }
          int8_t reg = int64_lowering_is_low
                           ? liftoff_iter->reg().low_gp().code()
                           : liftoff_iter->reg().high_gp().code();
          output_frame->SetRegister(reg, reg_value);
          if (int64_lowering_is_low) skip_increase_liftoff_iter = true;
          int64_lowering_is_low = !int64_lowering_is_low;
        } else if (!Is64() && liftoff_iter->is_fp_reg_pair()) {
          CHECK_EQ(value.kind(), TranslatedValue::Kind::kSimd128);
          Simd128 simd_value = value.simd_value();
          Address val_ptr = reinterpret_cast<Address>(&simd_value);
          output_frame->SetDoubleRegister(
              liftoff_iter->reg().low_fp().code(),
              Float64::FromBits(base::ReadUnalignedValue<uint64_t>(val_ptr)));
          output_frame->SetDoubleRegister(
              liftoff_iter->reg().high_fp().code(),
              Float64::FromBits(base::ReadUnalignedValue<uint64_t>(
                  val_ptr + sizeof(double))));
        } else {
          UNREACHABLE();
        }
        break;
      case wasm::LiftoffVarState::kStack:
#ifdef V8_TARGET_BIG_ENDIAN
        static constexpr int kLiftoffStackBias = 4;
#else
        static constexpr int kLiftoffStackBias = 0;
#endif
        switch (liftoff_iter->kind()) {
          case wasm::ValueKind::kI32:
            CHECK(value.kind() == TranslatedValue::Kind::kInt32 ||
                  value.kind() == TranslatedValue::Kind::kUint32);
            output_frame->SetLiftoffFrameSlot32(
                base_offset - liftoff_iter->offset() + kLiftoffStackBias,
                value.int32_value_);
            break;
          case wasm::ValueKind::kF32:
            CHECK_EQ(value.kind(), TranslatedValue::Kind::kFloat);
            output_frame->SetLiftoffFrameSlot32(
                base_offset - liftoff_iter->offset() + kLiftoffStackBias,
                value.float_value().get_bits());
            break;
          case wasm::ValueKind::kI64:
            if constexpr (Is64()) {
              CHECK(value.kind() == TranslatedValue::Kind::kInt64 ||
                    value.kind() == TranslatedValue::Kind::kUint64);
              output_frame->SetLiftoffFrameSlot64(
                  base_offset - liftoff_iter->offset(), value.int64_value_);
            } else {
              CHECK(value.kind() == TranslatedValue::Kind::kInt32 ||
                    value.kind() == TranslatedValue::Kind::kUint32);
              // TODO(bigendian): Either the offsets or the default for
              // int64_lowering_is_low might have to be swapped.
              if (int64_lowering_is_low) {
                skip_increase_liftoff_iter = true;
                output_frame->SetLiftoffFrameSlot32(
                    base_offset - liftoff_iter->offset(), value.int32_value_);
              } else {
                output_frame->SetLiftoffFrameSlot32(
                    base_offset - liftoff_iter->offset() + sizeof(int32_t),
                    value.int32_value_);
              }
              int64_lowering_is_low = !int64_lowering_is_low;
            }
            break;
          case wasm::ValueKind::kS128: {
            int64x2 values = value.simd_value().to_i64x2();
            const int offset = base_offset - liftoff_iter->offset();
            output_frame->SetLiftoffFrameSlot64(offset, values.val[0]);
            output_frame->SetLiftoffFrameSlot64(offset + sizeof(int64_t),
                                                values.val[1]);
            break;
          }
          case wasm::ValueKind::kF64:
            CHECK_EQ(value.kind(), TranslatedValue::Kind::kDouble);
            output_frame->SetLiftoffFrameSlot64(
                base_offset - liftoff_iter->offset(),
                value.double_value().get_bits());
            break;
          case wasm::ValueKind::kRef:
          case wasm::ValueKind::kRefNull:
            CHECK_EQ(value.kind(), TranslatedValue::Kind::kTagged);
            output_frame->SetLiftoffFrameSlotPointer(
                base_offset - liftoff_iter->offset(), value.raw_literal_.ptr());
            break;
          default:
            UNIMPLEMENTED();
        }
        break;
    }
    DCHECK_IMPLIES(skip_increase_liftoff_iter, !Is64());
    if (!skip_increase_liftoff_iter) {
      ++liftoff_iter;
    }
  }
 
  // Store frame kind.
  uint32_t frame_type_offset =
      base_offset + WasmLiftoffFrameConstants::kFrameTypeOffset;
  output_frame->SetFrameSlot(frame_type_offset,
                             StackFrame::TypeToMarker(StackFrame::WASM));
  // Store feedback vector in stack slot.
  Tagged<FixedArray> module_feedback =
      wasm_trusted_instance->feedback_vectors();
  uint32_t feedback_offset =
      base_offset - WasmLiftoffFrameConstants::kFeedbackVectorOffset;
  uint32_t fct_feedback_index = wasm::declared_function_index(
      native_module->module(), frame.wasm_function_index());
  CHECK_LT(fct_feedback_index, module_feedback->length());
  Tagged<Object> feedback_vector = module_feedback->get(fct_feedback_index);
  if (IsSmi(feedback_vector)) {
    if (verbose_tracing_enabled()) {
      PrintF(trace_scope()->file(),
             "Deopt with uninitialized feedback vector for function %s [%d]\n",
             wasm_code->DebugName().c_str(), frame.wasm_function_index());
    }
    // Not having a feedback vector can happen with multiple instantiations of
    // the same module as the type feedback is separate per instance but the
    // code is shared (even cross-isolate).
    // Note that we cannot allocate the feedback vector here. Instead, store
    // the function index, so that the feedback vector can be populated by the
    // deopt finish builtin called from Liftoff.
    output_frame->SetFrameSlot(feedback_offset,
                               Smi::FromInt(fct_feedback_index).ptr());
  } else {
    output_frame->SetFrameSlot(feedback_offset, feedback_vector.ptr());
  }
 
  // Instead of a builtin continuation for wasm the deopt builtin will
  // call a c function to destroy the Deoptimizer object and then directly
  // return to the liftoff code.
  output_frame->SetContinuation(0);
 
  const intptr_t fp_value = top + output_frame_size;
  output_frame->SetFp(fp_value);
  Register fp_reg = JavaScriptFrame::fp_register();
  output_frame->SetRegister(fp_reg.code(), fp_value);
  output_frame->SetRegister(kRootRegister.code(), isolate()->isolate_root());
#ifdef V8_COMPRESS_POINTERS
  output_frame->SetRegister(kPtrComprCageBaseRegister.code(),
                            isolate()->cage_base());
#endif
 
  return output_frame;
}
 
// Build up the output frames for a wasm deopt. This creates the
// FrameDescription objects representing the output frames to be "materialized"
// on the stack.
void Deoptimizer::DoComputeOutputFramesWasmImpl() {
  CHECK(v8_flags.wasm_deopt);
  base::ElapsedTimer timer;
  // Lookup the deopt info for the input frame.
  wasm::WasmCode* code = compiled_optimized_wasm_code_;
  DCHECK_NOT_NULL(code);
  DCHECK_EQ(code->kind(), wasm::WasmCode::kWasmFunction);
  wasm::WasmDeoptView deopt_view(code->deopt_data());
  wasm::WasmDeoptEntry deopt_entry =
      deopt_view.GetDeoptEntry(deopt_exit_index_);
 
  if (tracing_enabled()) {
    timer.Start();
    FILE* file = trace_scope()->file();
    PrintF(file,
           "[bailout (kind: %s, reason: %s, type: Wasm): begin. deoptimizing "
           "%s, function index %d, bytecode offset %d, deopt exit %d, FP to SP "
           "delta %d, "
           "pc " V8PRIxPTR_FMT "]\n",
           MessageFor(deopt_kind_),
           DeoptimizeReasonToString(DeoptimizeReason::kWrongCallTarget),
           code->DebugName().c_str(), code->index(),
           deopt_entry.bytecode_offset.ToInt(), deopt_entry.translation_index,
           fp_to_sp_delta_, PointerAuthentication::StripPAC(from_));
  }
 
  base::Vector<const uint8_t> off_heap_translations =
      deopt_view.GetTranslationsArray();
 
  DeoptTranslationIterator state_iterator(off_heap_translations,
                                          deopt_entry.translation_index);
  wasm::NativeModule* native_module = code->native_module();
  int parameter_count = static_cast<int>(
      native_module->module()->functions[code->index()].sig->parameter_count());
  DeoptimizationLiteralProvider literals(
      deopt_view.BuildDeoptimizationLiteralArray());
 
  Register fp_reg = JavaScriptFrame::fp_register();
  stack_fp_ = input_->GetRegister(fp_reg.code());
  Address fp_address = input_->GetFramePointerAddress();
  caller_fp_ = Memory<intptr_t>(fp_address);
  caller_pc_ =
      Memory<intptr_t>(fp_address + CommonFrameConstants::kCallerPCOffset);
  caller_frame_top_ = stack_fp_ + CommonFrameConstants::kFixedFrameSizeAboveFp +
                      input_->parameter_count() * kSystemPointerSize;
 
  FILE* trace_file =
      verbose_tracing_enabled() ? trace_scope()->file() : nullptr;
  translated_state_.Init(isolate_, input_->GetFramePointerAddress(), stack_fp_,
                         &state_iterator, {}, literals,
                         input_->GetRegisterValues(), trace_file,
                         parameter_count, parameter_count);
 
  const size_t output_frames = translated_state_.frames().size();
  CHECK_GT(output_frames, 0);
  output_count_ = static_cast<int>(output_frames);
  output_ = new FrameDescription* [output_frames] {};
 
  // The top output function *should* be the same as the optimized function
  // with the deopt. However, this is not the case in case of inlined return
  // calls. The optimized function still needs to be invalidated.
  if (translated_state_.frames()[0].wasm_function_index() !=
      compiled_optimized_wasm_code_->index()) {
    CompileWithLiftoffAndGetDeoptInfo(native_module,
                                      compiled_optimized_wasm_code_->index(),
                                      deopt_entry.bytecode_offset, false);
  }
 
  // Read the trusted instance data from the input frame.
  Tagged<WasmTrustedInstanceData> wasm_trusted_instance =
      Cast<WasmTrustedInstanceData>((Tagged<Object>(input_->GetFrameSlot(
          input_->GetFrameSize() -
          (2 + input_->parameter_count()) * kSystemPointerSize -
          WasmLiftoffFrameConstants::kInstanceDataOffset))));
 
  std::stack<intptr_t> shadow_stack;
  for (int i = 0; i < output_count_; ++i) {
    TranslatedFrame& frame = translated_state_.frames()[i];
    output_[i] = DoComputeWasmLiftoffFrame(
        frame, native_module, wasm_trusted_instance, i, shadow_stack);
  }
 
#ifdef V8_ENABLE_CET_SHADOW_STACK
  if (v8_flags.cet_compatible) {
    CHECK_EQ(shadow_stack_count_, 0);
    shadow_stack_ = new intptr_t[shadow_stack.size()];
    while (!shadow_stack.empty()) {
      shadow_stack_[shadow_stack_count_++] = shadow_stack.top();
      shadow_stack.pop();
    }
    CHECK_EQ(shadow_stack_count_, output_count_);
  }
#endif  // V8_ENABLE_CET_SHADOW_STACK
 
  {
    // Mark the cached feedback result produced by the
    // TransitiveTypeFeedbackProcessor as outdated.
    // This is required to prevent deopt loops as new feedback is ignored
    // otherwise.
    wasm::TypeFeedbackStorage& feedback =
        native_module->module()->type_feedback;
    base::MutexGuard mutex_guard(&feedback.mutex);
    for (const TranslatedFrame& frame : translated_state_) {
      int index = frame.wasm_function_index();
      auto iter = feedback.feedback_for_function.find(index);
      if (iter != feedback.feedback_for_function.end()) {
        iter->second.needs_reprocessing_after_deopt = true;
      }
    }
    // Reset tierup priority. This is important as the tierup trigger will only
    // be taken into account if the tierup_priority is a power of two (to
    // prevent a hot function being enqueued too many times into the compilation
    // queue.)
    feedback.feedback_for_function[code->index()].tierup_priority = 0;
    // Add sample for how many times this function was deopted.
    isolate()->counters()->wasm_deopts_per_function()->AddSample(
        ++feedback.deopt_count_for_function[code->index()]);
  }
 
  // Reset tiering budget of the function that triggered the deopt.
  int declared_func_index =
      wasm::declared_function_index(native_module->module(), code->index());
  wasm_trusted_instance->tiering_budget_array()[declared_func_index].store(
      v8_flags.wasm_tiering_budget, std::memory_order_relaxed);
 
  isolate()->counters()->wasm_deopts_executed()->AddSample(
      wasm::GetWasmEngine()->IncrementDeoptsExecutedCount());
 
  if (verbose_tracing_enabled()) {
    TraceDeoptEnd(timer.Elapsed().InMillisecondsF());
  }
}
 
void Deoptimizer::GetWasmStackSlotsCounts(const wasm::FunctionSig* sig,
                                          int* parameter_stack_slots,
                                          int* return_stack_slots) {
  class DummyResultCollector {
   public:
    void AddParamAt(size_t index, LinkageLocation location) {}
    void AddReturnAt(size_t index, LinkageLocation location) {}
  } result_collector;
 
  // On 32 bits we need to perform the int64 lowering for the signature.
#if V8_TARGET_ARCH_32_BIT
  if (!alloc_) {
    DCHECK(!zone_);
    alloc_.emplace();
    zone_.emplace(&*alloc_, "deoptimizer i32sig lowering");
  }
  sig = GetI32Sig(&*zone_, sig);
#endif
  int untagged_slots, untagged_return_slots;  // Unused.
  wasm::IterateSignatureImpl(sig, false, result_collector, &untagged_slots,
                             parameter_stack_slots, &untagged_return_slots,
                             return_stack_slots);
}
#endif  // V8_ENABLE_WEBASSEMBLY
 
namespace {
 
bool DeoptimizedMaglevvedCodeEarly(Isolate* isolate,
                                   Tagged<JSFunction> function,
                                   Tagged<Code> code) {
  if (!code->is_maglevved()) return false;
  if (function->GetRequestedOptimizationIfAny(isolate) ==
      CodeKind::TURBOFAN_JS) {
    // We request turbofan after consuming the invocation_count_for_turbofan
    // budget which is greater than
    // invocation_count_for_maglev_with_delay.
    return false;
  }
  int current_invocation_budget =
      function->raw_feedback_cell()->interrupt_budget() /
      function->shared()->GetBytecodeArray(isolate)->length();
  return current_invocation_budget >=
         v8_flags.invocation_count_for_turbofan -
             v8_flags.invocation_count_for_maglev_with_delay;
}
 
}  // namespace
 
// We rely on this function not causing a GC.  It is called from generated code
// without having a real stack frame in place.
void Deoptimizer::DoComputeOutputFrames() {
  // When we call this function, the return address of the previous frame has
  // been removed from the stack by the DeoptimizationEntry builtin, so the
  // stack is not iterable by the StackFrameIteratorForProfiler.
#if V8_TARGET_ARCH_STORES_RETURN_ADDRESS_ON_STACK
  DCHECK_EQ(0, isolate()->isolate_data()->stack_is_iterable());
#endif
  base::ElapsedTimer timer;
 
#if V8_ENABLE_WEBASSEMBLY
  if (v8_flags.wasm_deopt && function_.is_null()) {
    trap_handler::ClearThreadInWasm();
    DoComputeOutputFramesWasmImpl();
    trap_handler::SetThreadInWasm();
    return;
  }
#endif
 
  // Determine basic deoptimization information.  The optimized frame is
  // described by the input data.
  Tagged<DeoptimizationData> input_data =
      Cast<DeoptimizationData>(compiled_code_->deoptimization_data());
 
  {
    // Read caller's PC, caller's FP and caller's constant pool values
    // from input frame. Compute caller's frame top address.
 
    Register fp_reg = JavaScriptFrame::fp_register();
    stack_fp_ = input_->GetRegister(fp_reg.code());
 
    caller_frame_top_ = stack_fp_ + ComputeInputFrameAboveFpFixedSize();
 
    Address fp_address = input_->GetFramePointerAddress();
    caller_fp_ = Memory<intptr_t>(fp_address);
    caller_pc_ =
        Memory<intptr_t>(fp_address + CommonFrameConstants::kCallerPCOffset);
    actual_argument_count_ = static_cast<int>(
        Memory<intptr_t>(fp_address + StandardFrameConstants::kArgCOffset));
 
    if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
      caller_constant_pool_ = Memory<intptr_t>(
          fp_address + CommonFrameConstants::kConstantPoolOffset);
    }
  }
 
  StackGuard* const stack_guard = isolate()->stack_guard();
  CHECK_GT(static_cast<uintptr_t>(caller_frame_top_),
           stack_guard->real_jslimit());
 
  BytecodeOffset bytecode_offset =
      input_data->GetBytecodeOffsetOrBuiltinContinuationId(deopt_exit_index_);
  auto translations = input_data->FrameTranslation();
  unsigned translation_index =
      input_data->TranslationIndex(deopt_exit_index_).value();
 
  if (tracing_enabled()) {
    timer.Start();
    TraceDeoptBegin(input_data->OptimizationId().value(), bytecode_offset);
  }
 
  FILE* trace_file =
      verbose_tracing_enabled() ? trace_scope()->file() : nullptr;
  DeoptimizationFrameTranslation::Iterator state_iterator(translations,
                                                          translation_index);
  DeoptimizationLiteralProvider literals(input_data->LiteralArray());
  translated_state_.Init(isolate_, input_->GetFramePointerAddress(), stack_fp_,
                         &state_iterator, input_data->ProtectedLiteralArray(),
                         literals, input_->GetRegisterValues(), trace_file,
                         compiled_code_->parameter_count_without_receiver(),
                         actual_argument_count_ - kJSArgcReceiverSlots);
 
  bytecode_offset_in_outermost_frame_ =
      translated_state_.frames()[0].bytecode_offset();
 
  // Do the input frame to output frame(s) translation.
  size_t count = translated_state_.frames().size();
  if (is_restart_frame()) {
    // If the debugger requested to restart a particular frame, only materialize
    // up to that frame.
    count = restart_frame_index_ + 1;
  } else if (deoptimizing_throw_) {
    // If we are supposed to go to the catch handler, find the catching frame
    // for the catch and make sure we only deoptimize up to that frame.
    size_t catch_handler_frame_index = count;
    for (size_t i = count; i-- > 0;) {
      catch_handler_pc_offset_ = LookupCatchHandler(
          isolate(), &(translated_state_.frames()[i]), &catch_handler_data_);
      if (catch_handler_pc_offset_ >= 0) {
        catch_handler_frame_index = i;
        break;
      }
    }
    CHECK_LT(catch_handler_frame_index, count);
    count = catch_handler_frame_index + 1;
  }
 
  DCHECK_NULL(output_);
  output_ = new FrameDescription* [count] {};
  output_count_ = static_cast<int>(count);
 
  // Translate each output frame.
  int frame_index = 0;
  size_t total_output_frame_size = 0;
  for (size_t i = 0; i < count; ++i, ++frame_index) {
    TranslatedFrame* translated_frame = &(translated_state_.frames()[i]);
    const bool handle_exception = deoptimizing_throw_ && i == count - 1;
    switch (translated_frame->kind()) {
      case TranslatedFrame::kUnoptimizedFunction:
        DoComputeUnoptimizedFrame(translated_frame, frame_index,
                                  handle_exception);
        break;
      case TranslatedFrame::kInlinedExtraArguments:
        DoComputeInlinedExtraArguments(translated_frame, frame_index);
        break;
      case TranslatedFrame::kConstructCreateStub:
        DoComputeConstructCreateStubFrame(translated_frame, frame_index);
        break;
      case TranslatedFrame::kConstructInvokeStub:
        DoComputeConstructInvokeStubFrame(translated_frame, frame_index);
        break;
      case TranslatedFrame::kBuiltinContinuation:
#if V8_ENABLE_WEBASSEMBLY
      case TranslatedFrame::kJSToWasmBuiltinContinuation:
#endif  // V8_ENABLE_WEBASSEMBLY
        DoComputeBuiltinContinuation(translated_frame, frame_index,
                                     BuiltinContinuationMode::STUB);
        break;
      case TranslatedFrame::kJavaScriptBuiltinContinuation:
        DoComputeBuiltinContinuation(translated_frame, frame_index,
                                     BuiltinContinuationMode::JAVASCRIPT);
        break;
      case TranslatedFrame::kJavaScriptBuiltinContinuationWithCatch:
        DoComputeBuiltinContinuation(
            translated_frame, frame_index,
            handle_exception
                ? BuiltinContinuationMode::JAVASCRIPT_HANDLE_EXCEPTION
                : BuiltinContinuationMode::JAVASCRIPT_WITH_CATCH);
        break;
#if V8_ENABLE_WEBASSEMBLY
      case TranslatedFrame::kWasmInlinedIntoJS:
        FATAL("inlined wasm frames may not appear in JS deopts");
      case TranslatedFrame::kLiftoffFunction:
        FATAL("wasm liftoff frames may not appear in JS deopts");
#endif
      case TranslatedFrame::kInvalid:
        FATAL("invalid frame");
    }
    total_output_frame_size += output_[frame_index]->GetFrameSize();
  }
 
  FrameDescription* topmost = output_[count - 1];
  topmost->GetRegisterValues()->SetRegister(kRootRegister.code(),
                                            isolate()->isolate_root());
#ifdef V8_COMPRESS_POINTERS
  topmost->GetRegisterValues()->SetRegister(kPtrComprCageBaseRegister.code(),
                                            isolate()->cage_base());
#endif
 
#ifdef V8_ENABLE_CET_SHADOW_STACK
  if (v8_flags.cet_compatible) {
    CHECK_EQ(shadow_stack_count_, 0);
    shadow_stack_ = new intptr_t[count + 1];
 
    // We should jump to the continuation through AdaptShadowStack to avoid
    // security exception.
    // Clear the continuation so that DeoptimizationEntry does not push the
    // address onto the stack, and push it to the shadow stack instead.
    if (output_[count - 1]->GetContinuation()) {
      shadow_stack_[shadow_stack_count_++] =
          output_[count - 1]->GetContinuation();
      output_[count - 1]->SetContinuation(0);
    }
 
    // Add topmost frame's pc to the shadow stack.
    shadow_stack_[shadow_stack_count_++] =
        output_[count - 1]->GetPc() -
        Deoptimizer::kAdaptShadowStackOffsetToSubtract;
 
    // Add return addresses to the shadow stack, except for the bottommost.
    // The bottommost frame's return address already exists in the shadow stack.
    for (int i = static_cast<int>(count) - 1; i > 0; i--) {
      if (!output_[i]->HasCallerPc()) continue;
      shadow_stack_[shadow_stack_count_++] =
          output_[i]->GetCallerPc() -
          Deoptimizer::kAdaptShadowStackOffsetToSubtract;
    }
  }
#endif  // V8_ENABLE_CET_SHADOW_STACK
 
  // Don't reset the tiering state for OSR code since we might reuse OSR code
  // after deopt, and we still want to tier up to non-OSR code even if OSR code
  // deoptimized.
  bool osr_early_exit = Deoptimizer::GetDeoptInfo().deopt_reason ==
                        DeoptimizeReason::kOSREarlyExit;
  // TODO(saelo): We have to use full pointer comparisons here while not all
  // Code objects have been migrated into trusted space.
  static_assert(!kAllCodeObjectsLiveInTrustedSpace);
  if (IsJSFunction(function_) &&
      (compiled_code_->osr_offset().IsNone()
           ? function_->code(isolate()).SafeEquals(compiled_code_)
           : (!osr_early_exit &&
              DeoptExitIsInsideOsrLoop(isolate(), function_,
                                       bytecode_offset_in_outermost_frame_,
                                       compiled_code_->osr_offset())))) {
    if (v8_flags.profile_guided_optimization &&
        function_->shared()->cached_tiering_decision() !=
            CachedTieringDecision::kDelayMaglev) {
      if (DeoptimizedMaglevvedCodeEarly(isolate(), function_, compiled_code_)) {
        function_->shared()->set_cached_tiering_decision(
            CachedTieringDecision::kDelayMaglev);
      } else {
        function_->shared()->set_cached_tiering_decision(
            CachedTieringDecision::kNormal);
      }
    }
    function_->ResetTieringRequests();
    // This allows us to quickly re-spawn a new compilation request even if
    // there is already one running. In particular it helps to squeeze in a
    // maglev compilation when there is a long running turbofan one that was
    // started right before the deopt.
    function_->SetTieringInProgress(false);
    function_->SetInterruptBudget(isolate_, BudgetModification::kReset,
                                  CodeKind::INTERPRETED_FUNCTION);
    function_->feedback_vector()->set_was_once_deoptimized();
  }
 
  // Print some helpful diagnostic information.
  if (verbose_tracing_enabled()) {
    TraceDeoptEnd(timer.Elapsed().InMillisecondsF());
  }
 
  // The following invariant is fairly tricky to guarantee, since the size of
  // an optimized frame and its deoptimized counterparts usually differs. We
  // thus need to consider the case in which deoptimized frames are larger than
  // the optimized frame in stack checks in optimized code. We do this by
  // applying an offset to stack checks (see kArchStackPointerGreaterThan in the
  // code generator).
  // Note that we explicitly allow deopts to exceed the limit by a certain
  // number of slack bytes.
  CHECK_GT(
      static_cast<uintptr_t>(caller_frame_top_) - total_output_frame_size,
      stack_guard->real_jslimit() - kStackLimitSlackForDeoptimizationInBytes);
}
 
// static
bool Deoptimizer::DeoptExitIsInsideOsrLoop(Isolate* isolate,
                                           Tagged<JSFunction> function,
                                           BytecodeOffset deopt_exit_offset,
                                           BytecodeOffset osr_offset) {
  DisallowGarbageCollection no_gc;
  HandleScope scope(isolate);
  DCHECK(!deopt_exit_offset.IsNone());
  DCHECK(!osr_offset.IsNone());
 
  Handle<BytecodeArray> bytecode_array(
      function->shared()->GetBytecodeArray(isolate), isolate);
  DCHECK(interpreter::BytecodeArrayIterator::IsValidOffset(
      bytecode_array, deopt_exit_offset.ToInt()));
 
  interpreter::BytecodeArrayIterator it(bytecode_array, osr_offset.ToInt());
  CHECK(it.CurrentBytecodeIsValidOSREntry());
 
  for (; !it.done(); it.Advance()) {
    const int current_offset = it.current_offset();
    // If we've reached the deopt exit, it's contained in the current loop
    // (this is covered by IsInRange below, but this check lets us avoid
    // useless iteration).
    if (current_offset == deopt_exit_offset.ToInt()) return true;
    // We're only interested in loop ranges.
    if (it.current_bytecode() != interpreter::Bytecode::kJumpLoop) continue;
    // Is the deopt exit contained in the current loop?
    if (base::IsInRange(deopt_exit_offset.ToInt(), it.GetJumpTargetOffset(),
                        current_offset)) {
      return true;
    }
    // We've reached nesting level 0, i.e. the current JumpLoop concludes a
    // top-level loop.
    const int loop_nesting_level = it.GetImmediateOperand(1);
    if (loop_nesting_level == 0) return false;
  }
 
  UNREACHABLE();
}
namespace {
 
// Get the dispatch builtin for unoptimized frames.
Builtin DispatchBuiltinFor(bool advance_bc, bool is_restart_frame) {
  if (is_restart_frame) return Builtin::kRestartFrameTrampoline;
 
  return advance_bc ? Builtin::kInterpreterEnterAtNextBytecode
                    : Builtin::kInterpreterEnterAtBytecode;
}
 
}  // namespace
 
void Deoptimizer::DoComputeUnoptimizedFrame(TranslatedFrame* translated_frame,
                                            int frame_index,
                                            bool goto_catch_handler) {
  Tagged<BytecodeArray> bytecode_array = translated_frame->raw_bytecode_array();
  TranslatedFrame::iterator value_iterator = translated_frame->begin();
  const bool is_bottommost = (0 == frame_index);
  const bool is_topmost = (output_count_ - 1 == frame_index);
 
  const int real_bytecode_offset = translated_frame->bytecode_offset().ToInt();
  const int bytecode_offset =
      goto_catch_handler ? catch_handler_pc_offset_ : real_bytecode_offset;
 
  const int parameters_count = bytecode_array->parameter_count();
 
  // If this is the bottom most frame or the previous frame was the inlined
  // extra arguments frame, then we already have extra arguments in the stack
  // (including any extra padding). Therefore we should not try to add any
  // padding.
  bool should_pad_arguments =
      !is_bottommost && (translated_state_.frames()[frame_index - 1]).kind() !=
                            TranslatedFrame::kInlinedExtraArguments;
 
  const int locals_count = translated_frame->height();
  UnoptimizedFrameInfo frame_info = UnoptimizedFrameInfo::Precise(
      parameters_count, locals_count, is_topmost, should_pad_arguments);
  const uint32_t output_frame_size = frame_info.frame_size_in_bytes();
 
  TranslatedFrame::iterator function_iterator = value_iterator++;
 
  std::optional<Tagged<DebugInfo>> debug_info =
      translated_frame->raw_shared_info()->TryGetDebugInfo(isolate());
  if (debug_info.has_value() && debug_info.value()->HasBreakInfo()) {
    // TODO(leszeks): Validate this bytecode.
    bytecode_array = debug_info.value()->DebugBytecodeArray(isolate());
  }
 
  // Allocate and store the output frame description.
  FrameDescription* output_frame =
      FrameDescription::Create(output_frame_size, parameters_count, isolate());
  FrameWriter frame_writer(this, output_frame, verbose_trace_scope());
 
  CHECK(frame_index >= 0 && frame_index < output_count_);
  CHECK_NULL(output_[frame_index]);
  output_[frame_index] = output_frame;
 
  // Compute this frame's PC and state.
  // For interpreted frames, the PC will be a special builtin that
  // continues the bytecode dispatch. Note that non-topmost and lazy-style
  // bailout handlers also advance the bytecode offset before dispatch, hence
  // simulating what normal handlers do upon completion of the operation.
  // For baseline frames, the PC will be a builtin to convert the interpreter
  // frame to a baseline frame before continuing execution of baseline code.
  // We can't directly continue into baseline code, because of CFI.
  Builtins* builtins = isolate_->builtins();
  const bool advance_bc =
      (!is_topmost || (deopt_kind_ == DeoptimizeKind::kLazy)) &&
      !goto_catch_handler;
  const bool restart_frame = goto_catch_handler && is_restart_frame();
  Tagged<Code> dispatch_builtin =
      builtins->code(DispatchBuiltinFor(advance_bc, restart_frame));
 
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope()->file(), "  translating interpreted frame ");
    std::unique_ptr<char[]> name =
        translated_frame->raw_shared_info()->DebugNameCStr();
    PrintF(trace_scope()->file(), "%s", name.get());
    PrintF(trace_scope()->file(), " => bytecode_offset=%d, ",
           real_bytecode_offset);
    PrintF(trace_scope()->file(), "variable_frame_size=%d, frame_size=%d%s\n",
           frame_info.frame_size_in_bytes_without_fixed(), output_frame_size,
           goto_catch_handler ? " (throw)" : "");
  }
 
  // The top address of the frame is computed from the previous frame's top and
  // this frame's size.
  const intptr_t top_address =
      is_bottommost ? caller_frame_top_ - output_frame_size
                    : output_[frame_index - 1]->GetTop() - output_frame_size;
  output_frame->SetTop(top_address);
 
  // Compute the incoming parameter translation.
  ReadOnlyRoots roots(isolate());
  if (should_pad_arguments) {
    for (int i = 0; i < ArgumentPaddingSlots(parameters_count); ++i) {
      frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
    }
  }
 
  if (verbose_tracing_enabled() && is_bottommost &&
      actual_argument_count_ > parameters_count) {
    PrintF(trace_scope_->file(),
           "    -- %d extra argument(s) already in the stack --\n",
           actual_argument_count_ - parameters_count);
  }
  frame_writer.PushStackJSArguments(value_iterator, parameters_count);
 
  DCHECK_EQ(output_frame->GetLastArgumentSlotOffset(should_pad_arguments),
            frame_writer.top_offset());
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope()->file(), "    -------------------------\n");
  }
 
  // There are no translation commands for the caller's pc and fp, the
  // context, the function and the bytecode offset.  Synthesize
  // their values and set them up
  // explicitly.
  //
  // The caller's pc for the bottommost output frame is the same as in the
  // input frame. For all subsequent output frames, it can be read from the
  // previous one. This frame's pc can be computed from the non-optimized
  // function code and bytecode offset of the bailout.
  if (is_bottommost) {
    frame_writer.PushBottommostCallerPc(caller_pc_);
  } else {
    frame_writer.PushApprovedCallerPc(output_[frame_index - 1]->GetPc());
  }
 
  // The caller's frame pointer for the bottommost output frame is the same
  // as in the input frame.  For all subsequent output frames, it can be
  // read from the previous one.  Also compute and set this frame's frame
  // pointer.
  const intptr_t caller_fp =
      is_bottommost ? caller_fp_ : output_[frame_index - 1]->GetFp();
  frame_writer.PushCallerFp(caller_fp);
 
  const intptr_t fp_value = top_address + frame_writer.top_offset();
  output_frame->SetFp(fp_value);
  if (is_topmost) {
    Register fp_reg = UnoptimizedJSFrame::fp_register();
    output_frame->SetRegister(fp_reg.code(), fp_value);
  }
 
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    // For the bottommost output frame the constant pool pointer can be gotten
    // from the input frame. For subsequent output frames, it can be read from
    // the previous frame.
    const intptr_t caller_cp =
        is_bottommost ? caller_constant_pool_
                      : output_[frame_index - 1]->GetConstantPool();
    frame_writer.PushCallerConstantPool(caller_cp);
  }
 
  // For the bottommost output frame the context can be gotten from the input
  // frame. For all subsequent output frames it can be gotten from the function
  // so long as we don't inline functions that need local contexts.
 
  // When deoptimizing into a catch block, we need to take the context
  // from a register that was specified in the handler table.
  TranslatedFrame::iterator context_pos = value_iterator++;
  if (goto_catch_handler) {
    // Skip to the translated value of the register specified
    // in the handler table.
    for (int i = 0; i < catch_handler_data_ + 1; ++i) {
      context_pos++;
    }
  }
  // Read the context from the translations.
  frame_writer.PushTranslatedValue(context_pos, "context");
 
  // The function was mentioned explicitly in the BEGIN_FRAME.
  frame_writer.PushTranslatedValue(function_iterator, "function");
 
  // Actual argument count.
  int argc;
  if (is_bottommost) {
    argc = actual_argument_count_;
  } else {
    TranslatedFrame::Kind previous_frame_kind =
        (translated_state_.frames()[frame_index - 1]).kind();
    argc = previous_frame_kind == TranslatedFrame::kInlinedExtraArguments
               ? output_[frame_index - 1]->parameter_count()
               : parameters_count;
  }
  frame_writer.PushRawValue(argc, "actual argument count\n");
 
  // Set the bytecode array pointer.
  frame_writer.PushRawObject(bytecode_array, "bytecode array\n");
 
  // The bytecode offset was mentioned explicitly in the BEGIN_FRAME.
  const int raw_bytecode_offset =
      BytecodeArray::kHeaderSize - kHeapObjectTag + bytecode_offset;
  Tagged<Smi> smi_bytecode_offset = Smi::FromInt(raw_bytecode_offset);
  frame_writer.PushRawObject(smi_bytecode_offset, "bytecode offset\n");
 
  // We need to materialize the closure before getting the feedback vector.
  frame_writer.PushFeedbackVectorForMaterialization(function_iterator);
 
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope()->file(), "    -------------------------\n");
  }
 
  // Translate the rest of the interpreter registers in the frame.
  // The return_value_offset is counted from the top. Here, we compute the
  // register index (counted from the start).
  const int return_value_first_reg =
      locals_count - translated_frame->return_value_offset();
  const int return_value_count = translated_frame->return_value_count();
  for (int i = 0; i < locals_count; ++i, ++value_iterator) {
    // Ensure we write the return value if we have one and we are returning
    // normally to a lazy deopt point.
    if (is_topmost && !goto_catch_handler &&
        deopt_kind_ == DeoptimizeKind::kLazy && i >= return_value_first_reg &&
        i < return_value_first_reg + return_value_count) {
      const int return_index = i - return_value_first_reg;
      if (return_index == 0) {
        frame_writer.PushRawValue(input_->GetRegister(kReturnRegister0.code()),
                                  "return value 0\n");
        // We do not handle the situation when one return value should go into
        // the accumulator and another one into an ordinary register. Since
        // the interpreter should never create such situation, just assert
        // this does not happen.
        CHECK_LE(return_value_first_reg + return_value_count, locals_count);
      } else {
        CHECK_EQ(return_index, 1);
        frame_writer.PushRawValue(input_->GetRegister(kReturnRegister1.code()),
                                  "return value 1\n");
      }
    } else {
      // This is not return value, just write the value from the translations.
      frame_writer.PushTranslatedValue(value_iterator, "stack parameter");
    }
  }
 
  uint32_t register_slots_written = static_cast<uint32_t>(locals_count);
  DCHECK_LE(register_slots_written, frame_info.register_stack_slot_count());
  // Some architectures must pad the stack frame with extra stack slots
  // to ensure the stack frame is aligned. Do this now.
  while (register_slots_written < frame_info.register_stack_slot_count()) {
    register_slots_written++;
    frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  }
 
  // Translate the accumulator register (depending on frame position).
  if (is_topmost) {
    for (int i = 0; i < ArgumentPaddingSlots(1); ++i) {
      frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
    }
    // For topmost frame, put the accumulator on the stack. The
    // {NotifyDeoptimized} builtin pops it off the topmost frame (possibly
    // after materialization).
    if (goto_catch_handler) {
      // If we are lazy deopting to a catch handler, we set the accumulator to
      // the exception (which lives in the result register).
      intptr_t accumulator_value =
          input_->GetRegister(kInterpreterAccumulatorRegister.code());
      frame_writer.PushRawObject(Tagged<Object>(accumulator_value),
                                 "accumulator\n");
    } else {
      // If we are lazily deoptimizing make sure we store the deopt
      // return value into the appropriate slot.
      if (deopt_kind_ == DeoptimizeKind::kLazy &&
          translated_frame->return_value_offset() == 0 &&
          translated_frame->return_value_count() > 0) {
        CHECK_EQ(translated_frame->return_value_count(), 1);
        frame_writer.PushRawValue(input_->GetRegister(kReturnRegister0.code()),
                                  "return value 0\n");
      } else {
        frame_writer.PushTranslatedValue(value_iterator, "accumulator");
      }
    }
    ++value_iterator;  // Move over the accumulator.
  } else {
    // For non-topmost frames, skip the accumulator translation. For those
    // frames, the return value from the callee will become the accumulator.
    ++value_iterator;
  }
  CHECK_EQ(translated_frame->end(), value_iterator);
  CHECK_EQ(0u, frame_writer.top_offset());
 
  const intptr_t pc =
      static_cast<intptr_t>(dispatch_builtin->instruction_start()) +
      isolate()->heap()->deopt_pc_offset_after_adapt_shadow_stack().value();
  if (is_topmost) {
    // Only the pc of the topmost frame needs to be signed since it is
    // authenticated at the end of the DeoptimizationEntry builtin.
    const intptr_t top_most_pc = PointerAuthentication::SignAndCheckPC(
        isolate(), pc, frame_writer.frame()->GetTop());
    output_frame->SetPc(top_most_pc);
  } else {
    output_frame->SetPc(pc);
  }
 
  // Update constant pool.
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    intptr_t constant_pool_value =
        static_cast<intptr_t>(dispatch_builtin->constant_pool());
    output_frame->SetConstantPool(constant_pool_value);
    if (is_topmost) {
      Register constant_pool_reg =
          UnoptimizedJSFrame::constant_pool_pointer_register();
      output_frame->SetRegister(constant_pool_reg.code(), constant_pool_value);
    }
  }
 
  // Clear the context register. The context might be a de-materialized object
  // and will be materialized by {Runtime_NotifyDeoptimized}. For additional
  // safety we use Tagged<Smi>(0) instead of the potential {arguments_marker}
  // here.
  if (is_topmost) {
    intptr_t context_value = static_cast<intptr_t>(Smi::zero().ptr());
    Register context_reg = JavaScriptFrame::context_register();
    output_frame->SetRegister(context_reg.code(), context_value);
    // Set the continuation for the topmost frame.
    Tagged<Code> continuation = builtins->code(Builtin::kNotifyDeoptimized);
    output_frame->SetContinuation(
        static_cast<intptr_t>(continuation->instruction_start()));
  }
}
 
void Deoptimizer::DoComputeInlinedExtraArguments(
    TranslatedFrame* translated_frame, int frame_index) {
  // Inlined arguments frame can not be the topmost, nor the bottom most frame.
  CHECK(frame_index < output_count_ - 1);
  CHECK_GT(frame_index, 0);
  CHECK_NULL(output_[frame_index]);
 
  // During deoptimization we need push the extra arguments of inlined functions
  // (arguments with index greater than the formal parameter count).
  // For more info, see the design document:
  // https://docs.google.com/document/d/150wGaUREaZI6YWqOQFD5l2mWQXaPbbZjcAIJLOFrzMs
 
  TranslatedFrame::iterator value_iterator = translated_frame->begin();
  const int argument_count_without_receiver = translated_frame->height() - 1;
  const int formal_parameter_count_without_receiver =
      translated_frame->formal_parameter_count() - 1;
  SBXCHECK_GE(formal_parameter_count_without_receiver, 0);
  const int extra_argument_count =
      argument_count_without_receiver - formal_parameter_count_without_receiver;
  // The number of pushed arguments is the maximum of the actual argument count
  // and the formal parameter count + the receiver.
  const int padding =
      ArgumentPaddingSlots(std::max(argument_count_without_receiver,
                                    formal_parameter_count_without_receiver) +
                           1);
  const int output_frame_size =
      (std::max(0, extra_argument_count) + padding) * kSystemPointerSize;
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope_->file(),
           "  translating inlined arguments frame => variable_size=%d\n",
           output_frame_size);
  }
 
  // Allocate and store the output frame description.
  FrameDescription* output_frame = FrameDescription::Create(
      output_frame_size, JSParameterCount(argument_count_without_receiver),
      isolate());
  // The top address of the frame is computed from the previous frame's top and
  // this frame's size.
  const intptr_t top_address =
      output_[frame_index - 1]->GetTop() - output_frame_size;
  output_frame->SetTop(top_address);
  // This is not a real frame, we take PC and FP values from the parent frame.
  output_frame->SetPc(output_[frame_index - 1]->GetPc());
  output_frame->SetFp(output_[frame_index - 1]->GetFp());
  output_[frame_index] = output_frame;
 
  FrameWriter frame_writer(this, output_frame, verbose_trace_scope());
 
  ReadOnlyRoots roots(isolate());
  for (int i = 0; i < padding; ++i) {
    frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  }
 
  if (extra_argument_count > 0) {
    // The receiver and arguments with index below the formal parameter
    // count are in the fake adaptor frame, because they are used to create the
    // arguments object. We should however not push them, since the interpreter
    // frame will do that.
    value_iterator++;  // Skip function.
    value_iterator++;  // Skip receiver.
    for (int i = 0; i < formal_parameter_count_without_receiver; i++)
      value_iterator++;
    frame_writer.PushStackJSArguments(value_iterator, extra_argument_count);
  }
}
 
void Deoptimizer::DoComputeConstructCreateStubFrame(
    TranslatedFrame* translated_frame, int frame_index) {
  TranslatedFrame::iterator value_iterator = translated_frame->begin();
  const bool is_topmost = (output_count_ - 1 == frame_index);
  // The construct frame could become topmost only if we inlined a constructor
  // call which does a tail call (otherwise the tail callee's frame would be
  // the topmost one). So it could only be the DeoptimizeKind::kLazy case.
  CHECK(!is_topmost || deopt_kind_ == DeoptimizeKind::kLazy);
  DCHECK_EQ(translated_frame->kind(), TranslatedFrame::kConstructCreateStub);
 
  const int parameters_count = translated_frame->height();
  ConstructStubFrameInfo frame_info =
      ConstructStubFrameInfo::Precise(parameters_count, is_topmost);
  const uint32_t output_frame_size = frame_info.frame_size_in_bytes();
 
  TranslatedFrame::iterator function_iterator = value_iterator++;
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope()->file(),
           "  translating construct create stub => variable_frame_size=%d, "
           "frame_size=%d\n",
           frame_info.frame_size_in_bytes_without_fixed(), output_frame_size);
  }
 
  // Allocate and store the output frame description.
  FrameDescription* output_frame =
      FrameDescription::Create(output_frame_size, parameters_count, isolate());
  FrameWriter frame_writer(this, output_frame, verbose_trace_scope());
  DCHECK(frame_index > 0 && frame_index < output_count_);
  DCHECK_NULL(output_[frame_index]);
  output_[frame_index] = output_frame;
 
  // The top address of the frame is computed from the previous frame's top and
  // this frame's size.
  const intptr_t top_address =
      output_[frame_index - 1]->GetTop() - output_frame_size;
  output_frame->SetTop(top_address);
 
  ReadOnlyRoots roots(isolate());
  for (int i = 0; i < ArgumentPaddingSlots(parameters_count); ++i) {
    frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  }
 
  // The allocated receiver of a construct stub frame is passed as the
  // receiver parameter through the translation. It might be encoding
  // a captured object, so we need save it for later.
  TranslatedFrame::iterator receiver_iterator = value_iterator;
 
  // Compute the incoming parameter translation.
  frame_writer.PushStackJSArguments(value_iterator, parameters_count);
 
  DCHECK_EQ(output_frame->GetLastArgumentSlotOffset(),
            frame_writer.top_offset());
 
  // Read caller's PC from the previous frame.
  const intptr_t caller_pc = output_[frame_index - 1]->GetPc();
  frame_writer.PushApprovedCallerPc(caller_pc);
 
  // Read caller's FP from the previous frame, and set this frame's FP.
  const intptr_t caller_fp = output_[frame_index - 1]->GetFp();
  frame_writer.PushCallerFp(caller_fp);
 
  const intptr_t fp_value = top_address + frame_writer.top_offset();
  output_frame->SetFp(fp_value);
  if (is_topmost) {
    Register fp_reg = JavaScriptFrame::fp_register();
    output_frame->SetRegister(fp_reg.code(), fp_value);
  }
 
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    // Read the caller's constant pool from the previous frame.
    const intptr_t caller_cp = output_[frame_index - 1]->GetConstantPool();
    frame_writer.PushCallerConstantPool(caller_cp);
  }
 
  // A marker value is used to mark the frame.
  intptr_t marker = StackFrame::TypeToMarker(StackFrame::CONSTRUCT);
  frame_writer.PushRawValue(marker, "context (construct stub sentinel)\n");
 
  frame_writer.PushTranslatedValue(value_iterator++, "context");
 
  // Number of incoming arguments.
  const uint32_t argc = parameters_count;
  frame_writer.PushRawValue(argc, "argc\n");
 
  // The constructor function was mentioned explicitly in the
  // CONSTRUCT_STUB_FRAME.
  frame_writer.PushTranslatedValue(function_iterator, "constructor function\n");
 
  // The deopt info contains the implicit receiver or the new target at the
  // position of the receiver. Copy it to the top of stack, with the hole value
  // as padding to maintain alignment.
  frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  frame_writer.PushTranslatedValue(receiver_iterator, "new target\n");
 
  if (is_topmost) {
    for (int i = 0; i < ArgumentPaddingSlots(1); ++i) {
      frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
    }
    // Ensure the result is restored back when we return to the stub.
    Register result_reg = kReturnRegister0;
    intptr_t result = input_->GetRegister(result_reg.code());
    frame_writer.PushRawValue(result, "subcall result\n");
  }
 
  CHECK_EQ(translated_frame->end(), value_iterator);
  CHECK_EQ(0u, frame_writer.top_offset());
 
  // Compute this frame's PC.
  Tagged<Code> construct_stub =
      isolate_->builtins()->code(Builtin::kJSConstructStubGeneric);
  Address start = construct_stub->instruction_start();
  const int pc_offset =
      isolate_->heap()->construct_stub_create_deopt_pc_offset().value();
  intptr_t pc_value = static_cast<intptr_t>(start + pc_offset);
  if (is_topmost) {
    // Only the pc of the topmost frame needs to be signed since it is
    // authenticated at the end of the DeoptimizationEntry builtin.
    output_frame->SetPc(PointerAuthentication::SignAndCheckPC(
        isolate(), pc_value, frame_writer.frame()->GetTop()));
  } else {
    output_frame->SetPc(pc_value);
  }
 
  // Update constant pool.
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    intptr_t constant_pool_value =
        static_cast<intptr_t>(construct_stub->constant_pool());
    output_frame->SetConstantPool(constant_pool_value);
    if (is_topmost) {
      Register constant_pool_reg =
          JavaScriptFrame::constant_pool_pointer_register();
      output_frame->SetRegister(constant_pool_reg.code(), constant_pool_value);
    }
  }
 
  // Clear the context register. The context might be a de-materialized object
  // and will be materialized by {Runtime_NotifyDeoptimized}. For additional
  // safety we use Tagged<Smi>(0) instead of the potential {arguments_marker}
  // here.
  if (is_topmost) {
    intptr_t context_value = static_cast<intptr_t>(Smi::zero().ptr());
    Register context_reg = JavaScriptFrame::context_register();
    output_frame->SetRegister(context_reg.code(), context_value);
 
    // Set the continuation for the topmost frame.
    DCHECK_EQ(DeoptimizeKind::kLazy, deopt_kind_);
    Tagged<Code> continuation =
        isolate_->builtins()->code(Builtin::kNotifyDeoptimized);
    output_frame->SetContinuation(
        static_cast<intptr_t>(continuation->instruction_start()));
  }
}
 
void Deoptimizer::DoComputeConstructInvokeStubFrame(
    TranslatedFrame* translated_frame, int frame_index) {
  TranslatedFrame::iterator value_iterator = translated_frame->begin();
  const bool is_topmost = (output_count_ - 1 == frame_index);
  // The construct frame could become topmost only if we inlined a constructor
  // call which does a tail call (otherwise the tail callee's frame would be
  // the topmost one). So it could only be the DeoptimizeKind::kLazy case.
  CHECK(!is_topmost || deopt_kind_ == DeoptimizeKind::kLazy);
  DCHECK_EQ(translated_frame->kind(), TranslatedFrame::kConstructInvokeStub);
  DCHECK_EQ(translated_frame->height(), 0);
 
  FastConstructStubFrameInfo frame_info =
      FastConstructStubFrameInfo::Precise(is_topmost);
  const uint32_t output_frame_size = frame_info.frame_size_in_bytes();
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope()->file(),
           "  translating construct invoke stub => variable_frame_size=%d, "
           "frame_size=%d\n",
           frame_info.frame_size_in_bytes_without_fixed(), output_frame_size);
  }
 
  // Allocate and store the output frame description.
  FrameDescription* output_frame =
      FrameDescription::Create(output_frame_size, 0, isolate());
  FrameWriter frame_writer(this, output_frame, verbose_trace_scope());
  DCHECK(frame_index > 0 && frame_index < output_count_);
  DCHECK_NULL(output_[frame_index]);
  output_[frame_index] = output_frame;
 
  // The top address of the frame is computed from the previous frame's top and
  // this frame's size.
  const intptr_t top_address =
      output_[frame_index - 1]->GetTop() - output_frame_size;
  output_frame->SetTop(top_address);
 
  // The allocated receiver of a construct stub frame is passed as the
  // receiver parameter through the translation. It might be encoding
  // a captured object, so we need save it for later.
  TranslatedFrame::iterator receiver_iterator = value_iterator;
  value_iterator++;
 
  // Read caller's PC from the previous frame.
  const intptr_t caller_pc = output_[frame_index - 1]->GetPc();
  frame_writer.PushApprovedCallerPc(caller_pc);
 
  // Read caller's FP from the previous frame, and set this frame's FP.
  const intptr_t caller_fp = output_[frame_index - 1]->GetFp();
  frame_writer.PushCallerFp(caller_fp);
 
  const intptr_t fp_value = top_address + frame_writer.top_offset();
  output_frame->SetFp(fp_value);
  if (is_topmost) {
    Register fp_reg = JavaScriptFrame::fp_register();
    output_frame->SetRegister(fp_reg.code(), fp_value);
  }
 
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    // Read the caller's constant pool from the previous frame.
    const intptr_t caller_cp = output_[frame_index - 1]->GetConstantPool();
    frame_writer.PushCallerConstantPool(caller_cp);
  }
  intptr_t marker = StackFrame::TypeToMarker(StackFrame::FAST_CONSTRUCT);
  frame_writer.PushRawValue(marker, "fast construct stub sentinel\n");
  frame_writer.PushTranslatedValue(value_iterator++, "context");
  frame_writer.PushTranslatedValue(receiver_iterator, "implicit receiver");
 
  // The FastConstructFrame needs to be aligned in some architectures.
  ReadOnlyRoots roots(isolate());
  for (int i = 0; i < ArgumentPaddingSlots(1); ++i) {
    frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  }
 
  if (is_topmost) {
    for (int i = 0; i < ArgumentPaddingSlots(1); ++i) {
      frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
    }
    // Ensure the result is restored back when we return to the stub.
    Register result_reg = kReturnRegister0;
    intptr_t result = input_->GetRegister(result_reg.code());
    frame_writer.PushRawValue(result, "subcall result\n");
  }
 
  CHECK_EQ(translated_frame->end(), value_iterator);
  CHECK_EQ(0u, frame_writer.top_offset());
 
  // Compute this frame's PC.
  Tagged<Code> construct_stub = isolate_->builtins()->code(
      Builtin::kInterpreterPushArgsThenFastConstructFunction);
  Address start = construct_stub->instruction_start();
  const int pc_offset =
      isolate_->heap()->construct_stub_invoke_deopt_pc_offset().value();
  intptr_t pc_value = static_cast<intptr_t>(start + pc_offset);
  if (is_topmost) {
    // Only the pc of the topmost frame needs to be signed since it is
    // authenticated at the end of the DeoptimizationEntry builtin.
    output_frame->SetPc(PointerAuthentication::SignAndCheckPC(
        isolate(), pc_value, frame_writer.frame()->GetTop()));
  } else {
    output_frame->SetPc(pc_value);
  }
 
  // Update constant pool.
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    intptr_t constant_pool_value =
        static_cast<intptr_t>(construct_stub->constant_pool());
    output_frame->SetConstantPool(constant_pool_value);
    if (is_topmost) {
      Register constant_pool_reg =
          JavaScriptFrame::constant_pool_pointer_register();
      output_frame->SetRegister(constant_pool_reg.code(), constant_pool_value);
    }
  }
 
  // Clear the context register. The context might be a de-materialized object
  // and will be materialized by {Runtime_NotifyDeoptimized}. For additional
  // safety we use Tagged<Smi>(0) instead of the potential {arguments_marker}
  // here.
  if (is_topmost) {
    intptr_t context_value = static_cast<intptr_t>(Smi::zero().ptr());
    Register context_reg = JavaScriptFrame::context_register();
    output_frame->SetRegister(context_reg.code(), context_value);
 
    // Set the continuation for the topmost frame.
    DCHECK_EQ(DeoptimizeKind::kLazy, deopt_kind_);
    Tagged<Code> continuation =
        isolate_->builtins()->code(Builtin::kNotifyDeoptimized);
    output_frame->SetContinuation(
        static_cast<intptr_t>(continuation->instruction_start()));
  }
}
 
namespace {
 
bool BuiltinContinuationModeIsJavaScript(BuiltinContinuationMode mode) {
  switch (mode) {
    case BuiltinContinuationMode::STUB:
      return false;
    case BuiltinContinuationMode::JAVASCRIPT:
    case BuiltinContinuationMode::JAVASCRIPT_WITH_CATCH:
    case BuiltinContinuationMode::JAVASCRIPT_HANDLE_EXCEPTION:
      return true;
  }
  UNREACHABLE();
}
 
StackFrame::Type BuiltinContinuationModeToFrameType(
    BuiltinContinuationMode mode) {
  switch (mode) {
    case BuiltinContinuationMode::STUB:
      return StackFrame::BUILTIN_CONTINUATION;
    case BuiltinContinuationMode::JAVASCRIPT:
      return StackFrame::JAVASCRIPT_BUILTIN_CONTINUATION;
    case BuiltinContinuationMode::JAVASCRIPT_WITH_CATCH:
      return StackFrame::JAVASCRIPT_BUILTIN_CONTINUATION_WITH_CATCH;
    case BuiltinContinuationMode::JAVASCRIPT_HANDLE_EXCEPTION:
      return StackFrame::JAVASCRIPT_BUILTIN_CONTINUATION_WITH_CATCH;
  }
  UNREACHABLE();
}
 
}  // namespace
 
Builtin Deoptimizer::TrampolineForBuiltinContinuation(
    BuiltinContinuationMode mode, bool must_handle_result) {
  switch (mode) {
    case BuiltinContinuationMode::STUB:
      return must_handle_result ? Builtin::kContinueToCodeStubBuiltinWithResult
                                : Builtin::kContinueToCodeStubBuiltin;
    case BuiltinContinuationMode::JAVASCRIPT:
    case BuiltinContinuationMode::JAVASCRIPT_WITH_CATCH:
    case BuiltinContinuationMode::JAVASCRIPT_HANDLE_EXCEPTION:
      return must_handle_result
                 ? Builtin::kContinueToJavaScriptBuiltinWithResult
                 : Builtin::kContinueToJavaScriptBuiltin;
  }
  UNREACHABLE();
}
 
#if V8_ENABLE_WEBASSEMBLY
TranslatedValue Deoptimizer::TranslatedValueForWasmReturnKind(
    std::optional<wasm::ValueKind> wasm_call_return_kind) {
  if (wasm_call_return_kind) {
    switch (wasm_call_return_kind.value()) {
      case wasm::kI32:
        return TranslatedValue::NewInt32(
            &translated_state_,
            static_cast<int32_t>(input_->GetRegister(kReturnRegister0.code())));
      case wasm::kI64:
        return TranslatedValue::NewInt64ToBigInt(
            &translated_state_,
            static_cast<int64_t>(input_->GetRegister(kReturnRegister0.code())));
      case wasm::kF32:
        return TranslatedValue::NewFloat(
            &translated_state_,
            Float32(*reinterpret_cast<float*>(
                input_->GetDoubleRegister(wasm::kFpReturnRegisters[0].code())
                    .get_bits_address())));
      case wasm::kF64:
        return TranslatedValue::NewDouble(
            &translated_state_,
            input_->GetDoubleRegister(wasm::kFpReturnRegisters[0].code()));
      case wasm::kRefNull:
      case wasm::kRef:
        return TranslatedValue::NewTagged(
            &translated_state_,
            Tagged<Object>(input_->GetRegister(kReturnRegister0.code())));
      default:
        UNREACHABLE();
    }
  }
  return TranslatedValue::NewTagged(&translated_state_,
                                    ReadOnlyRoots(isolate()).undefined_value());
}
#endif  // V8_ENABLE_WEBASSEMBLY
 
// BuiltinContinuationFrames capture the machine state that is expected as input
// to a builtin, including both input register values and stack parameters. When
// the frame is reactivated (i.e. the frame below it returns), a
// ContinueToBuiltin stub restores the register state from the frame and tail
// calls to the actual target builtin, making it appear that the stub had been
// directly called by the frame above it. The input values to populate the frame
// are taken from the deopt's FrameState.
//
// Frame translation happens in two modes, EAGER and LAZY. In EAGER mode, all of
// the parameters to the Builtin are explicitly specified in the TurboFan
// FrameState node. In LAZY mode, there is always one fewer parameters specified
// in the FrameState than expected by the Builtin. In that case, construction of
// BuiltinContinuationFrame adds the final missing parameter during
// deoptimization, and that parameter is always on the stack and contains the
// value returned from the callee of the call site triggering the LAZY deopt
// (e.g. rax on x64). This requires that continuation Builtins for LAZY deopts
// must have at least one stack parameter.
//
//                TO
//    |          ....           |
//    +-------------------------+
//    | arg padding (arch dept) |<- at most 1*kSystemPointerSize
//    +-------------------------+
//    |     builtin param 0     |<- FrameState input value n becomes
//    +-------------------------+
//    |           ...           |
//    +-------------------------+
//    |     builtin param m     |<- FrameState input value n+m-1, or in
//    +-----needs-alignment-----+   the LAZY case, return LAZY result value
//    | ContinueToBuiltin entry |
//    +-------------------------+
// |  |    saved frame (FP)     |
// |  +=====needs=alignment=====+<- fpreg
// |  |constant pool (if ool_cp)|
// v  +-------------------------+
//    |BUILTIN_CONTINUATION mark|
//    +-------------------------+
//    |  JSFunction (or zero)   |<- only if JavaScript builtin
//    +-------------------------+
//    |  frame height above FP  |
//    +-------------------------+
//    |         context         |<- this non-standard context slot contains
//    +-------------------------+   the context, even for non-JS builtins.
//    |      builtin index      |
//    +-------------------------+
//    | builtin input GPR reg0  |<- populated from deopt FrameState using
//    +-------------------------+   the builtin's CallInterfaceDescriptor
//    |          ...            |   to map a FrameState's 0..n-1 inputs to
//    +-------------------------+   the builtin's n input register params.
//    | builtin input GPR regn  |
//    +-------------------------+
//    | reg padding (arch dept) |
//    +-----needs--alignment----+
//    | res padding (arch dept) |<- only if {is_topmost}; result is pop'd by
//    +-------------------------+<- kNotifyDeopt ASM stub and moved to acc
//    |      result  value      |<- reg, as ContinueToBuiltin stub expects.
//    +-----needs-alignment-----+<- spreg
//
void Deoptimizer::DoComputeBuiltinContinuation(
    TranslatedFrame* translated_frame, int frame_index,
    BuiltinContinuationMode mode) {
  TranslatedFrame::iterator result_iterator = translated_frame->end();
 
  bool is_js_to_wasm_builtin_continuation = false;
#if V8_ENABLE_WEBASSEMBLY
  is_js_to_wasm_builtin_continuation =
      translated_frame->kind() == TranslatedFrame::kJSToWasmBuiltinContinuation;
  if (is_js_to_wasm_builtin_continuation) {
    // For JSToWasmBuiltinContinuations, add a TranslatedValue with the result
    // of the Wasm call, extracted from the input FrameDescription.
    // This TranslatedValue will be written in the output frame in place of the
    // hole and we'll use ContinueToCodeStubBuiltin in place of
    // ContinueToCodeStubBuiltinWithResult.
    TranslatedValue result = TranslatedValueForWasmReturnKind(
        translated_frame->wasm_call_return_kind());
    translated_frame->Add(result);
  }
#endif  // V8_ENABLE_WEBASSEMBLY
 
  TranslatedFrame::iterator value_iterator = translated_frame->begin();
 
  const BytecodeOffset bytecode_offset = translated_frame->bytecode_offset();
  Builtin builtin = Builtins::GetBuiltinFromBytecodeOffset(bytecode_offset);
  CallInterfaceDescriptor continuation_descriptor =
      Builtins::CallInterfaceDescriptorFor(builtin);
 
  const RegisterConfiguration* config = RegisterConfiguration::Default();
 
  const bool is_bottommost = (0 == frame_index);
  const bool is_topmost = (output_count_ - 1 == frame_index);
 
  const int parameters_count = translated_frame->height();
  BuiltinContinuationFrameInfo frame_info =
      BuiltinContinuationFrameInfo::Precise(parameters_count,
                                            continuation_descriptor, config,
                                            is_topmost, deopt_kind_, mode);
 
  const unsigned output_frame_size = frame_info.frame_size_in_bytes();
  const unsigned output_frame_size_above_fp =
      frame_info.frame_size_in_bytes_above_fp();
 
  // Validate types of parameters. They must all be tagged except for argc and
  // the dispatch handle for JS builtins.
  bool has_argc = false;
  const int register_parameter_count =
      continuation_descriptor.GetRegisterParameterCount();
  for (int i = 0; i < register_parameter_count; ++i) {
    MachineType type = continuation_descriptor.GetParameterType(i);
    int code = continuation_descriptor.GetRegisterParameter(i).code();
    // Only tagged and int32 arguments are supported, and int32 only for the
    // arguments count and dispatch handle on JavaScript builtins.
    if (type == MachineType::Int32()) {
      CHECK(code == kJavaScriptCallArgCountRegister.code() ||
            code == kJavaScriptCallDispatchHandleRegister.code());
      has_argc = true;
    } else {
      // Any other argument must be a tagged value.
      CHECK(IsAnyTagged(type.representation()));
    }
  }
  CHECK_EQ(BuiltinContinuationModeIsJavaScript(mode), has_argc);
 
  if (verbose_tracing_enabled()) {
    PrintF(trace_scope()->file(),
           "  translating BuiltinContinuation to %s,"
           " => register_param_count=%d,"
           " stack_param_count=%d, frame_size=%d\n",
           Builtins::name(builtin), register_parameter_count,
           frame_info.stack_parameter_count(), output_frame_size);
  }
 
  FrameDescription* output_frame = FrameDescription::Create(
      output_frame_size, frame_info.stack_parameter_count(), isolate());
  output_[frame_index] = output_frame;
  FrameWriter frame_writer(this, output_frame, verbose_trace_scope());
 
  // The top address of the frame is computed from the previous frame's top and
  // this frame's size.
  const intptr_t top_address =
      is_bottommost ? caller_frame_top_ - output_frame_size
                    : output_[frame_index - 1]->GetTop() - output_frame_size;
  output_frame->SetTop(top_address);
 
  // Get the possible JSFunction for the case that this is a
  // JavaScriptBuiltinContinuationFrame, which needs the JSFunction pointer
  // like a normal JavaScriptFrame.
  const intptr_t maybe_function = value_iterator->GetRawValue().ptr();
  ++value_iterator;
 
  ReadOnlyRoots roots(isolate());
  const int padding = ArgumentPaddingSlots(frame_info.stack_parameter_count());
  for (int i = 0; i < padding; ++i) {
    frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  }
 
  if (mode == BuiltinContinuationMode::STUB) {
    DCHECK_EQ(continuation_descriptor.GetStackArgumentOrder(),
              StackArgumentOrder::kDefault);
    for (uint32_t i = 0; i < frame_info.translated_stack_parameter_count();
         ++i, ++value_iterator) {
      frame_writer.PushTranslatedValue(value_iterator, "stack parameter");
    }
    if (frame_info.frame_has_result_stack_slot()) {
      if (is_js_to_wasm_builtin_continuation) {
        frame_writer.PushTranslatedValue(result_iterator,
                                         "return result on lazy deopt\n");
      } else {
        DCHECK_EQ(result_iterator, translated_frame->end());
        frame_writer.PushRawObject(
            roots.the_hole_value(),
            "placeholder for return result on lazy deopt\n");
      }
    }
  } else {
    // JavaScript builtin.
    if (frame_info.frame_has_result_stack_slot()) {
      frame_writer.PushRawObject(
          roots.the_hole_value(),
          "placeholder for return result on lazy deopt\n");
    }
    switch (mode) {
      case BuiltinContinuationMode::STUB:
        UNREACHABLE();
      case BuiltinContinuationMode::JAVASCRIPT:
        break;
      case BuiltinContinuationMode::JAVASCRIPT_WITH_CATCH: {
        frame_writer.PushRawObject(roots.the_hole_value(),
                                   "placeholder for exception on lazy deopt\n");
      } break;
      case BuiltinContinuationMode::JAVASCRIPT_HANDLE_EXCEPTION: {
        intptr_t accumulator_value =
            input_->GetRegister(kInterpreterAccumulatorRegister.code());
        frame_writer.PushRawObject(Tagged<Object>(accumulator_value),
                                   "exception (from accumulator)\n");
      } break;
    }
    frame_writer.PushStackJSArguments(
        value_iterator, frame_info.translated_stack_parameter_count());
  }
 
  DCHECK_EQ(output_frame->GetLastArgumentSlotOffset(),
            frame_writer.top_offset());
 
  std::vector<TranslatedFrame::iterator> register_values;
  int total_registers = config->num_general_registers();
  register_values.resize(total_registers, {value_iterator});
 
  for (int i = 0; i < register_parameter_count; ++i, ++value_iterator) {
    int code = continuation_descriptor.GetRegisterParameter(i).code();
    register_values[code] = value_iterator;
  }
 
  // The context register is always implicit in the CallInterfaceDescriptor but
  // its register must be explicitly set when continuing to the builtin. Make
  // sure that it's harvested from the translation and copied into the register
  // set (it was automatically added at the end of the FrameState by the
  // instruction selector).
  Tagged<Object> context = value_iterator->GetRawValue();
  const intptr_t value = context.ptr();
  TranslatedFrame::iterator context_register_value = value_iterator++;
  register_values[kContextRegister.code()] = context_register_value;
  output_frame->SetRegister(kContextRegister.code(), value);
 
  // Set caller's PC (JSFunction continuation).
  if (is_bottommost) {
    frame_writer.PushBottommostCallerPc(caller_pc_);
  } else {
    frame_writer.PushApprovedCallerPc(output_[frame_index - 1]->GetPc());
  }
 
  // Read caller's FP from the previous frame, and set this frame's FP.
  const intptr_t caller_fp =
      is_bottommost ? caller_fp_ : output_[frame_index - 1]->GetFp();
  frame_writer.PushCallerFp(caller_fp);
 
  const intptr_t fp_value = top_address + frame_writer.top_offset();
  output_frame->SetFp(fp_value);
 
  DCHECK_EQ(output_frame_size_above_fp, frame_writer.top_offset());
 
  if (V8_EMBEDDED_CONSTANT_POOL_BOOL) {
    // Read the caller's constant pool from the previous frame.
    const intptr_t caller_cp =
        is_bottommost ? caller_constant_pool_
                      : output_[frame_index - 1]->GetConstantPool();
    frame_writer.PushCallerConstantPool(caller_cp);
  }
 
  // A marker value is used in place of the context.
  const intptr_t marker =
      StackFrame::TypeToMarker(BuiltinContinuationModeToFrameType(mode));
  frame_writer.PushRawValue(marker,
                            "context (builtin continuation sentinel)\n");
 
  if (BuiltinContinuationModeIsJavaScript(mode)) {
    frame_writer.PushRawValue(maybe_function, "JSFunction\n");
  } else {
    frame_writer.PushRawValue(0, "unused\n");
  }
 
  // The delta from the SP to the FP; used to reconstruct SP in
  // Isolate::UnwindAndFindHandler.
  frame_writer.PushRawObject(Smi::FromInt(output_frame_size_above_fp),
                             "frame height at deoptimization\n");
 
  // The context even if this is a stub continuation frame. We can't use the
  // usual context slot, because we must store the frame marker there.
  frame_writer.PushTranslatedValue(context_register_value,
                                   "builtin JavaScript context\n");
 
  // The builtin to continue to.
  frame_writer.PushRawObject(Smi::FromInt(static_cast<int>(builtin)),
                             "builtin index\n");
 
  const int allocatable_register_count =
      config->num_allocatable_general_registers();
  for (int i = 0; i < allocatable_register_count; ++i) {
    int code = config->GetAllocatableGeneralCode(i);
    base::ScopedVector<char> str(128);
    if (verbose_tracing_enabled()) {
      if (BuiltinContinuationModeIsJavaScript(mode) &&
          code == kJavaScriptCallArgCountRegister.code()) {
        SNPrintF(
            str,
            "tagged argument count %s (will be untagged by continuation)\n",
            RegisterName(Register::from_code(code)));
      } else {
        SNPrintF(str, "builtin register argument %s\n",
                 RegisterName(Register::from_code(code)));
      }
    }
    frame_writer.PushTranslatedValue(
        register_values[code], verbose_tracing_enabled() ? str.begin() : "");
  }
 
  // Some architectures must pad the stack frame with extra stack slots
  // to ensure the stack frame is aligned.
  const int padding_slot_count =
      BuiltinContinuationFrameConstants::PaddingSlotCount(
          allocatable_register_count);
  for (int i = 0; i < padding_slot_count; ++i) {
    frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
  }
 
  if (is_topmost) {
    for (int i = 0; i < ArgumentPaddingSlots(1); ++i) {
      frame_writer.PushRawObject(roots.the_hole_value(), "padding\n");
    }
 
    // Ensure the result is restored back when we return to the stub.
    // For JS-to-Wasm builtin continuations the returns are handled differently
    // and we can't push untagged return values onto the stack as they would be
    // visited during a GC and treated as tagged stack slots.
    if (frame_info.frame_has_result_stack_slot() &&
        !is_js_to_wasm_builtin_continuation) {
      Register result_reg = kReturnRegister0;
      frame_writer.PushRawValue(input_->GetRegister(result_reg.code()),
                                "callback result\n");
    } else {
      frame_writer.PushRawObject(roots.undefined_value(), "callback result\n");
    }
  }
 
  CHECK_EQ(result_iterator, value_iterator);
  CHECK_EQ(0u, frame_writer.top_offset());
 
  // Clear the context register. The context might be a de-materialized object
  // and will be materialized by {Runtime_NotifyDeoptimized}. For additional
  // safety we use Tagged<Smi>(0) instead of the potential {arguments_marker}
  // here.
  if (is_topmost) {
    intptr_t context_value = static_cast<intptr_t>(Smi::zero().ptr());
    Register context_reg = JavaScriptFrame::context_register();
    output_frame->SetRegister(context_reg.code(), context_value);
  }
 
  // Ensure the frame pointer register points to the callee's frame. The builtin
  // will build its own frame once we continue to it.
  Register fp_reg = JavaScriptFrame::fp_register();
  output_frame->SetRegister(fp_reg.code(), fp_value);
  // For JSToWasmBuiltinContinuations use ContinueToCodeStubBuiltin, and not
  // ContinueToCodeStubBuiltinWithResult because we don't want to overwrite the
  // return value that we have already set.
  Tagged<Code> continue_to_builtin =
      isolate()->builtins()->code(TrampolineForBuiltinContinuation(
          mode, frame_info.frame_has_result_stack_slot() &&
                    !is_js_to_wasm_builtin_continuation));
  intptr_t pc =
      static_cast<intptr_t>(continue_to_builtin->instruction_start()) +
      isolate()->heap()->deopt_pc_offset_after_adapt_shadow_stack().value();
  if (is_topmost) {
    // Only the pc of the topmost frame needs to be signed since it is
    // authenticated at the end of the DeoptimizationEntry builtin.
    const intptr_t top_most_pc = PointerAuthentication::SignAndCheckPC(
        isolate(), pc, frame_writer.frame()->GetTop());
    output_frame->SetPc(top_most_pc);
  } else {
    output_frame->SetPc(pc);
  }
 
  Tagged<Code> continuation =
      isolate()->builtins()->code(Builtin::kNotifyDeoptimized);
  output_frame->SetContinuation(
      static_cast<intptr_t>(continuation->instruction_start()));
}
 
void Deoptimizer::MaterializeHeapObjects() {
  translated_state_.Prepare(static_cast<Address>(stack_fp_));
  if (v8_flags.deopt_every_n_times > 0) {
    // Doing a GC here will find problems with the deoptimized frames.
    isolate_->heap()->CollectAllGarbage(GCFlag::kNoFlags,
                                        GarbageCollectionReason::kTesting);
  }
 
  for (auto& materialization : values_to_materialize_) {
    DirectHandle<Object> value = materialization.value_->GetValue();
 
    if (verbose_tracing_enabled()) {
      PrintF(trace_scope()->file(),
             "Materialization [" V8PRIxPTR_FMT "] <- " V8PRIxPTR_FMT " ;  ",
             static_cast<intptr_t>(materialization.output_slot_address_),
             (*value).ptr());
      ShortPrint(*value, trace_scope()->file());
      PrintF(trace_scope()->file(), "\n");
    }
 
    *(reinterpret_cast<Address*>(materialization.output_slot_address_)) =
        (*value).ptr();
  }
 
  for (auto& fbv_materialization : feedback_vector_to_materialize_) {
    DirectHandle<Object> closure = fbv_materialization.value_->GetValue();
    DCHECK(IsJSFunction(*closure));
    Tagged<Object> feedback_vector =
        Cast<JSFunction>(*closure)->raw_feedback_cell()->value();
    CHECK(IsFeedbackVector(feedback_vector));
    *(reinterpret_cast<Address*>(fbv_materialization.output_slot_address_)) =
        feedback_vector.ptr();
  }
 
  translated_state_.VerifyMaterializedObjects();
 
  bool feedback_updated = translated_state_.DoUpdateFeedback();
  if (verbose_tracing_enabled() && feedback_updated) {
    FILE* file = trace_scope()->file();
    Deoptimizer::DeoptInfo info = Deoptimizer::GetDeoptInfo();
    PrintF(file, "Feedback updated from deoptimization at ");
    OFStream outstr(file);
    info.position.Print(outstr, compiled_code_);
    PrintF(file, ", %s\n", DeoptimizeReasonToString(info.deopt_reason));
  }
 
  isolate_->materialized_object_store()->Remove(
      static_cast<Address>(stack_fp_));
}
 
void Deoptimizer::QueueValueForMaterialization(
    Address output_address, Tagged<Object> obj,
    const TranslatedFrame::iterator& iterator) {
  if (obj == ReadOnlyRoots(isolate_).arguments_marker()) {
    values_to_materialize_.push_back({output_address, iterator});
  }
}
 
void Deoptimizer::QueueFeedbackVectorForMaterialization(
    Address output_address, const TranslatedFrame::iterator& iterator) {
  feedback_vector_to_materialize_.push_back({output_address, iterator});
}
 
unsigned Deoptimizer::ComputeInputFrameAboveFpFixedSize() const {
  unsigned fixed_size = CommonFrameConstants::kFixedFrameSizeAboveFp;
  IF_WASM(DCHECK_IMPLIES, function_.is_null(), v8_flags.wasm_deopt);
  DCHECK_IMPLIES(function_.is_null(), compiled_code_->parameter_count() == 0);
  fixed_size += ComputeIncomingArgumentSize(compiled_code_);
  return fixed_size;
}
 
namespace {
 
// Get the actual deopt call PC from the return address of the deopt, which
// points to immediately after the deopt call).
//
// See also the Deoptimizer constructor.
Address GetDeoptCallPCFromReturnPC(Address return_pc, Tagged<Code> code) {
  DCHECK_GT(Deoptimizer::kEagerDeoptExitSize, 0);
  DCHECK_GT(Deoptimizer::kLazyDeoptExitSize, 0);
  Tagged<DeoptimizationData> deopt_data =
      Cast<DeoptimizationData>(code->deoptimization_data());
  Address deopt_start =
      code->instruction_start() + deopt_data->DeoptExitStart().value();
  int eager_deopt_count = deopt_data->EagerDeoptCount().value();
  Address lazy_deopt_start =
      deopt_start + eager_deopt_count * Deoptimizer::kEagerDeoptExitSize;
  // The deoptimization exits are sorted so that lazy deopt exits appear
  // after eager deopts.
  static_assert(static_cast<int>(DeoptimizeKind::kLazy) ==
                    static_cast<int>(kLastDeoptimizeKind),
                "lazy deopts are expected to be emitted last");
  if (return_pc <= lazy_deopt_start) {
    return return_pc - Deoptimizer::kEagerDeoptExitSize;
  } else {
    return return_pc - Deoptimizer::kLazyDeoptExitSize;
  }
}
 
}  // namespace
 
unsigned Deoptimizer::ComputeInputFrameSize() const {
  // The fp-to-sp delta already takes the context, constant pool pointer and the
  // function into account so we have to avoid double counting them.
  unsigned fixed_size_above_fp = ComputeInputFrameAboveFpFixedSize();
  unsigned result = fixed_size_above_fp + fp_to_sp_delta_;
  DCHECK(CodeKindCanDeoptimize(compiled_code_->kind()));
  unsigned stack_slots = compiled_code_->stack_slots();
  if (compiled_code_->is_maglevved() && !deoptimizing_throw_) {
    // Maglev code can deopt in deferred code which has spilled registers across
    // the call. These will be included in the fp_to_sp_delta, but the expected
    // frame size won't include them, so we need to check for less-equal rather
    // than equal. For deoptimizing throws, these will have already been trimmed
    // off.
    CHECK_LE(fixed_size_above_fp + (stack_slots * kSystemPointerSize) -
                 CommonFrameConstants::kFixedFrameSizeAboveFp,
             result);
    // With slow asserts we can check this exactly, by looking up the safepoint.
    if (v8_flags.enable_slow_asserts) {
      Address deopt_call_pc = GetDeoptCallPCFromReturnPC(from_, compiled_code_);
      MaglevSafepointTable table(isolate_, deopt_call_pc, compiled_code_);
      MaglevSafepointEntry safepoint = table.FindEntry(deopt_call_pc);
      unsigned extra_spills = safepoint.num_extra_spill_slots();
      CHECK_EQ(fixed_size_above_fp + (stack_slots * kSystemPointerSize) -
                   CommonFrameConstants::kFixedFrameSizeAboveFp +
                   extra_spills * kSystemPointerSize,
               result);
    }
  } else {
    unsigned outgoing_size = 0;
    CHECK_EQ(fixed_size_above_fp + (stack_slots * kSystemPointerSize) -
                 CommonFrameConstants::kFixedFrameSizeAboveFp + outgoing_size,
             result);
  }
  return result;
}
 
// static
unsigned Deoptimizer::ComputeIncomingArgumentSize(Tagged<Code> code) {
  int parameter_slots = code->parameter_count();
  return parameter_slots * kSystemPointerSize;
}
 
Deoptimizer::DeoptInfo Deoptimizer::GetDeoptInfo(Tagged<Code> code,
                                                 Address pc) {
  CHECK(code->instruction_start() <= pc && pc <= code->instruction_end());
  SourcePosition last_position = SourcePosition::Unknown();
  DeoptimizeReason last_reason = DeoptimizeReason::kUnknown;
  uint32_t last_node_id = 0;
  int last_deopt_id = kNoDeoptimizationId;
  int mask = RelocInfo::ModeMask(RelocInfo::DEOPT_REASON) |
             RelocInfo::ModeMask(RelocInfo::DEOPT_ID) |
             RelocInfo::ModeMask(RelocInfo::DEOPT_SCRIPT_OFFSET) |
             RelocInfo::ModeMask(RelocInfo::DEOPT_INLINING_ID) |
             RelocInfo::ModeMask(RelocInfo::DEOPT_NODE_ID);
  for (RelocIterator it(code, mask); !it.done(); it.next()) {
    RelocInfo* info = it.rinfo();
    if (info->pc() >= pc) break;
    if (info->rmode() == RelocInfo::DEOPT_SCRIPT_OFFSET) {
      int script_offset = static_cast<int>(info->data());
      it.next();
      DCHECK(it.rinfo()->rmode() == RelocInfo::DEOPT_INLINING_ID);
      int inlining_id = static_cast<int>(it.rinfo()->data());
      last_position = SourcePosition(script_offset, inlining_id);
    } else if (info->rmode() == RelocInfo::DEOPT_ID) {
      last_deopt_id = static_cast<int>(info->data());
    } else if (info->rmode() == RelocInfo::DEOPT_REASON) {
      last_reason = static_cast<DeoptimizeReason>(info->data());
    } else if (info->rmode() == RelocInfo::DEOPT_NODE_ID) {
      last_node_id = static_cast<uint32_t>(info->data());
    }
  }
  return DeoptInfo(last_position, last_reason, last_node_id, last_deopt_id);
}
 
}  // namespace internal
}  // namespace v8