[fastcall] Return value after deopt after fast call is undefined

gahaas · V8 LUCI CQ · commit 32a6c8d4eb15 · 2025-06-06T03:04:54.000-07:00
Even if the return type of an API function is `void`, there is still a return value in JavaScript, undefined. This CL hard-codes the return value in the assembly code of the `DeoptimizationEntry_LazyAfterFastCall` builtin. Ideally the return value is handled in a continuation builtin, as suggested in crbug.com/418936518, but that turned out to be more difficult than expected. R=leszeks@chromium.org Bug: 422099361 Change-Id: I2d98deeff6a27b51cff9b312246816982ddd7dd1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6623291 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#100706}
diff --git a/src/builtins/arm/builtins-arm.cc b/src/builtins/arm/builtins-arm.cc
@@ -4840,6 +4840,12 @@ void Builtins::Generate_DeoptimizationEntry_LazyAfterFastCall(
   __ PopAll(kCalleeSaveFPRegisters);
   __ LeaveFrame(StackFrame::BUILTIN);
   __ bind(&no_exception);
+  // Deoptimization expects that the return value of the API call is in the
+  // return register. As we only allow deoptimization if the return type is
+  // void, the return value is always `undefined`.
+  // TODO(crbug.com/418936518): Handle the return value in an actual
+  // deoptimization continuation.
+  __ LoadRoot(kReturnRegister0, RootIndex::kUndefinedValue);
   __ TailCallBuiltin(Builtin::kDeoptimizationEntry_Lazy);
 }
 
diff --git a/src/builtins/arm64/builtins-arm64.cc b/src/builtins/arm64/builtins-arm64.cc
@@ -5436,6 +5436,12 @@ void Builtins::Generate_DeoptimizationEntry_LazyAfterFastCall(
   __ PopAll(kCalleeSaveFPRegisters);
   __ LeaveFrame(StackFrame::INTERNAL);
   __ bind(&no_exception);
+  // Deoptimization expects that the return value of the API call is in the
+  // return register. As we only allow deoptimization if the return type is
+  // void, the return value is always `undefined`.
+  // TODO(crbug.com/418936518): Handle the return value in an actual
+  // deoptimization continuation.
+  __ LoadRoot(kReturnRegister0, RootIndex::kUndefinedValue);
   __ TailCallBuiltin(Builtin::kDeoptimizationEntry_Lazy);
 }
 
diff --git a/src/builtins/ia32/builtins-ia32.cc b/src/builtins/ia32/builtins-ia32.cc
@@ -5330,6 +5330,12 @@ void Builtins::Generate_DeoptimizationEntry_LazyAfterFastCall(
   __ LeaveFrame(StackFrame::INTERNAL);
 
   __ bind(&no_exception);
+  // Deoptimization expects that the return value of the API call is in the
+  // return register. As we only allow deoptimization if the return type is
+  // void, the return value is always `undefined`.
+  // TODO(crbug.com/418936518): Handle the return value in an actual
+  // deoptimization continuation.
+  __ LoadRoot(kReturnRegister0, RootIndex::kUndefinedValue);
   __ TailCallBuiltin(Builtin::kDeoptimizationEntry_Lazy);
 }
 
diff --git a/src/builtins/x64/builtins-x64.cc b/src/builtins/x64/builtins-x64.cc
@@ -5125,6 +5125,14 @@ void Builtins::Generate_DeoptimizationEntry_LazyAfterFastCall(
   __ LeaveFrame(StackFrame::INTERNAL);
 
   __ bind(&no_exception);
+  // LINT.IfChange(DeoptAfterFastCallSetReturnValue)
+  // Deoptimization expects that the return value of the API call is in the
+  // return register. As we only allow deoptimization if the return type is
+  // void, the return value is always `undefined`.
+  // TODO(crbug.com/418936518): Handle the return value in an actual
+  // deoptimization continuation.
+  __ LoadRoot(kReturnRegister0, RootIndex::kUndefinedValue);
+  // LINT.ThenChange()
   __ TailCallBuiltin(Builtin::kDeoptimizationEntry_Lazy);
 }
 
diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
@@ -719,6 +719,7 @@ class FastApiCallReducerAssembler : public JSCallReducerAssembler {
         static_cast<unsigned>(
             function_template_info_.c_functions(broker()).size()));
 
+    // LINT.IfChange
     // TODO(crbug.com/418936518): Support deopt for functions with return value.
     Node* error_message = jsgraph()->SmiConstant(
         static_cast<int>(AbortReason::kUnsupportedDeopt));
@@ -730,6 +731,11 @@ class FastApiCallReducerAssembler : public JSCallReducerAssembler {
             : CreateStubBuiltinContinuationFrameState(
                   jsgraph(), Builtin::kAbort, ContextInput(), &error_message, 1,
                   FrameStateInput(), ContinuationFrameStateMode::LAZY);
+    // The `DeoptimizationEntry_LazyAfterFastCall` builtin currently sets the
+    // return value unconditionally to `undefined`. If a continuation builtin is
+    // set up here, then the entry builtin should not overwrite the return
+    // value.
+    // LINT.ThenChange(/src/builtins/x64/builtins-x64.cc:DeoptAfterFastCallSetReturnValue)
 
     // Callback data value for fast Api calls. Unlike slow Api calls, the fast
     // variant passes callback data directly.
