[turbofan] Implement the call protocol properly for direct calls.

src/compiler/linkage.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/code-stubs.h"
 #include "src/compiler.h"
 #include "src/compiler/common-operator.h"
 #include "src/compiler/frame.h"
 #include "src/compiler/linkage.h"
 #include "src/compiler/node.h"
@@ skipping 365 matching lines @@
       CallDescriptor::kNeedsFrameState,  // flags
       "lazy-bailout");
 }
 
 
 CallDescriptor* Linkage::GetJSCallDescriptor(Zone* zone, bool is_osr,
                                              int js_parameter_count,
                                              CallDescriptor::Flags flags) {
   const size_t return_count = 1;
   const size_t context_count = 1;
-  const size_t parameter_count = js_parameter_count + context_count;
+  const size_t num_args_count = 1;
+  const size_t parameter_count =
+      js_parameter_count + num_args_count + context_count;
 
   LocationSignature::Builder locations(zone, return_count, parameter_count);
   MachineSignature::Builder types(zone, return_count, parameter_count);
 
   // All JS calls have exactly one return value.
   locations.AddReturn(regloc(kReturnRegister0));
   types.AddReturn(kMachAnyTagged);
 
   // All parameters to JS calls go on the stack.
   for (int i = 0; i < js_parameter_count; i++) {
     int spill_slot_index = i - js_parameter_count;
     locations.AddParam(LinkageLocation::ForCallerFrameSlot(spill_slot_index));
     types.AddParam(kMachAnyTagged);
   }
+
+  // Add JavaScript call argument count.
+  locations.AddParam(regloc(kJavaScriptCallArgCountRegister));
+  types.AddParam(kMachInt32);
+
   // Add context.
   locations.AddParam(regloc(kContextRegister));
   types.AddParam(kMachAnyTagged);
 
   // The target for JS function calls is the JSFunction object.
   MachineType target_type = kMachAnyTagged;
   // TODO(titzer): When entering into an OSR function from unoptimized code,
   // the JSFunction is not in a register, but it is on the stack in an
   // unaddressable spill slot. We hack this in the OSR prologue. Fix.
   LinkageLocation target_loc = regloc(kJSFunctionRegister);
@@ skipping 126 matching lines @@
 }
 
 
 LinkageLocation Linkage::GetOsrValueLocation(int index) const {
   CHECK(incoming_->IsJSFunctionCall());
   int parameter_count = static_cast<int>(incoming_->JSParameterCount() - 1);
   int first_stack_slot = OsrHelper::FirstStackSlotIndex(parameter_count);
 
   if (index == kOsrContextSpillSlotIndex) {
     // Context. Use the parameter location of the context spill slot.
-    // Parameter (arity + 1) is special for the context of the function frame.
-    int context_index = 1 + 1 + parameter_count;  // target + receiver + params
+    // Parameter (arity + 2) is special for the context of the function frame.
+    int context_index =
+        1 + 1 + 1 + parameter_count;  // target + receiver + params + #args
     return incoming_->GetInputLocation(context_index);
   } else if (index >= first_stack_slot) {
     // Local variable stored in this (callee) stack.
     int spill_index =
         index - first_stack_slot + StandardFrameConstants::kFixedSlotCount;
     return LinkageLocation::ForCalleeFrameSlot(spill_index);
   } else {
     // Parameter. Use the assigned location from the incoming call descriptor.
     int parameter_index = 1 + index;  // skip index 0, which is the target.
     return incoming_->GetInputLocation(parameter_index);
   }
 }
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8