[vm/arm64] Refactor leaf runtime call sequence.

Leaf runtime calls a silently clobbering R23 and R25 registers, which
causes bugs when these calls happen from write barriers (which are not
expected to clobber anything outside of R25).

We introduce a special helper class to handle saving and restoring
necessary registers.

The bug originally reported by Joe Lin <[email protected]>
who proposed a fix[1]. This CL builds on top of that fix and tries to
make it more safe by forcing users to use a more strict API.

[1] https://dart-review.googlesource.com/c/sdk/+/162300

TEST=vm/dart/write_barrier_register_clobber_test

Change-Id: I93e0a13a3c4c38ad28210b35750a66e615e3e44a
Cq-Include-Trybots: luci.dart.try:vm-kernel-linux-release-simarm64-try,vm-kernel-precomp-linux-release-simarm64-try
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/162191
Reviewed-by: Martin Kustermann <[email protected]>
Commit-Queue: Vyacheslav Egorov <[email protected]>

Author: mraleph

runtime/tests/vm/dart/write_barrier_register_clobber_test.dart

@@ -0,0 +1,81 @@
+// Copyright (c) 2020, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// This test attempts to verify that write barrier slow path does not
+// clobber any live values.
+
+import 'dart:_internal' show VMInternalsForTesting;
+
+import 'package:expect/expect.dart';
+
+class Old {
+  var f;
+  Old(this.f);
+}
+
+@pragma('vm:never-inline')
+int crashy(int v, List<Old> oldies) {
+  // This test attempts to create a lot of live values which would live across
+  // write barrier invocation so that when write-barrier calls runtime and
+  // clobbers a register this is detected.
+  var young = Object();
+  var len = oldies.length;
+  var i = 0;
+  var v00 = v + 0;
+  var v01 = v + 1;
+  var v02 = v + 2;
+  var v03 = v + 3;
+  var v04 = v + 4;
+  var v05 = v + 5;
+  var v06 = v + 6;
+  var v07 = v + 7;
+  var v08 = v + 8;
+  var v09 = v + 9;
+  var v10 = v + 10;
+  var v11 = v + 11;
+  var v12 = v + 12;
+  var v13 = v + 13;
+  var v14 = v + 14;
+  var v15 = v + 15;
+  var v16 = v + 16;
+  var v17 = v + 17;
+  var v18 = v + 18;
+  var v19 = v + 19;
+  while (i < len) {
+    // Eventually this will overflow store buffer and call runtime to acquire
+    // a new block.
+    oldies[i++].f = young;
+  }
+  return v00 +
+      v01 +
+      v02 +
+      v03 +
+      v04 +
+      v05 +
+      v06 +
+      v07 +
+      v08 +
+      v09 +
+      v10 +
+      v11 +
+      v12 +
+      v13 +
+      v14 +
+      v15 +
+      v16 +
+      v17 +
+      v18 +
+      v19;
+}
+
+void main(List<String> args) {
+  final init = args.contains('impossible') ? 1 : 0;
+  final oldies = List<Old>.generate(100000, (i) => Old(""));
+  VMInternalsForTesting.collectAllGarbage();
+  VMInternalsForTesting.collectAllGarbage();
+  Expect.equals(crashy(init, oldies), 190);
+  for (var o in oldies) {
+    Expect.isTrue(o.f is! String);
+  }
+}

runtime/tests/vm/dart_2/write_barrier_register_clobber_test.dart

@@ -0,0 +1,81 @@
+// Copyright (c) 2020, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// This test attempts to verify that write barrier slow path does not
+// clobber any live values.
+
+import 'dart:_internal' show VMInternalsForTesting;
+
+import 'package:expect/expect.dart';
+
+class Old {
+  var f;
+  Old(this.f);
+}
+
+@pragma('vm:never-inline')
+int crashy(int v, List<Old> oldies) {
+  // This test attempts to create a lot of live values which would live across
+  // write barrier invocation so that when write-barrier calls runtime and
+  // clobbers a register this is detected.
+  var young = Object();
+  var len = oldies.length;
+  var i = 0;
+  var v00 = v + 0;
+  var v01 = v + 1;
+  var v02 = v + 2;
+  var v03 = v + 3;
+  var v04 = v + 4;
+  var v05 = v + 5;
+  var v06 = v + 6;
+  var v07 = v + 7;
+  var v08 = v + 8;
+  var v09 = v + 9;
+  var v10 = v + 10;
+  var v11 = v + 11;
+  var v12 = v + 12;
+  var v13 = v + 13;
+  var v14 = v + 14;
+  var v15 = v + 15;
+  var v16 = v + 16;
+  var v17 = v + 17;
+  var v18 = v + 18;
+  var v19 = v + 19;
+  while (i < len) {
+    // Eventually this will overflow store buffer and call runtime to acquire
+    // a new block.
+    oldies[i++].f = young;
+  }
+  return v00 +
+      v01 +
+      v02 +
+      v03 +
+      v04 +
+      v05 +
+      v06 +
+      v07 +
+      v08 +
+      v09 +
+      v10 +
+      v11 +
+      v12 +
+      v13 +
+      v14 +
+      v15 +
+      v16 +
+      v17 +
+      v18 +
+      v19;
+}
+
+void main(List<String> args) {
+  final init = args.contains('impossible') ? 1 : 0;
+  final oldies = List<Old>.generate(100000, (i) => Old(""));
+  VMInternalsForTesting.collectAllGarbage();
+  VMInternalsForTesting.collectAllGarbage();
+  Expect.equals(crashy(init, oldies), 190);
+  for (var o in oldies) {
+    Expect.isTrue(o.f is! String);
+  }
+}

runtime/vm/compiler/assembler/assembler_arm64.cc

@@ -1485,7 +1485,7 @@ void Assembler::TransitionNativeToGenerated(Register state,
   StoreToOffset(state, THR, target::Thread::exit_through_ffi_offset());
 }
 
-void Assembler::EnterCallRuntimeFrame(intptr_t frame_size) {
+void Assembler::EnterCallRuntimeFrame(intptr_t frame_size, bool is_leaf) {
   Comment("EnterCallRuntimeFrame");
   EnterFrame(0);
   if (!(FLAG_precompiled_mode && FLAG_use_bare_instructions)) {
@@ -1510,19 +1510,30 @@ void Assembler::EnterCallRuntimeFrame(intptr_t frame_size) {
     Push(reg);
   }
 
-  ReserveAlignedFrameSpace(frame_size);
+  if (!is_leaf) {  // Leaf calling sequence aligns the stack itself.
+    ReserveAlignedFrameSpace(frame_size);
+  } else {
+    PushPair(kCallLeafRuntimeCalleeSaveScratch1,
+             kCallLeafRuntimeCalleeSaveScratch2);
+  }
 }
 
-void Assembler::LeaveCallRuntimeFrame() {
+void Assembler::LeaveCallRuntimeFrame(bool is_leaf) {
   // SP might have been modified to reserve space for arguments
   // and ensure proper alignment of the stack frame.
   // We need to restore it before restoring registers.
+  const intptr_t fixed_frame_words_without_pc_and_fp =
+      target::frame_layout.dart_fixed_frame_size - 2;
   const intptr_t kPushedRegistersSize =
-      kDartVolatileCpuRegCount * target::kWordSize +
-      kDartVolatileFpuRegCount * target::kWordSize +
-      (target::frame_layout.dart_fixed_frame_size - 2) *
-          target::kWordSize;  // From EnterStubFrame (excluding PC / FP)
+      kDartVolatileFpuRegCount * sizeof(double) +
+      (kDartVolatileCpuRegCount + (is_leaf ? 2 : 0) +
+       fixed_frame_words_without_pc_and_fp) *
+          target::kWordSize;
   AddImmediate(SP, FP, -kPushedRegistersSize);
+  if (is_leaf) {
+    PopPair(kCallLeafRuntimeCalleeSaveScratch1,
+            kCallLeafRuntimeCalleeSaveScratch2);
+  }
   for (int i = kDartLastVolatileCpuReg; i >= kDartFirstVolatileCpuReg; i--) {
     const Register reg = static_cast<Register>(i);
     Pop(reg);
@@ -1547,6 +1558,37 @@ void Assembler::CallRuntime(const RuntimeEntry& entry,
   entry.Call(this, argument_count);
 }
 
+void Assembler::CallRuntimeScope::Call(intptr_t argument_count) {
+  assembler_->CallRuntime(entry_, argument_count);
+}
+
+Assembler::CallRuntimeScope::~CallRuntimeScope() {
+  if (preserve_registers_) {
+    assembler_->LeaveCallRuntimeFrame(entry_.is_leaf());
+    if (restore_code_reg_) {
+      assembler_->Pop(CODE_REG);
+    }
+  }
+}
+
+Assembler::CallRuntimeScope::CallRuntimeScope(Assembler* assembler,
+                                              const RuntimeEntry& entry,
+                                              intptr_t frame_size,
+                                              bool preserve_registers,
+                                              const Address* caller)
+    : assembler_(assembler),
+      entry_(entry),
+      preserve_registers_(preserve_registers),
+      restore_code_reg_(caller != nullptr) {
+  if (preserve_registers_) {
+    if (caller != nullptr) {
+      assembler_->Push(CODE_REG);
+      assembler_->ldr(CODE_REG, *caller);
+    }
+    assembler_->EnterCallRuntimeFrame(frame_size, entry.is_leaf());
+  }
+}
+
 void Assembler::EnterStubFrame() {
   EnterDartFrame(0);
 }

runtime/vm/compiler/assembler/assembler_arm64.h

@@ -1651,10 +1651,51 @@ class Assembler : public AssemblerBase {
   void EnterOsrFrame(intptr_t extra_size, Register new_pp = kNoRegister);
   void LeaveDartFrame(RestorePP restore_pp = kRestoreCallerPP);
 
-  void EnterCallRuntimeFrame(intptr_t frame_size);
-  void LeaveCallRuntimeFrame();
   void CallRuntime(const RuntimeEntry& entry, intptr_t argument_count);
 
+  // Helper method for performing runtime calls from callers requiring manual
+  // register preservation is required (e.g. outside IL instructions marked
+  // as calling).
+  class CallRuntimeScope : public ValueObject {
+   public:
+    CallRuntimeScope(Assembler* assembler,
+                     const RuntimeEntry& entry,
+                     intptr_t frame_size,
+                     bool preserve_registers = true)
+        : CallRuntimeScope(assembler,
+                           entry,
+                           frame_size,
+                           preserve_registers,
+                           /*caller=*/nullptr) {}
+
+    CallRuntimeScope(Assembler* assembler,
+                     const RuntimeEntry& entry,
+                     intptr_t frame_size,
+                     Address caller,
+                     bool preserve_registers = true)
+        : CallRuntimeScope(assembler,
+                           entry,
+                           frame_size,
+                           preserve_registers,
+                           &caller) {}
+
+    void Call(intptr_t argument_count);
+
+    ~CallRuntimeScope();
+
+   private:
+    CallRuntimeScope(Assembler* assembler,
+                     const RuntimeEntry& entry,
+                     intptr_t frame_size,
+                     bool preserve_registers,
+                     const Address* caller);
+
+    Assembler* const assembler_;
+    const RuntimeEntry& entry_;
+    const bool preserve_registers_;
+    const bool restore_code_reg_;
+  };
+
   // Set up a stub frame so that the stack traversal code can easily identify
   // a stub frame.
   void EnterStubFrame();
@@ -2402,6 +2443,11 @@ class Assembler : public AssemblerBase {
                              CanBeSmi can_be_smi,
                              BarrierFilterMode barrier_filter_mode);
 
+  // Note: leaf call sequence uses some abi callee save registers as scratch
+  // so they should be manually preserved.
+  void EnterCallRuntimeFrame(intptr_t frame_size, bool is_leaf);
+  void LeaveCallRuntimeFrame(bool is_leaf);
+
   friend class dart::FlowGraphCompiler;
   std::function<void(Register reg)> generate_invoke_write_barrier_wrapper_;
   std::function<void()> generate_invoke_array_write_barrier_;

runtime/vm/compiler/runtime_api.cc

@@ -278,6 +278,10 @@ word RuntimeEntry::OffsetFromThread() const {
   return target::Thread::OffsetFromThread(runtime_entry_);
 }
 
+bool RuntimeEntry::is_leaf() const {
+  return runtime_entry_->is_leaf();
+}
+
 namespace target {
 
 const word kOldPageSize = dart::kOldPageSize;

runtime/vm/compiler/runtime_api.h

@@ -233,6 +233,8 @@ class RuntimeEntry : public ValueObject {
 
   word OffsetFromThread() const;
 
+  bool is_leaf() const;
+
  protected:
   RuntimeEntry(const dart::RuntimeEntry* runtime_entry,
                RuntimeEntryCallInternal call)