[vm/compiler] Avoid speculative conversion in ffi Pointer.asTypedList

alexmarkov · Commit Bot · commit e4942db83e2a · 2022-02-01T16:49:56.000Z
On 32-bit ARM in AOT mode Pointer.asTypedList is generated so that there is a LoadField from Pointer.data_field which has kUnboxedFfiIntPtr representation (uint32) and then the value is passed to a StoreInstanceField for TypedDataBase.data_field which has kUnboxedIntPtr representation (int32). As a result, a speculative uint32->int32 IntConverter instruction is inserted by SelectRepresentations pass. AOT doesn't support deoptimization so code generation crashes after retrying without speculative inlining. This change fixes the type incompatibility by loading value with LoadUntagged and then converting it with ConvertUntaggedToUnboxed(kUnboxedIntPtr). TEST=ffi/regress_flutter97301_test Fixes flutter/flutter#97301 Change-Id: I4a00d4ac7978b4775add0ddae510841a2b4cbae0 Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/230956 Reviewed-by: Daco Harkes <dacoharkes@google.com> Reviewed-by: Martin Kustermann <kustermann@google.com> Commit-Queue: Alexander Markov <alexmarkov@google.com>
diff --git a/runtime/vm/compiler/frontend/kernel_to_il.cc b/runtime/vm/compiler/frontend/kernel_to_il.cc
@@ -1582,7 +1582,8 @@ FlowGraph* FlowGraphBuilder::BuildGraphOfRecognizedMethod(
       // Initialize the result's data pointer field.
       body += LoadLocal(typed_data_object);
       body += LoadLocal(arg_pointer);
-      body += LoadNativeField(Slot::Pointer_data_field());
+      body += LoadUntagged(compiler::target::Pointer::data_field_offset());
+      body += ConvertUntaggedToUnboxed(kUnboxedIntPtr);
       body += StoreNativeField(Slot::TypedDataBase_data_field(),
                                StoreInstanceFieldInstr::Kind::kInitializing,
                                kNoStoreBarrier);
diff --git a/tests/ffi/regress_flutter97301_test.dart b/tests/ffi/regress_flutter97301_test.dart
@@ -0,0 +1,21 @@
+// Copyright (c) 2022, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+//
+// Verifies that there are no deoptimizing IntConverter instructions
+// used when converting Pointer to TypedData.
+// Regression test for https://github.com/flutter/flutter/issues/97301.
+
+import "dart:ffi";
+import "package:ffi/ffi.dart";
+
+@pragma("vm:never-inline")
+Pointer<Uint32> foo() => calloc(4);
+
+main() {
+  final Pointer<Uint32> offsetsPtr = foo();
+
+  for (var i = 0; i < 2; i++) {
+    print(offsetsPtr.asTypedList(1));
+  }
+}
diff --git a/tests/ffi_2/regress_flutter97301_test.dart b/tests/ffi_2/regress_flutter97301_test.dart
@@ -0,0 +1,23 @@
+// Copyright (c) 2022, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+//
+// Verifies that there are no deoptimizing IntConverter instructions
+// used when converting Pointer to TypedData.
+// Regression test for https://github.com/flutter/flutter/issues/97301.
+
+// @dart = 2.9
+
+import "dart:ffi";
+import "package:ffi/ffi.dart";
+
+@pragma("vm:never-inline")
+Pointer<Uint32> foo() => calloc(4);
+
+main() {
+  final Pointer<Uint32> offsetsPtr = foo();
+
+  for (var i = 0; i < 2; i++) {
+    print(offsetsPtr.asTypedList(1));
+  }
+}
