[vm, ffi] Don't return to [stub] FfiCallbackTrampoline after DLRT_ExitTemporaryIsolate.

rmacnak-google · Commit Queue · commit 06a88023be4b · 2025-03-26T09:34:09.000-07:00
By time we return from DLRT_ExitTemporaryIsolate, VM shutdown may have completed, including deleting the VM isolate heap containing the stub. Instead tail-call to DLRT_ExitTemporaryIsolate, so it may return directly to the foreign caller. TEST=ffi/async_void_function_callbacks_test Bug: #53248 Change-Id: I674ed672ea4a105ad6f72a86f6aedae7db1040dc Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/417963 Reviewed-by: Daco Harkes <dacoharkes@google.com> Commit-Queue: Ryan Macnak <rmacnak@google.com>
diff --git a/runtime/vm/compiler/stub_code_compiler_arm.cc b/runtime/vm/compiler/stub_code_compiler_arm.cc
@@ -442,15 +442,16 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
 
   // Exit the temporary isolate.
   {
-    __ EnterFrame(1 << FP, 0);
-    __ ReserveAlignedFrameSpace(0);
-
     GenerateLoadFfiCallbackMetadataRuntimeFunction(
-        FfiCallbackMetadata::kExitTemporaryIsolate, R4);
+        FfiCallbackMetadata::kExitTemporaryIsolate, R0);
 
-    __ blx(R4);
+    CLOBBERS_LR(__ PopList((1 << LR) | (1 << THR) | (1 << R4) | (1 << R5)));
 
-    __ LeaveFrame(1 << FP);
+    // Tail-call DLRT_ExitTemporaryIsolate. It is not safe to return to this
+    // stub, since it might be deleted once DLRT_ExitTemporaryIsolate proceeds
+    // enough for VM shutdown.
+    __ bx(R0);
+    __ Breakpoint();
   }
 
   __ Bind(&done);
diff --git a/runtime/vm/compiler/stub_code_compiler_arm64.cc b/runtime/vm/compiler/stub_code_compiler_arm64.cc
@@ -620,10 +620,6 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
 
   // Exit the temporary isolate.
   {
-    __ SetupDartSP();
-    __ EnterFrame(0);
-    __ ReserveAlignedFrameSpace(0);
-
 #if defined(DART_TARGET_OS_FUCHSIA)
     // TODO(https://dartbug.com/52579): Remove.
     if (FLAG_precompiled_mode) {
@@ -640,13 +636,15 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
         FfiCallbackMetadata::kExitTemporaryIsolate, R4);
 #endif
 
-    __ mov(CSP, SP);
-    __ blr(R4);
-    __ mov(SP, CSP);
-    __ mov(THR, R0);
+    // Pop LR and THR from the real stack (CSP).
+    CLOBBERS_LR(__ ldp(
+        THR, LR, Address(CSP, 2 * target::kWordSize, Address::PairPostIndex)));
 
-    __ LeaveFrame();
-    __ RestoreCSP();
+    // Tail-call DLRT_ExitTemporaryIsolate. It is not safe to return to this
+    // stub, since it might be deleted once DLRT_ExitTemporaryIsolate proceeds
+    // enough for VM shutdown.
+    __ br(R4);
+    __ brk(0);
   }
 
   __ Bind(&done);
diff --git a/runtime/vm/compiler/stub_code_compiler_ia32.cc b/runtime/vm/compiler/stub_code_compiler_ia32.cc
@@ -349,14 +349,20 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
 
   // Exit the temporary isolate.
   {
-    __ EnterFrame(0);
-    __ ReserveAlignedFrameSpace(0);
+    // Pop the trampoline type into ECX.
+    __ popl(ECX);
+
+    // Restore callee-saved registers.
+    __ popl(EBX);
+    __ popl(THR);
 
+    // Tail-call DLRT_ExitTemporaryIsolate. It is not safe to return to this
+    // stub, since it might be deleted once DLRT_ExitTemporaryIsolate proceeds
+    // enough for VM shutdown.
     __ movl(EAX,
             Immediate(reinterpret_cast<int64_t>(DLRT_ExitTemporaryIsolate)));
-    __ CallCFunction(EAX);
-
-    __ LeaveFrame();
+    __ jmp(EAX);
+    __ int3();
   }
 
   __ Bind(&done);
diff --git a/runtime/vm/compiler/stub_code_compiler_riscv.cc b/runtime/vm/compiler/stub_code_compiler_riscv.cc
@@ -474,16 +474,12 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
 
   // Exit the temporary isolate.
   {
-    __ EnterFrame(0);
-    __ ReserveAlignedFrameSpace(0);
-
-    Label call;
-
 #if defined(DART_TARGET_OS_FUCHSIA)
     // TODO(https://dartbug.com/52579): Remove.
     if (FLAG_precompiled_mode) {
       GenerateLoadBSSEntry(BSS::Relocation::DLRT_ExitTemporaryIsolate, T1, T2);
     } else {
+      Label call;
       const intptr_t kPCRelativeLoadOffset = 12;
       intptr_t start = __ CodeSize();
       __ auipc(T1, 0);
@@ -496,16 +492,20 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
 #else
       __ Emit64(reinterpret_cast<int64_t>(&DLRT_ExitTemporaryIsolate));
 #endif
+      __ Bind(&call);
     }
 #else
     GenerateLoadFfiCallbackMetadataRuntimeFunction(
         FfiCallbackMetadata::kExitTemporaryIsolate, T1);
 #endif  // defined(DART_TARGET_OS_FUCHSIA)
 
-    __ Bind(&call);
-    __ jalr(T1);
+    __ PopRegisterPair(RA, THR);
 
-    __ LeaveFrame();
+    // Tail-call DLRT_ExitTemporaryIsolate. It is not safe to return to this
+    // stub, since it might be deleted once DLRT_ExitTemporaryIsolate proceeds
+    // enough for VM shutdown.
+    __ jr(T1);
+    __ ebreak();
   }
 
   __ Bind(&done);
diff --git a/runtime/vm/compiler/stub_code_compiler_x64.cc b/runtime/vm/compiler/stub_code_compiler_x64.cc
@@ -592,12 +592,14 @@ void StubCodeCompiler::GenerateFfiCallbackTrampolineStub() {
         FfiCallbackMetadata::kExitTemporaryIsolate, RAX);
 #endif  // defined(DART_TARGET_OS_FUCHSIA)
 
-    __ EnterFrame(0);
-    __ ReserveAlignedFrameSpace(0);
-
-    __ CallCFunction(RAX);
-
-    __ LeaveFrame();
+    // Restore THR (callee-saved).
+    __ popq(THR);
+
+    // Tail-call DLRT_ExitTemporaryIsolate. It is not safe to return to this
+    // stub, since it might be deleted once DLRT_ExitTemporaryIsolate proceeds
+    // enough for VM shutdown.
+    __ jmp(RAX);
+    __ int3();
   }
 
   __ Bind(&done);
