[vm] Verify transitions in generated code

The transitions in C++ have asserts which run in debug mode to validate
that the transitions are happening in the right order.

The transitions in the generated code had no equivalent. This CL
introduces the equivalent for the generated code.

The transitions to generated code are misnamed currently. They come
from either VM or Native, not only Native. For example the FFI
callbacks and call return sequence can already transition from native
into the VM when entering the safepoint.

These checks don't catch the invalid FFI callbacks.
Bug: #60021
These are caught when looking up the FFI metadata:
https://dart-review.googlesource.com/c/sdk/+/407023

This CL omits to implement the check in ia32, since ia32 is scheduled
for removal.

The check is only enabled in debug mode. The asserts for the C++ are
also only run in debug mode. And enabling this check in release for
AOT regresses the parent CL benchmark by ~30% on Mac Arm64.

TEST=test/ffi

Change-Id: Ieaf1e43533baae294af37b2e171b68bd314fdbe0
Cq-Include-Trybots: dart/try:vm-aot-android-release-arm64c-try,vm-aot-android-release-arm_x64-try,vm-aot-asan-linux-release-x64-try,vm-aot-linux-debug-x64-try,vm-aot-linux-debug-x64c-try,vm-aot-mac-release-arm64-try,vm-aot-mac-release-x64-try,vm-aot-msan-linux-release-x64-try,vm-aot-obfuscate-linux-release-x64-try,vm-aot-optimization-level-linux-release-x64-try,vm-aot-tsan-linux-release-x64-try,vm-aot-ubsan-linux-release-x64-try,vm-aot-win-debug-arm64-try,vm-aot-win-debug-x64-try,vm-aot-win-debug-x64c-try,vm-appjit-linux-debug-x64-try,vm-asan-linux-release-arm64-try,vm-asan-linux-release-x64-try,vm-checked-mac-release-arm64-try,vm-ffi-android-debug-arm-try,vm-ffi-android-debug-arm64c-try,vm-ffi-qemu-linux-release-arm-try,vm-ffi-qemu-linux-release-riscv64-try,vm-fuchsia-release-arm64-try,vm-fuchsia-release-x64-try,vm-linux-debug-ia32-try,vm-linux-debug-x64-try,vm-linux-debug-x64c-try,vm-mac-debug-arm64-try,vm-mac-debug-x64-try,vm-msan-linux-release-arm64-try,vm-msan-linux-release-x64-try,vm-reload-linux-debug-x64-try,vm-reload-rollback-linux-debug-x64-try,vm-tsan-linux-release-arm64-try,vm-tsan-linux-release-x64-try,vm-ubsan-linux-release-arm64-try,vm-ubsan-linux-release-x64-try,vm-win-debug-arm64-try,vm-win-debug-x64-try,vm-win-debug-x64c-try,vm-win-release-ia32-try
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/407021
Reviewed-by: Liam Appelbe <[email protected]>
Reviewed-by: Slava Egorov <[email protected]>

Author: dcharkes

runtime/vm/compiler/assembler/assembler_arm.cc

@@ -623,6 +623,7 @@ void Assembler::TransitionGeneratedToNative(Register destination_address,
                 target::Thread::exit_through_ffi_offset());
   Register tmp2 = exit_through_ffi;
 
+  VerifyInGenerated(tmp1);
   // Mark that the thread is executing native code.
   StoreToOffset(destination_address, THR, target::Thread::vm_tag_offset());
   LoadImmediate(tmp1, target::Thread::native_execution_state());
@@ -700,6 +701,7 @@ void Assembler::TransitionNativeToGenerated(Register addr,
 #endif
   }
 
+  VerifyNotInGenerated(TMP);
   // Mark that the thread is executing Dart code.
   if (set_tag) {
     LoadImmediate(state, target::Thread::vm_tag_dart_id());
@@ -714,6 +716,32 @@ void Assembler::TransitionNativeToGenerated(Register addr,
   StoreToOffset(state, THR, target::Thread::exit_through_ffi_offset());
 }
 
+void Assembler::VerifyInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in generated.
+  Comment("VerifyInGenerated");
+  ldr(scratch, Address(THR, target::Thread::execution_state_offset()));
+  Label ok;
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  BranchIf(EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
+void Assembler::VerifyNotInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in native or VM.
+  Comment("VerifyNotInGenerated");
+  ldr(scratch, Address(THR, target::Thread::execution_state_offset()));
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  Label ok;
+  BranchIf(NOT_EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
 void Assembler::clrex() {
   int32_t encoding = (kSpecialCondition << kConditionShift) | B26 | B24 | B22 |
                      B21 | B20 | (0xff << 12) | B4 | 0xf;

runtime/vm/compiler/assembler/assembler_arm.h

@@ -623,6 +623,8 @@ class Assembler : public AssemblerBase {
                                    bool exit_safepoint,
                                    bool ignore_unwind_in_progress = false,
                                    bool set_tag = true);
+  void VerifyInGenerated(Register scratch);
+  void VerifyNotInGenerated(Register scratch);
   void EnterFullSafepoint(Register scratch0, Register scratch1);
   void ExitFullSafepoint(Register scratch0,
                          Register scratch1,

runtime/vm/compiler/assembler/assembler_arm64.cc

@@ -1591,6 +1591,7 @@ void Assembler::TransitionGeneratedToNative(Register destination,
                 target::Thread::exit_through_ffi_offset());
   Register tmp = new_exit_through_ffi;
 
+  VerifyInGenerated(tmp);
   // Mark that the thread is executing native code.
   StoreToOffset(destination, THR, target::Thread::vm_tag_offset());
   LoadImmediate(tmp, target::Thread::native_execution_state());
@@ -1680,6 +1681,7 @@ void Assembler::TransitionNativeToGenerated(Register state,
 #endif
   }
 
+  VerifyNotInGenerated(TMP);
   // Mark that the thread is executing Dart code.
   if (set_tag) {
     LoadImmediate(state, target::Thread::vm_tag_dart_id());
@@ -1694,6 +1696,32 @@ void Assembler::TransitionNativeToGenerated(Register state,
   StoreToOffset(state, THR, target::Thread::exit_through_ffi_offset());
 }
 
+void Assembler::VerifyInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in generated.
+  Comment("VerifyInGenerated");
+  ldr(scratch, Address(THR, target::Thread::execution_state_offset()));
+  Label ok;
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  BranchIf(EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
+void Assembler::VerifyNotInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in native or VM.
+  Comment("VerifyNotInGenerated");
+  ldr(scratch, Address(THR, target::Thread::execution_state_offset()));
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  Label ok;
+  BranchIf(NOT_EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
 void Assembler::CallRuntime(const RuntimeEntry& entry,
                             intptr_t argument_count) {
   ASSERT(!entry.is_leaf());

runtime/vm/compiler/assembler/assembler_arm64.h

@@ -2113,6 +2113,8 @@ class Assembler : public AssemblerBase {
                                    bool exit_safepoint,
                                    bool ignore_unwind_in_progress = false,
                                    bool set_tag = true);
+  void VerifyInGenerated(Register scratch);
+  void VerifyNotInGenerated(Register scratch);
   void EnterFullSafepoint(Register scratch);
   void ExitFullSafepoint(Register scratch, bool ignore_unwind_in_progress);
 

runtime/vm/compiler/assembler/assembler_riscv.cc

@@ -4381,6 +4381,12 @@ void Assembler::TransitionGeneratedToNative(Register destination,
      Address(THR, target::Thread::exit_through_ffi_offset()));
   Register tmp = new_exit_through_ffi;
 
+#if defined(DEBUG)
+  ASSERT(T2 != TMP2);
+  mv(T2, TMP2);  // BranchIf in VerifyInGenerated clobbers TMP2.
+  VerifyInGenerated(tmp);
+  mv(TMP2, T2);
+#endif
   // Mark that the thread is executing native code.
   sx(destination, Address(THR, target::Thread::vm_tag_offset()));
   li(tmp, target::Thread::native_execution_state());
@@ -4413,6 +4419,7 @@ void Assembler::TransitionNativeToGenerated(Register state,
 #endif
   }
 
+  VerifyNotInGenerated(state);
   // Mark that the thread is executing Dart code.
   if (set_tag) {
     li(state, target::Thread::vm_tag_dart_id());
@@ -4426,6 +4433,32 @@ void Assembler::TransitionNativeToGenerated(Register state,
   sx(ZR, Address(THR, target::Thread::exit_through_ffi_offset()));
 }
 
+void Assembler::VerifyInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in generated.
+  Comment("VerifyInGenerated");
+  lx(scratch, Address(THR, target::Thread::execution_state_offset()));
+  Label ok;
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  BranchIf(EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
+void Assembler::VerifyNotInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in native or VM.
+  Comment("VerifyNotInGenerated");
+  lx(scratch, Address(THR, target::Thread::execution_state_offset()));
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  Label ok;
+  BranchIf(NOT_EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
 void Assembler::EnterFullSafepoint(Register state) {
   // We generate the same number of instructions whether or not the slow-path is
   // forced. This simplifies GenerateJitCallbackTrampolines.

runtime/vm/compiler/assembler/assembler_riscv.h

@@ -1454,6 +1454,8 @@ class Assembler : public MicroAssembler {
                                    bool exit_safepoint,
                                    bool ignore_unwind_in_progress = false,
                                    bool set_tag = true);
+  void VerifyInGenerated(Register scratch);
+  void VerifyNotInGenerated(Register scratch);
   void EnterFullSafepoint(Register scratch);
   void ExitFullSafepoint(Register scratch, bool ignore_unwind_in_progress);
 

runtime/vm/compiler/assembler/assembler_x64.cc

@@ -190,6 +190,8 @@ void Assembler::TransitionGeneratedToNative(Register destination_address,
                          compiler::target::Thread::exit_through_ffi_offset()),
        new_exit_through_ffi);
 
+  VerifyInGenerated(TMP);
+  // Mark that the thread is executing native code.
   movq(Assembler::VMTagAddress(), destination_address);
   movq(Address(THR, target::Thread::execution_state_offset()),
        Immediate(target::Thread::native_execution_state()));
@@ -259,10 +261,10 @@ void Assembler::ExitFullSafepoint(bool ignore_unwind_in_progress) {
   Bind(&done);
 }
 
-void Assembler::TransitionNativeToGenerated(bool leave_safepoint,
+void Assembler::TransitionNativeToGenerated(bool exit_safepoint,
                                             bool ignore_unwind_in_progress,
                                             bool set_tag) {
-  if (leave_safepoint) {
+  if (exit_safepoint) {
     ExitFullSafepoint(ignore_unwind_in_progress);
   } else {
     // flag only makes sense if we are leaving safepoint
@@ -278,6 +280,8 @@ void Assembler::TransitionNativeToGenerated(bool leave_safepoint,
 #endif
   }
 
+  VerifyNotInGenerated(TMP);
+  // Mark that the thread is executing Dart code.
   if (set_tag) {
     movq(Assembler::VMTagAddress(),
          Immediate(target::Thread::vm_tag_dart_id()));
@@ -293,6 +297,32 @@ void Assembler::TransitionNativeToGenerated(bool leave_safepoint,
        compiler::Immediate(0));
 }
 
+void Assembler::VerifyInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in generated.
+  Comment("VerifyInGenerated");
+  movq(scratch, Address(THR, target::Thread::execution_state_offset()));
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  Label ok;
+  BranchIf(EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
+void Assembler::VerifyNotInGenerated(Register scratch) {
+#if defined(DEBUG)
+  // Verify the thread is in native or VM.
+  Comment("VerifyNotInGenerated");
+  movq(scratch, Address(THR, target::Thread::execution_state_offset()));
+  CompareImmediate(scratch, target::Thread::generated_execution_state());
+  Label ok;
+  BranchIf(NOT_EQUAL, &ok, Assembler::kNearJump);
+  Breakpoint();
+  Bind(&ok);
+#endif
+}
+
 void Assembler::EmitQ(int reg,
                       const Address& address,
                       int opcode,

runtime/vm/compiler/assembler/assembler_x64.h

@@ -324,9 +324,11 @@ class Assembler : public AssemblerBase {
                                    Register new_exit_frame,
                                    Register new_exit_through_ffi,
                                    bool enter_safepoint);
-  void TransitionNativeToGenerated(bool leave_safepoint,
+  void TransitionNativeToGenerated(bool exit_safepoint,
                                    bool ignore_unwind_in_progress = false,
                                    bool set_tag = true);
+  void VerifyInGenerated(Register scratch);
+  void VerifyNotInGenerated(Register scratch);
 
 // Register-register, register-address and address-register instructions.
 #define RR(width, name, ...)                                                   \

runtime/vm/compiler/backend/il_riscv.cc

@@ -1550,7 +1550,7 @@ void FfiCallInstr::EmitNativeCode(FlowGraphCompiler* compiler) {
       __ jalr(target);
 
       // Update information in the thread object and leave the safepoint.
-      __ TransitionNativeToGenerated(temp1, /*leave_safepoint=*/true);
+      __ TransitionNativeToGenerated(temp1, /*exit_safepoint=*/true);
     } else {
       // We cannot trust that this code will be executable within a safepoint.
       // Therefore we delegate the responsibility of entering/exiting the

runtime/vm/compiler/backend/il_x64.cc

@@ -1348,7 +1348,7 @@ void FfiCallInstr::EmitNativeCode(FlowGraphCompiler* compiler) {
       __ CallCFunction(target_address, /*restore_rsp=*/true);
 
       // Update information in the thread object and leave the safepoint.
-      __ TransitionNativeToGenerated(/*leave_safepoint=*/true);
+      __ TransitionNativeToGenerated(/*exit_safepoint=*/true);
     } else {
       // We cannot trust that this code will be executable within a safepoint.
       // Therefore we delegate the responsibility of entering/exiting the