[vm] Use dual mapping of code pages on certain OS versions

mraleph · Commit Queue · commit d194fcecafc8 · 2025-06-12T20:46:54.000-07:00
Heap references always point into R/RW mapping (this simplifies the marker) and entry points are retargeted into RX. To simplify implementation we assume that there are no image pages created - which means we can always go from Instructions to the start of the page and check where it is dual mapped to. TEST=vm/dart/macos_dual_mapping_smoke_test and manually on physical device Change-Id: Idbe02b7b695b3c048072cf92f7d062f5ab6e1beb Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/433940 Reviewed-by: Siva Annamalai <asiva@google.com> Reviewed-by: Alexander Markov <alexmarkov@google.com> Commit-Queue: Slava Egorov <vegorov@google.com>
diff --git a/runtime/platform/utils_macos.cc b/runtime/platform/utils_macos.cc
@@ -141,10 +141,15 @@ int32_t DarwinVersionInternal() {
   int32_t minor_version = 0;
 
 #if defined(DART_HOST_OS_IOS)
-  // We do not expect to run on version of iOS <12.0 so we can assume that
-  // kernel version is off by 6 from iOS version (e.g. kernel 18.0 is iOS 12.0).
-  // This only holds starting from iOS 4.0.
-  major_version = kernel_major_version - 6;
+  if (kernel_major_version >= 25) {
+    // Starting from iOS 26 kernel versions are 1 behind OS version.
+    major_version = kernel_major_version + 1;
+  } else {
+    // We do not expect to run on version of iOS <12.0 so we can assume that
+    // kernel version is off by 6 from iOS version (e.g. kernel 18.0 is
+    // iOS 12.0). This only holds starting from iOS 4.0.
+    major_version = kernel_major_version - 6;
+  }
   if (major_version >= 15) {
     // After iOS 15 minor version of kernel is the same as minor version of
     // the iOS release. Before iOS 15 these numbers were not in sync. However
diff --git a/runtime/platform/utils_macos.h b/runtime/platform/utils_macos.h
@@ -31,6 +31,7 @@ int32_t DarwinVersion();
   }
 
 DEFINE_IS_OS_FUNCS(18_4, 180400)
+DEFINE_IS_OS_FUNCS(26_0, 260000)
 
 #else
 
diff --git a/runtime/tests/vm/dart/macos_dual_mapping_smoke_script.dart b/runtime/tests/vm/dart/macos_dual_mapping_smoke_script.dart
@@ -0,0 +1,26 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:convert';
+import 'dart:ffi';
+
+int foo(int v) {
+  return v + 41;
+}
+
+void main(List<String> args) {
+  // Use some FFI callbacks to test that image pages are correctly setup.
+  final nativeCallable = NativeCallable<Int32 Function(Int32)>.isolateLocal(
+    foo,
+    exceptionalReturn: 0,
+  );
+  final result = nativeCallable.nativeFunction.asFunction<int Function(int)>()(
+    1,
+  );
+  nativeCallable.close();
+
+  final String encoded = base64.encode(args[0].codeUnits);
+  final String decoded = String.fromCharCodes(base64.decode(encoded));
+  print('$result$decoded');
+}
diff --git a/runtime/tests/vm/dart/macos_dual_mapping_smoke_test.dart b/runtime/tests/vm/dart/macos_dual_mapping_smoke_test.dart
@@ -0,0 +1,91 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// OtherResources=macos_dual_mapping_smoke_script.dart
+
+// Tests that dual mapping works on Mac OS. This is a smoke test for
+// functionality enabled in development mode on iOS 26 devices.
+//
+// To test this code path we use --force_dual_mapping_of_code_pages which
+// assumes that VM does not execute from a snapshot. Hence the need to run
+// from Kernel directly.
+
+import 'dart:io' show Platform, File;
+
+import 'package:expect/expect.dart';
+import 'package:path/path.dart' as path;
+import 'snapshot_test_helper.dart';
+
+compileAndRunMinimalDillTest(List<String> extraCompilationArgs) async {
+  final testScriptUri = Platform.script.resolve(
+    'macos_dual_mapping_smoke_script.dart',
+  );
+  final message = 'Round_trip_message';
+  final expectedResponse = '42$message';
+
+  await withTempDir((String temp) async {
+    final minimalDillPath = path.join(temp, 'test.dill');
+    await runGenKernel('BUILD DILL FILE', [
+      '--no-link-platform',
+      ...extraCompilationArgs,
+      '--output=$minimalDillPath',
+      testScriptUri.toFilePath(),
+    ]);
+
+    {
+      final result = await runDart('RUN FROM DILL FILE', [
+        minimalDillPath,
+        message,
+      ]);
+      expectOutput(expectedResponse, result);
+    }
+
+    final String unsignedDartExecutable;
+    final entitlementsInfo = (await runBinary(
+      'CHECKING ENTITLEMENTS',
+      'codesign',
+      ['-d', '--entitlements', '-', '--xml', Platform.executable],
+      allowNonZeroExitCode: true,
+    )).processResult;
+    Expect.isTrue(entitlementsInfo.stderr.startsWith('Executable='));
+    if (entitlementsInfo.stdout.contains('<?xml') &&
+        !entitlementsInfo.stdout.contains(
+          'com.apple.security.cs.allow-unsigned-executable-memory',
+        )) {
+      // Non-empty entitlements without
+      // com.apple.security.cs.allow-unsigned-executable-memory will make
+      // this test fail so strip them.
+      unsignedDartExecutable = path.join(temp, 'dart');
+      File(Platform.executable).copySync(unsignedDartExecutable);
+      await runBinary('REMOVING SIGNATURE', 'codesign', [
+        '--remove-signature',
+        unsignedDartExecutable,
+      ]);
+      await runBinary('RESIGNING', 'codesign', [
+        '-s',
+        '-',
+        unsignedDartExecutable,
+      ]);
+    } else {
+      unsignedDartExecutable = Platform.executable;
+    }
+
+    {
+      final result = await runDart('RUN FROM DILL FILE', [
+        '--force_dual_mapping_of_code_pages',
+        minimalDillPath,
+        message,
+      ], dartExecutable: unsignedDartExecutable);
+      expectOutput(expectedResponse, result);
+    }
+  });
+}
+
+void main() async {
+  // Only supported on MacOS.
+  if (!Platform.isMacOS || isAOTRuntime) {
+    return;
+  }
+  await compileAndRunMinimalDillTest([]);
+}
diff --git a/runtime/tests/vm/dart/snapshot_test_helper.dart b/runtime/tests/vm/dart/snapshot_test_helper.dart
@@ -54,14 +54,15 @@ Future<Result> runDart(
   String prefix,
   List<String> arguments, {
   bool printOut = true,
+  String? dartExecutable,
 }) {
   final augmentedArguments = <String>[]
     ..addAll(Platform.executableArguments)
     ..add('--verbosity=warning')
     ..addAll(arguments);
   return runBinary(
     prefix,
-    Platform.executable,
+    dartExecutable ?? Platform.executable,
     augmentedArguments,
     printOut: printOut,
   );
@@ -100,6 +101,7 @@ Future<Result> runBinary(
   Map<String, String>? environment,
   bool runInShell = false,
   bool printOut = true,
+  bool allowNonZeroExitCode = false,
 }) async {
   print("+ $binary " + arguments.join(" "));
   final processResult = await Process.run(
@@ -127,7 +129,7 @@ Command stderr:
 ${processResult.stderr}''');
   }
 
-  if (result.processResult.exitCode != 0) {
+  if (!allowNonZeroExitCode && result.processResult.exitCode != 0) {
     reportError(
       result,
       '[$prefix] Process finished with non-zero exit code ${result.processResult.exitCode}',
diff --git a/runtime/tests/vm/vm.status b/runtime/tests/vm/vm.status
@@ -336,6 +336,9 @@ dart/stacktrace_mixin_application_test: SkipByDesign # Relies symbol names in st
 [ $compiler == dart2analyzer || $compiler == dart2js ]
 dart/data_uri*test: Skip # Data uri's not supported by dart2js or the analyzer.
 
+[ $compiler != dartk || $runtime != vm || $system != macos ]
+dart/macos_dual_mapping_smoke: SkipByDesign
+
 [ $mode == debug || $runtime != dart_precompiled || $system == android ]
 dart/emit_aot_size_info_flag_test: SkipByDesign # This test is for VM AOT only and is quite slow (so we don't run it in debug mode).
 dart/split_aot_kernel_generation2_test: SkipByDesign # This test is for VM AOT only and is quite slow (so we don't run it in debug mode).
diff --git a/runtime/vm/code_patcher_ia32.cc b/runtime/vm/code_patcher_ia32.cc
@@ -190,7 +190,8 @@ void CodePatcher::PatchStaticCallAt(uword return_address,
   auto zone = thread->zone();
   const Instructions& instrs = Instructions::Handle(zone, code.instructions());
   thread->isolate_group()->RunWithStoppedMutators([&]() {
-    WritableInstructionsScope writable(instrs.PayloadStart(), instrs.Size());
+    WritableInstructionsScope writable(instrs.WritablePayloadStart(),
+                                       instrs.Size());
     ASSERT(code.ContainsInstructionAt(return_address));
     StaticCall call(return_address, code);
     call.set_target(new_target);
@@ -233,7 +234,8 @@ void CodePatcher::PatchInstanceCallAtWithMutatorsStopped(
   ASSERT(caller_code.ContainsInstructionAt(return_address));
   const Instructions& instrs =
       Instructions::Handle(zone, caller_code.instructions());
-  WritableInstructionsScope writable(instrs.PayloadStart(), instrs.Size());
+  WritableInstructionsScope writable(instrs.WritablePayloadStart(),
+                                     instrs.Size());
   InstanceCall call(return_address, caller_code);
   call.set_data(data);
   call.set_target(target);
diff --git a/runtime/vm/compiler/relocation_test.cc b/runtime/vm/compiler/relocation_test.cc
@@ -260,6 +260,7 @@ struct RelocatorTestHelper {
       }
 
       if (FLAG_write_protect_code) {
+        ASSERT(!VirtualMemory::ShouldDualMapExecutablePages());
         const uword address = UntaggedObject::ToAddr(instructions.ptr());
         const auto size = instructions.ptr()->untag()->HeapSize();
         VirtualMemory::Protect(reinterpret_cast<void*>(address), size,
diff --git a/runtime/vm/debugger_ia32.cc b/runtime/vm/debugger_ia32.cc
@@ -31,7 +31,8 @@ void CodeBreakpoint::PatchCode() {
   const Instructions& instrs = Instructions::Handle(zone, code.instructions());
   Code& stub_target = Code::Handle(zone);
   thread->isolate_group()->RunWithStoppedMutators([&]() {
-    WritableInstructionsScope writable(instrs.PayloadStart(), instrs.Size());
+    WritableInstructionsScope writable(instrs.WritablePayloadStart(),
+                                       instrs.Size());
     switch (breakpoint_kind_) {
       case UntaggedPcDescriptors::kIcCall: {
         stub_target = StubCode::ICCallBreakpoint().ptr();
@@ -61,7 +62,8 @@ void CodeBreakpoint::RestoreCode() {
   const Code& code = Code::Handle(zone, code_);
   const Instructions& instrs = Instructions::Handle(zone, code.instructions());
   thread->isolate_group()->RunWithStoppedMutators([&]() {
-    WritableInstructionsScope writable(instrs.PayloadStart(), instrs.Size());
+    WritableInstructionsScope writable(instrs.WritablePayloadStart(),
+                                       instrs.Size());
     switch (breakpoint_kind_) {
       case UntaggedPcDescriptors::kIcCall:
       case UntaggedPcDescriptors::kUnoptStaticCall:
diff --git a/runtime/vm/ffi_callback_metadata.cc b/runtime/vm/ffi_callback_metadata.cc
@@ -118,7 +118,7 @@ VirtualMemory* FfiCallbackMetadata::AllocateTrampolinePage() {
   // is_executable=true so that pages get allocated with MAP_JIT flag if
   // necessary. Otherwise OS will kill us with a codesigning violation if
   // hardened runtime is enabled.
-  const bool is_executable = true;
+  const bool is_executable = !VirtualMemory::ShouldDualMapExecutablePages();
 #else
   const bool is_executable = false;
 #endif
diff --git a/runtime/vm/heap/page.cc b/runtime/vm/heap/page.cc
@@ -293,10 +293,11 @@ void Page::ResetProgressBar() {
 
 void Page::WriteProtect(bool read_only) {
   ASSERT(!is_image());
-
   VirtualMemory::Protection prot;
   if (read_only) {
-    if (is_executable()) {
+    // When dual mapping code pages we don't change protection on RX page, but
+    // flip RW to R and back.
+    if (is_executable() && !VirtualMemory::ShouldDualMapExecutablePages()) {
       prot = VirtualMemory::kReadExecute;
     } else {
       prot = VirtualMemory::kReadOnly;
diff --git a/runtime/vm/heap/page.h b/runtime/vm/heap/page.h
@@ -105,6 +105,9 @@ class Page {
   uword start() const { return memory_->start(); }
   uword end() const { return memory_->end(); }
   bool Contains(uword addr) const { return memory_->Contains(addr); }
+  intptr_t OffsetToExecutableAlias() const {
+    return memory_->OffsetToExecutableAlias();
+  }
 
   uword object_start() const {
     return is_new() ? new_object_start() : old_object_start();
diff --git a/runtime/vm/heap/pages.cc b/runtime/vm/heap/pages.cc
@@ -1534,6 +1534,12 @@ uword PageSpace::AllocateSnapshotLockedSlow(FreeList* freelist, intptr_t size) {
 }
 
 void PageSpace::SetupImagePage(void* pointer, uword size, bool is_executable) {
+  if (VirtualMemory::ShouldDualMapExecutablePages()) {
+    // See |Instructions::PayloadStart| for more details about this restriction.
+    FATAL(
+        "Dual mapping of executable pages assumes no image pages in the heap");
+  }
+
   // Setup a Page so precompiled Instructions can be traversed.
   // Instructions are contiguous at [pointer, pointer + size). Page
   // expects to find objects at [memory->start() + ObjectStartOffset,
diff --git a/runtime/vm/object.cc b/runtime/vm/object.cc
@@ -18714,7 +18714,8 @@ CodePtr Code::FinalizeCode(FlowGraphCompiler* compiler,
 
     // Copy the instructions into the instruction area and apply all fixups.
     // Embedded pointers are still in handles at this point.
-    MemoryRegion region(reinterpret_cast<void*>(instrs.PayloadStart()),
+    MemoryRegion region(reinterpret_cast<void*>(
+                            Instructions::WritablePayloadStart(instrs.ptr())),
                         instrs.Size());
     assembler->FinalizeInstructions(region);
 
@@ -18741,10 +18742,15 @@ CodePtr Code::FinalizeCode(FlowGraphCompiler* compiler,
     // Write protect instructions and, if supported by OS, use dual mapping
     // for execution.
     if (FLAG_write_protect_code) {
+      // Note: when dual mapping is used we have separate RX and RW mappings.
+      // RX mapping never changes protection while RW mapping flips between
+      // R and RW.
       uword address = UntaggedObject::ToAddr(instrs.ptr());
       VirtualMemory::Protect(reinterpret_cast<void*>(address),
                              instrs.ptr()->untag()->HeapSize(),
-                             VirtualMemory::kReadExecute);
+                             VirtualMemory::ShouldDualMapExecutablePages()
+                                 ? VirtualMemory::kReadOnly
+                                 : VirtualMemory::kReadExecute);
     }
 
     // Hook up Code and Instructions objects.
@@ -18766,7 +18772,7 @@ CodePtr Code::FinalizeCode(FlowGraphCompiler* compiler,
     }
 #endif
 
-    CPU::FlushICache(instrs.PayloadStart(), instrs.Size());
+    CPU::FlushICache(region.start(), region.size());
   }
 
 #if defined(INCLUDE_IL_PRINTER)
diff --git a/runtime/vm/object.h b/runtime/vm/object.h
@@ -5790,10 +5790,29 @@ class Instructions : public Object {
     return SizeBits::decode(instr->untag()->size_and_flags_);
   }
 
+  // When dual mapping all GC references (e.g. instruction fields inside
+  // Code) point into R/RW mapping. Entry points however all point into RX
+  // memory. This makes marking simpler: because marker does not need to
+  // translate RX mapping into RW mapping.
   uword PayloadStart() const { return PayloadStart(ptr()); }
   uword MonomorphicEntryPoint() const { return MonomorphicEntryPoint(ptr()); }
   uword EntryPoint() const { return EntryPoint(ptr()); }
   static uword PayloadStart(const InstructionsPtr instr) {
+    if (VirtualMemory::ShouldDualMapExecutablePages()) {
+      // Caveat: we assume that dual mapping is currently only enabled in iOS
+      // in Flutter development mode. This mode does not use snapshots which
+      // include image pages which means we can assume that all Instruction
+      // objects are allocated on VM owned pages.
+      // There is a check in |PageSpace::SetupImagePage| which enforces this.
+      auto page = Page::Of(instr);
+      RELEASE_ASSERT(page->Contains(reinterpret_cast<uword>(instr->untag())));
+      return reinterpret_cast<uword>(instr->untag()) +
+             page->OffsetToExecutableAlias() + HeaderSize();
+    }
+    return reinterpret_cast<uword>(instr->untag()) + HeaderSize();
+  }
+
+  static word WritablePayloadStart(const InstructionsPtr instr) {
     return reinterpret_cast<uword>(instr->untag()) + HeaderSize();
   }
 
diff --git a/runtime/vm/virtual_memory.cc b/runtime/vm/virtual_memory.cc
diff --git a/runtime/vm/virtual_memory.h b/runtime/vm/virtual_memory.h
diff --git a/runtime/vm/virtual_memory_posix.cc b/runtime/vm/virtual_memory_posix.cc

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ int32_t DarwinVersion();`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`DEFINE_IS_OS_FUNCS(18_4, 180400)`
	`34`	`+DEFINE_IS_OS_FUNCS(26_0, 260000)`
`34`	`35`
`35`	`36`	`#else`
`36`	`37`
Original file line number	Diff line number	Diff line change
`@@ -260,6 +260,7 @@ struct RelocatorTestHelper {`
`260`	`260`	`}`
`261`	`261`
`262`	`262`	`if (FLAG_write_protect_code) {`
	`263`	`+ ASSERT(!VirtualMemory::ShouldDualMapExecutablePages());`
`263`	`264`	`const uword address = UntaggedObject::ToAddr(instructions.ptr());`
`264`	`265`	`const auto size = instructions.ptr()->untag()->HeapSize();`
`265`	`266`	`VirtualMemory::Protect(reinterpret_cast<void*>(address), size,`