[vm] Fix profiler crash caused by the profiler observing a partially-executed load-multiple in the ARM simulators.

TEST=dartfuzz
Bug: #60876
Bug: #60810
Bug: #60850
Change-Id: I11c43412970ee3fa161326661684bc8ccf7153eb
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/441641
Commit-Queue: Ryan Macnak <[email protected]>
Reviewed-by: Derek Xu <[email protected]>
Reviewed-by: Tess Strickland <[email protected]>

Author: rmacnak-google

runtime/vm/compiler/assembler/assembler_riscv.cc

@@ -4691,8 +4691,10 @@ void Assembler::LeaveDartFrame() {
   }
   set_constant_pool_allowed(false);
   subi(SP, FP, 2 * target::kWordSize);
-  lx(FP, Address(SP, 0 * target::kWordSize));
+  // Update RA first so the profiler can identify the frame as the entry frame
+  // after FP is updated but before the return instruction.
   lx(RA, Address(SP, 1 * target::kWordSize));
+  lx(FP, Address(SP, 0 * target::kWordSize));
   addi(SP, SP, 2 * target::kWordSize);
 }
 

runtime/vm/simulator_arm.cc

@@ -1348,18 +1348,33 @@ void Simulator::HandleRList(Instr* instr, bool load) {
     if (instr->HasW()) {
       set_register(rn, rn_val);
     }
-    int reg = 0;
-    while (rlist != 0) {
-      if ((rlist & 1) != 0) {
-        if (load) {
-          set_register(static_cast<Register>(reg), ReadW(address, instr));
-        } else {
-          WriteW(address, get_register(static_cast<Register>(reg)), instr);
+
+    if (rlist == ((1 << FP) | (1 << PC))) {
+      // Special case `ldmia {fp, pc}` for LeaveDartFrame so that the profiler
+      // does not get confused by observing the update to fp before pc when our
+      // caller is the entry stub, i.e., failing to identify the entry frame. On
+      // real hardware, the profiler's signal handler cannot observe a partially
+      // executued load-multiple instruction.
+      int32_t new_fp = ReadW(address, instr);
+      address += 4;
+      int32_t new_pc = ReadW(address, instr);
+      address += 4;
+      set_register(PC, new_pc);
+      set_register(FP, new_fp);
+    } else {
+      int reg = 0;
+      while (rlist != 0) {
+        if ((rlist & 1) != 0) {
+          if (load) {
+            set_register(static_cast<Register>(reg), ReadW(address, instr));
+          } else {
+            WriteW(address, get_register(static_cast<Register>(reg)), instr);
+          }
+          address += 4;
         }
-        address += 4;
+        reg++;
+        rlist >>= 1;
       }
-      reg++;
-      rlist >>= 1;
     }
     ASSERT(end_address == address);
   }

runtime/vm/simulator_arm64.cc

@@ -2407,8 +2407,18 @@ void Simulator::DecodeLoadStoreRegPair(Instr* instr) {
       }
       // Write to register.
       if (instr->Bit(31) == 1) {
-        set_register(instr, rt, val1, R31IsZR);
-        set_register(instr, rt2, val2, R31IsZR);
+        if (rt == FP && rt2 == LR) {
+          // Special case `ldp fp, lr` for LeaveDartFrame so that the profiler
+          // does not get confused by observing the update to fp before lr when
+          // our caller is the entry stub, i.e., failing to identify the entry
+          // frame. On real hardware, the profiler's signal handler cannot
+          // observe a partially executed load-pair instruction.
+          set_register(instr, rt2, val2, R31IsZR);
+          set_register(instr, rt, val1, R31IsZR);
+        } else {
+          set_register(instr, rt, val1, R31IsZR);
+          set_register(instr, rt2, val2, R31IsZR);
+        }
       } else {
         set_wregister(rt, static_cast<int32_t>(val1), R31IsZR);
         set_wregister(rt2, static_cast<int32_t>(val2), R31IsZR);