ffi: Out-of-bound access marshaling structs by value with size and alignment less than word size

[rmacnak-google]

Consider

struct S9 { 
  uint8_t a0;
  uint8_t a1;
  uint8_t a2;
  uint8_t a3;
  uint8_t a4;
  uint8_t a5;
  uint8_t a6;
  uint8_t a7;
  uint8_t a8;
};
extern void Callee(S9);
void Caller(S9* s) {
  Callee(*s);
}

on ARM64. dart:ffi marshals the struct by using two word-sized loads to fill x0 and x1. The struct has only 1-byte alignment, so the last member might be at a page boundary, so using a word load instead of byte load may trigger an access violation.

On Windows ARM64, even if the load succeds, MSVC expects the upper 56 bits of x1 to be zeroed. (As the callee, Clang does not. Both MSVC and Clang ensure these upper bits are zero as the caller.) Using an unsigned byte load during marshaling would ensure the upper bits are zero as MSVC expects.

[dcharkes]

Nice find @rmacnak-google !

This will need some massaging in kernel_to_il.cc and il_xxx.cc to make the loads/stores in various places respect bounds.

[dcharkes]

Current results feed shows this failing or flaking on most archs/oses:

https://dart-current-results.web.app/#/filter=ffi/function_struct_by_value_out_of_bounds_test&showAll

[rmacnak-google]

Oh, I should allocate a guard page explicitly instead of assuming the next page is unallocated.

[a-siva]

This is still failing on vm-fuchsia-release-x64 log

[rmacnak-google]

This is expected to fail on all ABIs except IA32 and Windows X64. I have a CL in progress to handle these cases.