[vm/ffi] Fix Pointer deferred materialization on deopt

`Pointer`s were not handled in deferred materialization of objects
on deoptimizations. This lead to the address field being written as a
tagged value, causing the actual address to be smitagged.
Subsequent uses of those addresses would lead to segfaults.

This CL handles the `Pointer`s manually to deal with the untagged
address.

`--trace-deoptimization-verbose` before this CL:

```
Deoptimizing [...]
    _typedDataBase@8050071 <- Pointer: address=0x7ffff7488081
    null Field @ offset(8) <- 140736616678128
    null Field @ offset(16) <- TypeArguments: (H39d2e3b4) [Type: Never]
```

after this CL:

```
Deoptimizing [...]
    _typedDataBase@8050071 <- Pointer: address=0x7fa2c0a88081
    pointer@data <- 0x7fa29c16c0e0
    pointer@type_args <- TypeArguments: (H39d2e3b4) [Type: Never]
```

TEST=runtime/tests/vm/dart/regress_54871_test.dart
TEST=tests/ffi/structs_test.dart with --hot-reload-rollback-test-mode
     and --optimization-counter-threshold=50

Closes: #54871
Change-Id: I13b6404c8b098643b8ac0f59ee8e9bc635f33b8d
Cq-Include-Trybots: luci.dart.try:vm-reload-rollback-linux-debug-x64-try,vm-reload-rollback-linux-release-x64-try
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/352300
Reviewed-by: Martin Kustermann <[email protected]>
Commit-Queue: Daco Harkes <[email protected]>

Author: dcharkes

runtime/tests/vm/dart/regress_54871_test.dart

@@ -0,0 +1,36 @@
+// Copyright (c) 2024, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// Regression test for https://dartbug.com/54871.
+
+import 'dart:ffi';
+import 'dart:_internal';
+
+const address = 0xaabbccdd;
+bool deoptimize = false;
+
+main() {
+  for (int i = 0; i < 100000; ++i) {
+    foo();
+  }
+  deoptimize = true;
+  foo();
+}
+
+@pragma('vm:never-inline')
+void foo() {
+  final pointer = Pointer<Void>.fromAddress(address);
+  useInteger(pointer.address);
+  final pointerAddress = pointer.address;
+  if (address != pointerAddress) {
+    throw '$address vs $pointerAddress';
+  }
+}
+
+@pragma('vm:never-inline')
+void useInteger(int address) {
+  if (deoptimize) {
+    VMInternalsForTesting.deoptimizeFunctionsOnStack();
+  }
+}

runtime/vm/deferred_objects.cc

@@ -11,6 +11,7 @@
 #include "vm/deopt_instructions.h"
 #include "vm/flags.h"
 #include "vm/object.h"
+#include "vm/object_store.h"
 
 namespace dart {
 
@@ -350,6 +351,29 @@ void DeferredObject::Fill() {
         }
       }
     } break;
+    case kPointerCid: {
+      auto* const zone = Thread::Current()->zone();
+      const int kDataIndex = 0;
+      const int kTypeArgIndex = 1;
+      ASSERT(field_count_ == 2);
+      ASSERT(Smi::Cast(Object::Handle(zone, GetFieldOffset(kDataIndex)))
+                 .AsInt64Value() == PointerBase::data_offset());
+      ASSERT(Smi::Cast(Object::Handle(zone, GetFieldOffset(kTypeArgIndex)))
+                 .AsInt64Value() == Pointer::type_arguments_offset());
+
+      const auto& pointer = Pointer::Cast(*object_);
+      const size_t address =
+          Integer::Cast(Object::Handle(zone, GetValue(kDataIndex)))
+              .AsInt64Value();
+      pointer.SetNativeAddress(address);
+      const auto& type_args = TypeArguments::Handle(
+          zone, IsolateGroup::Current()->object_store()->type_argument_never());
+      pointer.SetTypeArguments(type_args);
+      if (FLAG_trace_deoptimization_verbose) {
+        OS::PrintErr("    pointer@data <- 0x%" Px "\n", address);
+        OS::PrintErr("    pointer@type_args <- %s\n", type_args.ToCString());
+      }
+    } break;
     case kRecordCid: {
       const Record& record = Record::Cast(*object_);
 

runtime/vm/object.cc

@@ -26099,7 +26099,7 @@ PointerPtr Pointer::New(uword native_address, Heap::Space space) {
   Thread* thread = Thread::Current();
   Zone* zone = thread->zone();
 
-  TypeArguments& type_args = TypeArguments::Handle(
+  const auto& type_args = TypeArguments::Handle(
       zone, IsolateGroup::Current()->object_store()->type_argument_never());
 
   const Class& cls =