Bug 1100237 - Flush icache after change-heap patching (r=bbouvier)
authorLuke Wagner <luke@mozilla.com>
Mon, 17 Nov 2014 13:10:26 -0600
changeset 216294 4f1382061059ad75c5ca4daf13db3f40424576e7
parent 216293 bb0bfabda47c5a1a101e608205e8ae2ee33107b7
child 216295 34859490061a145e795c439286cf8820c340ccd8
push id27845
push userkwierso@gmail.com
push dateWed, 19 Nov 2014 02:08:01 +0000
reviewersbbouvier
bugs1100237
milestone36.0a1
Bug 1100237 - Flush icache after change-heap patching (r=bbouvier)
js/src/asmjs/AsmJSModule.cpp
js/src/jit-test/tests/asm.js/testBug1100237.js
--- a/js/src/asmjs/AsmJSModule.cpp
+++ b/js/src/asmjs/AsmJSModule.cpp
@@ -1587,16 +1587,19 @@ AsmJSModule::changeHeap(Handle<ArrayBuff
 
     // Content JS should not be able to run (and change heap) from within an
     // interrupt callback, but in case it does, fail to change heap. Otherwise,
     // the heap can change at every single instruction which would prevent
     // future optimizations like heap-base hoisting.
     if (interrupted_)
         return false;
 
+    AutoFlushICache afc("AsmJSModule::changeHeap");
+    setAutoFlushICacheRange();
+
     restoreHeapToInitialState(maybeHeap_);
     initHeap(newHeap, cx);
     return true;
 }
 
 void
 AsmJSModule::setProfilingEnabled(bool enabled, JSContext *cx)
 {
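Review bot: The two added lines 41–42 carry no comment saying what code they protect, so a reader cannot tell that the two calls that follow them rewrite executable code. If the flush happens when `afc` leaves scope (inferred from the RAII naming, not visible here), the invariant that matters is that `restoreHeapToInitialState` and `initHeap` both stay inside that scope; a comment should pin it, e.g. `// restoreHeapToInitialState/initHeap patch heap-access code in place; keep both inside afc's scope so the patched range is flushed before stale instructions can run.` The early `return false` on the `interrupted_` path correctly stays ahead of the guard, since nothing is patched there. changeHeap's signature and the start of its body are outside the hunk.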
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug1100237.js
@@ -0,0 +1,33 @@
+load(libdir + "asm.js");
+
+var byteLength = Function.prototype.call.bind(
+    Object.getOwnPropertyDescriptor(ArrayBuffer.prototype, "byteLength").get
+);
+var m = asmCompile("glob", "s", "b", `
+    "use asm";
+    var I32 = glob.Int32Array;
+    var i32 = new I32(b);
+    var len = glob.byteLength;
+    function ch(b2) {
+        if (len(b2) & 0xffffff || len(b2) <= 0xffffff || len(b2) > 80000000) {
+            return false;
+        }
+        i32 = new I32(b2);
+        b = b2;
+        return true
+    }
+    function get(i) {
+        i = i | 0;
+        return i32[i >> 2] | 0
+    }
+    return {
+        get: get,
+        changeHeap: ch
+    }
+`);
+var buf1 = new ArrayBuffer(16777216)
+var { get, changeHeap } = asmLink(m, this, null, buf1)
+assertEq(changeHeap(new ArrayBuffer(33554432)), true)
+assertEq(get(), 0)
+assertEq(changeHeap(buf1), true);
+get();
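Review bot: The final `get();` on line 88 discards its result, so the second change-heap round trip is only checked for not crashing, whereas the first one on line 86 asserts the value read. Since buf1 is freshly allocated and therefore zero-filled, `assertEq(get(), 0);` would pin the read through the re-patched heap as well. A one-line header after the load line would also state what the test covers, e.g. `// Bug 1100237: a read after switching heaps back must go through freshly patched code.` Statement terminators are inconsistent across lines 83–88 (`buf1`, `asmLink`, the first two asserts lack semicolons; line 87 has one).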