Bug 1068684 - remove asm.js length restriction on SharedArrayBuffer. r=luke
authorLars T Hansen <lhansen@mozilla.com>
Fri, 31 Oct 2014 13:37:11 +0100
changeset 213397 677c24618e336c15b7d2f202d188cd59bf01da48
parent 213396 73fd8303deaba1bdc4ba099b9493c8540ea8e884
child 213398 0c31008f237b1e89ee11db93b30c68f90017b175
push id27748
push userryanvm@gmail.com
push dateFri, 31 Oct 2014 20:14:33 +0000
treeherdermozilla-central@12ac66e2c016 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersluke
bugs1068684
milestone36.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1068684 - remove asm.js length restriction on SharedArrayBuffer. r=luke
js/src/vm/SharedArrayObject.cpp
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -88,19 +88,20 @@ static const uint32_t maxLive = 1000;
 
 SharedArrayRawBuffer *
 SharedArrayRawBuffer::New(JSContext *cx, uint32_t length)
 {
     // The value (uint32_t)-1 is used as a signal in various places,
     // so guard against it on principle.
     MOZ_ASSERT(length != (uint32_t)-1);
 
-    // Enforced by SharedArrayBufferObject::New(cx, length).
-    MOZ_ASSERT(IsValidAsmJSHeapLength(length));
-
+    // Add a page for the header and round to a page boundary.
+    uint32_t allocSize = (length + 2*AsmJSPageSize - 1) & ~(AsmJSPageSize - 1);
+    if (allocSize <= length)
+        return nullptr;
 #ifdef JS_CODEGEN_X64
     // Test >= to guard against the case where multiple extant runtimes
     // race to allocate.
     if (++numLive >= maxLive) {
         JSRuntime *rt = cx->runtime();
         if (rt->largeAllocationFailureCallback)
             rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
         if (numLive >= maxLive) {
@@ -110,32 +111,27 @@ SharedArrayRawBuffer::New(JSContext *cx,
     }
     // Get the entire reserved region (with all pages inaccessible)
     void *p = MapMemory(SharedArrayMappedSize, false);
     if (!p) {
         numLive--;
         return nullptr;
     }
 
-    size_t validLength = AsmJSPageSize + length;
-    if (!MarkValidRegion(p, validLength)) {
+    if (!MarkValidRegion(p, allocSize)) {
         UnmapMemory(p, SharedArrayMappedSize);
         numLive--;
         return nullptr;
     }
 #   if defined(MOZ_VALGRIND) && defined(VALGRIND_DISABLE_ADDR_ERROR_REPORTING_IN_RANGE)
     // Tell Valgrind/Memcheck to not report accesses in the inaccessible region.
-    VALGRIND_DISABLE_ADDR_ERROR_REPORTING_IN_RANGE((unsigned char*)p + validLength,
-                                                   SharedArrayMappedSize-validLength);
+    VALGRIND_DISABLE_ADDR_ERROR_REPORTING_IN_RANGE((unsigned char*)p + allocSize,
+                                                   SharedArrayMappedSize - allocSize);
 #   endif
 #else
-    uint32_t allocSize = length + AsmJSPageSize;
-    if (allocSize <= length)
-        return nullptr;
-
     void *p = MapMemory(allocSize, true);
     if (!p)
         return nullptr;
 #endif
     uint8_t *buffer = reinterpret_cast<uint8_t*>(p) + AsmJSPageSize;
     uint8_t *base = buffer - sizeof(SharedArrayRawBuffer);
     return new (base) SharedArrayRawBuffer(buffer, length);
 }
@@ -234,28 +230,16 @@ SharedArrayBufferObject::class_construct
         return false;
     args.rval().setObject(*bufobj);
     return true;
 }
 
 SharedArrayBufferObject *
 SharedArrayBufferObject::New(JSContext *cx, uint32_t length)
 {
-    if (!IsValidAsmJSHeapLength(length)) {
-        mozilla::UniquePtr<char[], JS::FreePolicy> msg;
-        if (length > INT32_MAX)
-            msg.reset(JS_smprintf("SharedArrayBuffer byteLength 0x%x is too large", length));
-        else
-            msg.reset(JS_smprintf("SharedArrayBuffer byteLength 0x%x is not a valid length. The next valid "
-                                  "length is 0x%x", length, RoundUpToNextValidAsmJSHeapLength(length)));
-        if (msg)
-            JS_ReportError(cx, msg.get());
-        return nullptr;
-    }
-
     SharedArrayRawBuffer *buffer = SharedArrayRawBuffer::New(cx, length);
     if (!buffer)
         return nullptr;
 
     return New(cx, buffer);
 }
 
 SharedArrayBufferObject *