Bug 1293312 - Baldr: handle big offsets in unaligned loads/stores (r=sunfish)
authorLuke Wagner <luke@mozilla.com>
Mon, 08 Aug 2016 21:44:36 -0500
changeset 308851 b31cd488ed6e741c78cf40d97e08b31f560449cd
parent 308850 bd03c5af655d4fcd00c6764be4e4d92ff74efcd3
child 308852 59d426e1165ab0cd81c0624b046559c43a015950
push id30550
push usercbook@mozilla.com
push dateWed, 10 Aug 2016 13:55:02 +0000
reviewerssunfish
bugs1293312
milestone51.0a1
Bug 1293312 - Baldr: handle big offsets in unaligned loads/stores (r=sunfish) MozReview-Commit-ID: 6szRIg3LrjI
js/src/jit-test/tests/wasm/basic-memory.js
js/src/jit/arm/CodeGenerator-arm.cpp
--- a/js/src/jit-test/tests/wasm/basic-memory.js
+++ b/js/src/jit-test/tests/wasm/basic-memory.js
@@ -249,16 +249,30 @@ for (var ind = 0; ind < 2; ind++) {
     for (let index of [0, 1, 2, 3, 0x7fffffff, 0x80000000, 0x80000001]) {
         testLoadOOB('i32', '8_s', index, offset, align);
         testLoadOOB('i32', '16_s', index, offset, align);
         testLoadOOB('i32', '', index, offset, align);
         testLoadOOB('f32', '', index, offset, align);
         testLoadOOB('f64', '', index, offset, align);
     }
 
+    // Ensure out of bounds when the offset is greater than the immediate range.
+    index = 0;
+    for (let offset of [0x80000000, 0xfffffffe, 0xffffffff]) {
+        testLoadOOB('i32', '8_s', index, offset, 1);
+        testLoadOOB('i32', '16_s', index, offset, 1);
+        testLoadOOB('i32', '16_s', index, offset, 2);
+        testLoadOOB('i32', '', index, offset, 1);
+        testLoadOOB('i32', '', index, offset, 4);
+        testLoadOOB('f32', '', index, offset, 1);
+        testLoadOOB('f32', '', index, offset, 4);
+        testLoadOOB('f64', '', index, offset, 1);
+        testLoadOOB('f64', '', index, offset, 8);
+    }
+
     assertErrorMessage(() => wasmEvalText('(module (memory 1) (func (f64.store offset=0 (i32.const 0) (i32.const 0))))'), TypeError, mismatchError("i32", "f64"));
     assertErrorMessage(() => wasmEvalText('(module (memory 1) (func (f64.store offset=0 (i32.const 0) (f32.const 0))))'), TypeError, mismatchError("f32", "f64"));
 
     assertErrorMessage(() => wasmEvalText('(module (memory 1) (func (f32.store offset=0 (i32.const 0) (i32.const 0))))'), TypeError, mismatchError("i32", "f32"));
     assertErrorMessage(() => wasmEvalText('(module (memory 1) (func (f32.store offset=0 (i32.const 0) (f64.const 0))))'), TypeError, mismatchError("f64", "f32"));
 
     assertErrorMessage(() => wasmEvalText('(module (memory 1) (func (i32.store offset=0 (i32.const 0) (f32.const 0))))'), TypeError, mismatchError("f32", "i32"));
     assertErrorMessage(() => wasmEvalText('(module (memory 1) (func (i32.store offset=0 (i32.const 0) (f64.const 0))))'), TypeError, mismatchError("f64", "i32"));
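Review bot: The new loop at the top of the hunk only exercises loads (`testLoadOOB`) for offsets above the Imm32 range, although the commit title covers unaligned stores as well; if this file has a matching store helper, the same offsets and alignments should be run through it so the store code path with a large offset is also pinned to trap rather than wrap. The `index = 0;` assignment relies on an `index` binding declared somewhere outside this hunk (the earlier `for (let index of [...])` binding is loop-scoped and is not visible afterwards); if no enclosing declaration exists this becomes an implicit global in sloppy mode, so `let index = 0;` or a literal `0` argument would be safer — unless a same-block `let index` already exists, which cannot be seen here. The comment could also state why these offsets are always out of bounds, e.g. `// offset > INT32_MAX cannot be in bounds for any 32-bit index; the bounds check must trap before the address is formed.`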
--- a/js/src/jit/arm/CodeGenerator-arm.cpp
+++ b/js/src/jit/arm/CodeGenerator-arm.cpp
@@ -2417,17 +2417,21 @@ template<typename T>
 void
 CodeGeneratorARM::emitWasmUnalignedLoad(T* lir)
 {
     const MWasmLoad* mir = lir->mir();
 
     MOZ_ASSERT(!mir->barrierBefore() && !mir->barrierAfter(), "atomics NYI");
 
     uint32_t offset = mir->offset();
-    MOZ_ASSERT(offset <= INT32_MAX);
+    if (offset > INT32_MAX) {
+        // This is unreachable because of bounds checks.
+        masm.breakpoint();
+        return;
+    }
 
     Register ptr = ToRegister(lir->ptrCopy());
     if (offset)
         masm.ma_add(Imm32(offset), ptr);
 
     // Add HeapReg to ptr, so we can use base+index addressing in the byte loads.
     masm.ma_add(HeapReg, ptr);
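Review bot: The comment on the new guard, `// This is unreachable because of bounds checks.`, asserts an invariant on a value that comes straight from the module's immediate (`mir->offset()`, attacker-controlled) without saying what establishes it; it should name the reason, for example `// A 32-bit index plus an offset > INT32_MAX can never fall inside the heap on this target, so the bounds check emitted for this access always traps first; trap hard here instead of emitting an Imm32 add that would wrap.` The bounds check itself is not in this hunk, so whether it is emitted from a separate LIR node or later in emitWasmUnalignedLoad (whose body continues past the hunk) cannot be confirmed from here; if it were emitted after this point, the early `return` would skip it, so that ordering is worth confirming in review. Replacing the debug-only `MOZ_ASSERT` with a runtime `masm.breakpoint()` is the right direction, since a release build previously would have emitted `ma_add(Imm32(offset), ptr)` with an offset that does not fit a positive Imm32. The title also covers stores, but only the load path is visible in this hunk.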