Bug 1057248. r=jandem
authorLuke Wagner <luke@mozilla.com>
Mon, 25 Aug 2014 23:10:05 -0400
changeset 223241 2e67ec1837324d864454d874f871b007fd96d9cc
parent 223240 efe5844c9a5bffc4256808b9fca3eeb603b75969
child 223242 775a14a8e1903322c425e051448925ccc13125a0
push id3979
push userraliiev@mozilla.com
push dateMon, 13 Oct 2014 16:35:44 +0000
treeherdermozilla-beta@30f2cc610691 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs1057248
milestone34.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1057248. r=jandem
js/src/jit-test/tests/asm.js/testBug1057248.js
js/src/vm/SharedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug1057248.js
@@ -0,0 +1,131 @@
+Random = {
+    weighted: function(wa) {
+        var a = [];
+        for (var i = 0; i < wa.length; ++i) {
+            for (var j = 0; j < wa[i]; ++j) {}
+        }
+    }
+}
+s = (function() {
+    Random.weighted([{
+            n() {}
+        }, {
+            n() {}
+        }, {
+            n() {}
+        }, {
+            w: 5,
+            n() {}
+        }
+    ])
+})()
+var builtinObjectNames = [];
+(function() {
+    function exploreDeeper(a, a) {
+        var s = Object.getOwnPropertyNames(a)
+        for (var j = 0; j < s.length; ++j) {
+            if (typeof h == "" && n != "") {}
+        }
+        builtinObjectNames.push()
+    }
+    exploreDeeper(Math, "")
+})(this, false)
+r = autoExpr(Random.weighted([]));
+r = autoExpr(Random.weighted([]));
+(Random.weighted([]));
+r = (Random.weighted([]))
+v = autoExpr(Random.weighted([]), true);
+r = autoExpr(Random.weighted([{
+        n() {}
+    }
+]), true)
+function autoExpr() {}
+function makeStatement() {}
+s = Random.weighted([{
+        n() {}
+    }
+])
+a = Random.weighted([{}, {}, {}, {}, {}, {
+        n() {}
+    }
+])
+a = Random.weighted([{
+        n() {}
+    }, {}, {}
+])
+var recursiveFunctions = [{
+        text: "(function(){{}})"
+    }, {
+        text: "(function(){if(0){}(1)})",
+        n() {}
+    }, {
+        text: "(function(){t:[]()})",
+        n() {}
+    }, {
+        text: "(function(){g()})",
+        n() {}
+    }
+];
+(function s() {
+    for (var i = 0; i < recursiveFunctions.length; ++i) {
+        a = recursiveFunctions[i];
+        var text = a.text
+        a = eval(text.replace(/@/, ""))
+    }
+    function g() {}
+    s = Random.weighted([{
+            w: 1,
+            n() {}
+        }, {
+            n() {}
+        }, //
+        {
+            n() {}
+        }, //
+        {
+            n() {}
+        }, {
+            w: 0,
+            n() {}
+        }, {
+            n() {}
+        }, {
+            n() {}
+        }, {
+            w: 1,
+            n() {}
+        }, {
+            w: makeStatement
+        }, {
+            w: 5
+        }
+    ])
+    t = function() {}
+    function c() {}
+})()
+function testMathyFunction(f, inputs) {
+    var r = [];
+    for (var j = 0; j < inputs.length; ++j) {
+        for (var k = 0; k < inputs.length; ++k) {
+            try {
+                f(inputs[j])
+            } catch (e) {}
+        }
+    }
+    uneval([])
+}
+mathy2 = (function(stdlib, foreign, heap) {
+    "use asm";
+    var Float32ArrayView = new stdlib.Float32Array(heap)
+        function f(i0) {
+            i0 = i0 | 0;
+            (Float32ArrayView[-i0 >> 2]) = 1.
+        }
+    return f
+})(this, {
+}, new SharedArrayBuffer(4096))
+testMathyFunction(mathy2, [-0])
+mathy5 = (function(y) {
+    ((function() {})(mathy2(y)()))
+})
+testMathyFunction(mathy5, [Math.PI])
\ No newline at end of file
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -67,37 +67,46 @@ MarkValidRegion(void *addr, size_t len)
     return true;
 #else
     if (mprotect(addr, len, PROT_READ | PROT_WRITE))
         return false;
     return true;
 #endif
 }
 
+#ifdef JS_CODEGEN_X64
+// Since this SharedArrayBuffer will likely be used for asm.js code, prepare it
+// for asm.js by mapping the 4gb protected zone described in AsmJSValidate.h.
+// Since we want to put the SharedArrayBuffer header immediately before the
+// heap but keep the heap page-aligned, allocate an extra page before the heap.
+static const uint64_t SharedArrayMappedSize = AsmJSMappedSize + AsmJSPageSize;
+static_assert(sizeof(SharedArrayRawBuffer) < AsmJSPageSize, "Page size not big enough");
+#endif
+
 SharedArrayRawBuffer *
 SharedArrayRawBuffer::New(uint32_t length)
 {
     // Enforced by SharedArrayBufferObject constructor.
     JS_ASSERT(IsValidAsmJSHeapLength(length));
 
 #ifdef JS_CODEGEN_X64
     // Get the entire reserved region (with all pages inaccessible)
-    void *p = MapMemory(AsmJSMappedSize, false);
+    void *p = MapMemory(SharedArrayMappedSize, false);
     if (!p)
         return nullptr;
 
     size_t validLength = AsmJSPageSize + length;
     if (!MarkValidRegion(p, validLength)) {
-        UnmapMemory(p, AsmJSMappedSize);
+        UnmapMemory(p, SharedArrayMappedSize);
         return nullptr;
     }
 #   if defined(MOZ_VALGRIND) && defined(VALGRIND_DISABLE_ADDR_ERROR_REPORTING_IN_RANGE)
     // Tell Valgrind/Memcheck to not report accesses in the inaccessible region.
     VALGRIND_DISABLE_ADDR_ERROR_REPORTING_IN_RANGE((unsigned char*)p + validLength,
-                                                   AsmJSMappedSize-validLength);
+                                                   SharedArrayMappedSize-validLength);
 #   endif
 #else
     uint32_t allocSize = length + AsmJSPageSize;
     if (allocSize <= length)
         return nullptr;
 
     void *p = MapMemory(allocSize, true);
     if (!p)
@@ -121,24 +130,22 @@ SharedArrayRawBuffer::dropReference()
     // Drop the reference to the buffer.
     uint32_t refcount = --this->refcount; // Atomic.
 
     // If this was the final reference, release the buffer.
     if (refcount == 0) {
         uint8_t *p = this->dataPointer() - AsmJSPageSize;
         JS_ASSERT(uintptr_t(p) % AsmJSPageSize == 0);
 #ifdef JS_CODEGEN_X64
-        UnmapMemory(p, AsmJSMappedSize);
+        UnmapMemory(p, SharedArrayMappedSize);
 #       if defined(MOZ_VALGRIND) \
            && defined(VALGRIND_ENABLE_ADDR_ERROR_REPORTING_IN_RANGE)
         // Tell Valgrind/Memcheck to recommence reporting accesses in the
         // previously-inaccessible region.
-        if (AsmJSMappedSize > 0) {
-            VALGRIND_ENABLE_ADDR_ERROR_REPORTING_IN_RANGE(p, AsmJSMappedSize);
-        }
+        VALGRIND_ENABLE_ADDR_ERROR_REPORTING_IN_RANGE(p, SharedArrayMappedSize);
 #       endif
 #else
         UnmapMemory(p, this->length + AsmJSPageSize);
 #endif
     }
 }
 
 /*