Bug 1203044 - IonMonkey: MIPS32: Atomics operations should throw on oob access. r=lth
authorHeiher <r@hev.cc>
Wed, 09 Sep 2015 02:00:00 +0200
changeset 294168 ec890000d297a49f755c8761a6e508e519dee267
parent 294167 8e35091f326bc4535a4525e4a49d84f5cdcef48f
child 294169 35502cb5d5b1f5fd83acaac08f0ca42ec189886e
push id5245
push userraliiev@mozilla.com
push dateThu, 29 Oct 2015 11:30:51 +0000
reviewerslth
bugs1203044
milestone43.0a1
Bug 1203044 - IonMonkey: MIPS32: Atomics operations should throw on oob access. r=lth
js/src/jit/mips32/CodeGenerator-mips32.cpp
--- a/js/src/jit/mips32/CodeGenerator-mips32.cpp
+++ b/js/src/jit/mips32/CodeGenerator-mips32.cpp
@@ -1845,18 +1845,17 @@ CodeGeneratorMIPS::visitAsmJSLoadHeap(LA
             masm.ma_load(ToRegister(out), BaseIndex(HeapReg, ptrReg, TimesOne),
                          static_cast<LoadStoreSize>(size), isSigned ? SignExtend : ZeroExtend);
         }
         return;
     }
 
     BufferOffset bo = masm.ma_BoundsCheck(ScratchRegister);
 
-    Label outOfRange;
-    Label done;
+    Label done, outOfRange;
     masm.ma_b(ptrReg, ScratchRegister, &outOfRange, Assembler::AboveOrEqual, ShortJump);
     // Offset is ok, let's load value.
     if (isFloat) {
         if (size == 32)
             masm.loadFloat32(BaseIndex(HeapReg, ptrReg, TimesOne), ToFloatRegister(out));
         else
             masm.loadDouble(BaseIndex(HeapReg, ptrReg, TimesOne), ToFloatRegister(out));
     } else {
@@ -1869,17 +1868,20 @@ CodeGeneratorMIPS::visitAsmJSLoadHeap(LA
     if (isFloat) {
         if (size == 32)
             masm.loadFloat32(Address(GlobalReg, AsmJSNaN32GlobalDataOffset - AsmJSGlobalRegBias),
                              ToFloatRegister(out));
         else
             masm.loadDouble(Address(GlobalReg, AsmJSNaN64GlobalDataOffset - AsmJSGlobalRegBias),
                             ToFloatRegister(out));
     } else {
-        masm.move32(Imm32(0), ToRegister(out));
+        if (mir->isAtomicAccess())
+            masm.ma_b(gen->outOfBoundsLabel());
+        else
+            masm.move32(Imm32(0), ToRegister(out));
     }
     masm.bind(&done);
 
     masm.append(AsmJSHeapAccess(bo.getOffset()));
 }
 
 void
 CodeGeneratorMIPS::visitAsmJSStoreHeap(LAsmJSStoreHeap* ins)
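Review bot: In the out-of-range path of visitAsmJSLoadHeap the new `mir->isAtomicAccess()` test sits only in the integer `else` branch, so a float access flagged atomic would still load NaN and fall through to `done` instead of throwing, whereas the store hunk below applies the check to float and integer accesses alike. If atomic heap accesses are always integer here (presumably, but nothing in this hunk shows it), state that with `MOZ_ASSERT(!mir->isAtomicAccess());` at the top of the out-of-range `if (isFloat)` branch, or hoist the check above the `isFloat` test to match the store path. A short comment such as `// Atomic accesses throw on OOB; plain asm.js loads yield 0 or NaN.` would also explain why the two cases diverge. The function begins before this hunk, so the declaration of `mir` is not visible.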
@@ -1934,30 +1936,35 @@ CodeGeneratorMIPS::visitAsmJSStoreHeap(L
             masm.ma_store(ToRegister(value), BaseIndex(HeapReg, ptrReg, TimesOne),
                           static_cast<LoadStoreSize>(size), isSigned ? SignExtend : ZeroExtend);
         }
         return;
     }
 
     BufferOffset bo = masm.ma_BoundsCheck(ScratchRegister);
 
-    Label rejoin;
-    masm.ma_b(ptrReg, ScratchRegister, &rejoin, Assembler::AboveOrEqual, ShortJump);
+    Label done, outOfRange;
+    masm.ma_b(ptrReg, ScratchRegister, &outOfRange, Assembler::AboveOrEqual, ShortJump);
 
     // Offset is ok, let's store value.
     if (isFloat) {
         if (size == 32) {
             masm.storeFloat32(ToFloatRegister(value), BaseIndex(HeapReg, ptrReg, TimesOne));
         } else
             masm.storeDouble(ToFloatRegister(value), BaseIndex(HeapReg, ptrReg, TimesOne));
     } else {
         masm.ma_store(ToRegister(value), BaseIndex(HeapReg, ptrReg, TimesOne),
                       static_cast<LoadStoreSize>(size), isSigned ? SignExtend : ZeroExtend);
     }
-    masm.bind(&rejoin);
+    masm.ma_b(&done, ShortJump);
+    masm.bind(&outOfRange);
+    // Offset is out of range.
+    if (mir->isAtomicAccess())
+        masm.ma_b(gen->outOfBoundsLabel());
+    masm.bind(&done);
 
     masm.append(AsmJSHeapAccess(bo.getOffset()));
 }
 
 void
 CodeGeneratorMIPS::visitAsmJSCompareExchangeHeap(LAsmJSCompareExchangeHeap* ins)
 {
     MOZ_CRASH("NYI");
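Review bot: The unconditional `masm.ma_b(&done, ShortJump);` after the store is emitted for non-atomic accesses too, where `outOfRange` and `done` bind at the same position, so every in-range plain store now executes a branch to the very next instruction that the old `rejoin` code did not have. Guarding it with the same condition keeps the atomic behaviour and leaves the non-atomic code as it was before: `if (mir->isAtomicAccess())` followed by `masm.ma_b(&done, ShortJump);`. visitAsmJSStoreHeap starts before this hunk, so `mir` and `isFloat` are defined out of view.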