From 4110d2100546bf56a0a8f7edc6c40ae7690a589f Mon Sep 17 00:00:00 2001
From: Luke Wagner
Date: Tue, 16 Dec 2014 08:59:53 -0600
Subject: [PATCH] Bug 1111327 - Fix AsmJSModule::clone to duplicate profiling labels (r=dougc)
--HG--
extra : rebase_source : fce96207623d1bc9c480694bd311d25e827d35f6
---
 js/src/asmjs/AsmJSModule.cpp | 15 +++++++++++++++
 js/src/asmjs/AsmJSModule.h | 2 +-
 js/src/jit-test/tests/asm.js/testBug1111327.js | 11 +++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/asm.js/testBug1111327.js
diff --git a/js/src/asmjs/AsmJSModule.cpp b/js/src/asmjs/AsmJSModule.cpp
index bc6c12930c0..72e94de8a3f 100644
--- a/js/src/asmjs/AsmJSModule.cpp
+++ b/js/src/asmjs/AsmJSModule.cpp
@@ -1496,6 +1496,11 @@ AsmJSModule::serializedSize() const
 uint8_t *
 AsmJSModule::serialize(uint8_t *cursor) const
 {
+ MOZ_ASSERT(!dynamicallyLinked_);
+ MOZ_ASSERT(!loadedFromCache_);
+ MOZ_ASSERT(!profilingEnabled_);
+ MOZ_ASSERT(!interrupted_);
+
 cursor = WriteBytes(cursor, &pod, sizeof(pod));
 cursor = WriteBytes(cursor, code_, pod.codeBytes_);
 cursor = SerializeName(cursor, globalArgumentName_);
@@ -1590,6 +1595,16 @@ AsmJSModule::clone(JSContext *cx, ScopedJSDeletePtr *moduleOut) con
 out.loadedFromCache_ = loadedFromCache_;
 out.profilingEnabled_ = profilingEnabled_;
+ if (profilingEnabled_) {
+ if (!out.profilingLabels_.resize(profilingLabels_.length()))
+ return false;
+ for (size_t i = 0; i < profilingLabels_.length(); i++) {
+ out.profilingLabels_[i] = DuplicateString(cx, profilingLabels_[i].get());
+ if (!out.profilingLabels_[i])
+ return false;
+ }
+ }
+
 // We already know the exact extent of areas that need to be patched, just make sure we
 // flush all of them at once.
 out.setAutoFlushICacheRange();
diff --git a/js/src/asmjs/AsmJSModule.h b/js/src/asmjs/AsmJSModule.h
index e1a3bd42334..fc8098810fc 100644
--- a/js/src/asmjs/AsmJSModule.h
+++ b/js/src/asmjs/AsmJSModule.h
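Review bot: The four assertions added at the top of AsmJSModule::serialize (js/src/asmjs/AsmJSModule.cpp) are MOZ_ASSERTs, so they check debug builds only, and nothing beside them says why these states are forbidden. The function goes on to write `code_` byte-for-byte, so a module serialized after linking or with profiling enabled would presumably persist already-patched code for later loads. A short comment above the block would record that, e.g. `// serialize() copies code_ verbatim, so the module must still be unlinked and unpatched.` Whether a release build can reach this path in one of those states depends on callers outside the hunk, as does the rest of serialize's body.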
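Review bot: In AsmJSModule::clone (js/src/asmjs/AsmJSModule.cpp), `out.profilingEnabled_` is copied on the context line just above the new block, so when `resize` or `DuplicateString` fails and the function returns false, `out` is left flagged as profiling-enabled with null or missing label entries. That is harmless only if the caller discards `*moduleOut` on failure, which this hunk does not show. Moving `out.profilingEnabled_ = profilingEnabled_;` to just after the closing brace of the `if (profilingEnabled_)` block would keep the flag and the label vector consistent at every exit. clone begins and ends outside the hunk.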
@@ -645,7 +645,7 @@ class AsmJSModule
 bool clone(ExclusiveContext *cx, Name *out) const;
 };
- typedef mozilla::UniquePtr ProfilingLabel;
+ typedef mozilla::UniquePtr ProfilingLabel;
 #if defined(MOZ_VTUNE) || defined(JS_ION_PERF)
 // Function information to add to the VTune JIT profiler following linking.
diff --git a/js/src/jit-test/tests/asm.js/testBug1111327.js b/js/src/jit-test/tests/asm.js/testBug1111327.js
new file mode 100644
index 00000000000..dc1ff6c515b
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug1111327.js
@@ -0,0 +1,11 @@
+load(libdir + "asm.js");
+
+// Single-step profiling currently only works in the ARM simulator
+if (!getBuildConfiguration()["arm-simulator"])
+ quit();
+
+enableSPSProfiling();
+enableSingleStepProfiling();
+var m = asmCompile(USE_ASM + 'function f() {} return f');
+asmLink(m)();
+asmLink(m)();
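Review bot: The new test testBug1111327.js has no assertion and no comment saying what it guards, so a reader cannot tell that the second `asmLink(m)()` is the line under test. Judging by the commit title, linking the same module twice with profiling enabled is what sends it through AsmJSModule::clone; a comment above the two calls would record that, e.g. `// The second link clones the module; the clone must carry its own profiling labels.` The early `quit()` also means the test passes silently on every build without the ARM simulator, so the regression is covered only on that configuration.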