Bug 913216: Mark the entire heap to be flushed as soon as we start modifing bounds checks. (r=luke)

js/src/jit/AsmJSModule.cpp

@@ -33,11 +33,13 @@ AsmJSModule::patchHeapAccesses(ArrayBufferObject *heap, JSContext *cx)
         JSC::X86Assembler::setPointer(heapAccesses_[i].patchOffsetAt(code_), heapOffset);
     }
 #elif defined(JS_CPU_ARM)
-    jit::IonContext ic(cx, NULL);
-    jit::AutoFlushCache afc("patchBoundsCheck");
+
     uint32_t bits = mozilla::CeilingLog2(heap->byteLength());
     for (unsigned i = 0; i < heapAccesses_.length(); i++)
         jit::Assembler::updateBoundsCheck(bits, (jit::Instruction*)(heapAccesses_[i].offset() + code_));
+    // We already know the exact extent of areas that need to be patched, just make sure we
+    // flush all of them at once.
+    jit::AutoFlushCache::updateTop(uintptr_t(code_), pod.codeBytes_);
 #endif
 }
 

js/src/jit/Ion.cpp

@@ -2589,7 +2589,7 @@ void
 AutoFlushCache::updateTop(uintptr_t p, size_t len)
 {
     IonContext *ictx = GetIonContext();
-    IonRuntime *irt = ictx->runtime->ionRuntime();
+    IonRuntime *irt = (ictx != NULL) ? ictx->runtime->ionRuntime() : NULL;
     if (!irt || !irt->flusher())
         JSC::ExecutableAllocator::cacheFlush((void*)p, len);
     else

js/src/jit/arm/Assembler-arm.cpp

@@ -2741,7 +2741,8 @@ void Assembler::updateBoundsCheck(uint32_t logHeapSize, Instruction *inst)
     // O2RegImmShift shift = reg.toO2RegImmShift();
 
     *inst = InstALU(ScratchRegister, InvalidReg, lsr(index, logHeapSize), op_mov, SetCond, Always);
-    AutoFlushCache::updateTop(uintptr_t(inst), 4);
+    // NOTE: we don't update the Auto Flush Cache!  this function is currently only called from
+    // within AsmJSModule::patchHeapAccesses, which does that for us.  Don't call this!
 }
 
 void