Bug 1100237 - Flush icache after change-heap patching (r=bbouvier)

2024-09-13 09:24:08 -07:00 · 2014-11-17 13:10:26 -06:00 · 2014-11-17 13:10:26 -06:00 · f4c6edc60b
commit f4c6edc60b
parent e4893474f0
2 changed files with 36 additions and 0 deletions
--- a/js/src/asmjs/AsmJSModule.cpp
+++ b/js/src/asmjs/AsmJSModule.cpp
@ -1592,6 +1592,9 @@ AsmJSModule::changeHeap(Handle<ArrayBufferObject*> newHeap, JSContext *cx)
    if (interrupted_)
        return false;

+    AutoFlushICache afc("AsmJSModule::changeHeap");
+    setAutoFlushICacheRange();
+
    restoreHeapToInitialState(maybeHeap_);
    initHeap(newHeap, cx);
    return true;
--- a/js/src/jit-test/tests/asm.js/testBug1100237.js
+++ b/js/src/jit-test/tests/asm.js/testBug1100237.js
@ -0,0 +1,33 @@
+load(libdir + "asm.js");
+
+var byteLength = Function.prototype.call.bind(
+    Object.getOwnPropertyDescriptor(ArrayBuffer.prototype, "byteLength").get
+);
+var m = asmCompile("glob", "s", "b", `
+    "use asm";
+    var I32 = glob.Int32Array;
+    var i32 = new I32(b);
+    var len = glob.byteLength;
+    function ch(b2) {
+        if (len(b2) & 0xffffff || len(b2) <= 0xffffff || len(b2) > 80000000) {
+            return false;
+        }
+        i32 = new I32(b2);
+        b = b2;
+        return true
+    }
+    function get(i) {
+        i = i | 0;
+        return i32[i >> 2] | 0
+    }
+    return {
+        get: get,
+        changeHeap: ch
+    }
+`);
+var buf1 = new ArrayBuffer(16777216)
+var { get, changeHeap } = asmLink(m, this, null, buf1)
+assertEq(changeHeap(new ArrayBuffer(33554432)), true)
+assertEq(get(), 0)
+assertEq(changeHeap(buf1), true);
+get();