Bug 1414852: Don't overflow offset from begin to untrusted wasm jit exit range; r?luke
MozReview-Commit-ID: 3RAq64ojenT
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/wasm/regress/nop-fill-jit-exit.js
@@ -0,0 +1,28 @@
+// |jit-test| --arm-asm-nop-fill=1
+//
+try {
+ enableSingleStepProfiling();
+ disableSingleStepProfiling();
+} catch (e) {
+ // Early quit on plateforms not supporting single step profiling.
+ quit();
+}
+
+load(libdir + "asm.js");
+
+var ffi = function(enable) {
+ enableGeckoProfiling();
+ enableSingleStepProfiling();
+}
+var f = asmLink(asmCompile('global', 'ffis',
+ USE_ASM + `
+ var ffi=ffis.ffi;
+ function f(i) {
+ i=i|0;
+ ffi(i|0);
+ } return f
+ `), null, {
+ ffi
+});
+f(0);
+f(+1);
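Review bot: The `ffi` callback's `enable` parameter is never read, and both `f(0)` and `f(+1)` re-enable Gecko and single-step profiling without ever disabling them, so the second call exercises nothing the first did not; either drop the parameter or branch on it so the two calls differ. The empty `//` line and the `--arm-asm-nop-fill=1` directive carry no explanation; a comment such as `// Nop fill pads the import jit-exit stub so the begin-to-untrusted-FP offsets grow past what the old uint8_t fields held; single-step profiling walks those ranges.` would tie the test to the header change in this commit (presumably the cause of the bug, inferred from the widening). The catch comment misspells "platforms" as "plateforms".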
--- a/js/src/wasm/WasmTypes.cpp
+++ b/js/src/wasm/WasmTypes.cpp
@@ -754,16 +754,18 @@ CodeRange::CodeRange(uint32_t funcIndex,
kind_(ImportJitExit)
{
MOZ_ASSERT(isImportJitExit());
MOZ_ASSERT(begin_ < ret_);
MOZ_ASSERT(ret_ < end_);
u.funcIndex_ = funcIndex;
u.jitExit.beginToUntrustedFPStart_ = offsets.untrustedFPStart - begin_;
u.jitExit.beginToUntrustedFPEnd_ = offsets.untrustedFPEnd - begin_;
+ MOZ_ASSERT(jitExitUntrustedFPStart() == offsets.untrustedFPStart);
+ MOZ_ASSERT(jitExitUntrustedFPEnd() == offsets.untrustedFPEnd);
}
CodeRange::CodeRange(Trap trap, CallableOffsets offsets)
: begin_(offsets.begin),
ret_(offsets.ret),
end_(offsets.end),
kind_(TrapExit)
{
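Review bot: The two new round-trip asserts after the `u.jitExit` stores only run in debug builds, so a release build that pads the stub past the widened field still narrows `offsets.untrustedFPStart - begin_` silently on assignment and stores a truncated offset with no diagnostic. Since catching exactly that truncation is the point of the change, consider `MOZ_RELEASE_ASSERT` for those two lines, or at least a comment `// Stored as a narrow offset from begin_; the round-trip check catches truncation (e.g. when nop fill pads the stub).` so the next reader knows why the accessors are re-applied immediately after the stores. The accessors `jitExitUntrustedFPStart()`/`jitExitUntrustedFPEnd()` are defined outside the hunk, and the `func` offsets `beginToNormalEntry_`/`beginToTierEntry_` in WasmTypes.h are presumably assigned the same way onto uint8_t fields but get no such check in this commit.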
--- a/js/src/wasm/WasmTypes.h
+++ b/js/src/wasm/WasmTypes.h
@@ -1016,18 +1016,18 @@ class CodeRange
uint32_t funcIndex_;
union {
struct {
uint32_t lineOrBytecode_;
uint8_t beginToNormalEntry_;
uint8_t beginToTierEntry_;
} func;
struct {
- uint8_t beginToUntrustedFPStart_;
- uint8_t beginToUntrustedFPEnd_;
+ uint16_t beginToUntrustedFPStart_;
+ uint16_t beginToUntrustedFPEnd_;
} jitExit;
};
};
Trap trap_;
} u;
Kind kind_ : 8;
public:
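Review bot: The widened `beginToUntrustedFPStart_`/`beginToUntrustedFPEnd_` fields carry no comment stating the invariant they encode, so the next person who enlarges the jit-exit stub has no hint that the stored value is a uint16_t offset from `begin_` with a hard upper bound. A one-line comment above the struct, `// Offsets from begin_; must fit in uint16_t (checked by the CodeRange ctor).`, would document this; the sibling `func` members `beginToNormalEntry_`/`beginToTierEntry_` stay uint8_t with the same unstated limit. The enclosing `class CodeRange` continues outside the hunk.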