Closed Bug 1231624 Opened 10 years ago Closed 10 years ago

asm.js: SAB+Atomics gating was incorrectly removed by bug 1176214

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla45
Tracking Flags:
Tracking Status
firefox45 --- fixed

People

(Reporter: lth, Assigned: lth)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

properly gate SAB+atomics in asm.js
14.75 KB, patch
luke
: review+
Details | Diff | Splinter Review
It looks like the asm.js changes on bug 1176214 may have cut away some good flesh with the bad; specifically the three sections that were #ifndef ENABLE_SHARED_ARRAY_BUFFER should probably not have been removed, as they implement necessary gating for shared memory in asm.js. Consider this test case: function m(stdlib, ffi, heap) { "use asm"; var aload = stdlib.Atomics.load; var i32 = new stdlib.Int32Array(heap); function f() { return 0; } return f; } var h = new ArrayBuffer(65536); var f = m(this, {}, h); This fails at link time because the heap is not a SharedArrayBuffer, a requirement imposed by the reference to Atomics.load, but it really should have failed during verification because Atomics.load is not available in the build (this is a JS engine build with ENABLE_SHARED_ARRAY_BUFFER disabled). I don't think this is a security or very damaging API leakage problem - SharedArrayBuffer is not available in JS-land to create a heap - but it would be good to fix this before the FF45 uplift on 2015-12-14 as it is technically a regression and some test suite is likely to fail. (Should also reinstate those portions of the gating.js test that would have caught this.)
Actually it looks like I really botched the asm.js changes when SharedTypedArray went away :( Lots of things don't hang together now. There are no outright bugs I think but there's a lot of pointless complexity.
Also contains a drive-by fix for an improperly guarded test case that is unrelated to this bug
Attachment #8697274 - Flags: review?(luke)
Blocks: 1231338
Comment on attachment 8697274 [details] [diff] [review] properly gate SAB+atomics in asm.js Review of attachment 8697274 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/asmjs/AsmJSModule.h @@ +981,5 @@ > pod.isSharedView_ = true; > for (size_t i=0 ; i < globals_.length() ; i++) { > Global& g = globals_[i]; > if (g.which() == Global::ArrayView) > g.makeViewShared(); Is it now necessary to makeViewsShared? Or could we just maintain the single bool in the AsmJSModule that says "the buffer for these views must be shared"? ::: js/src/asmjs/AsmJSValidate.cpp @@ +1397,1 @@ > { I think the curly can now be on the same line.
Attachment #8697274 - Flags: review?(luke) → review+
(In reply to Luke Wagner [:luke] from comment #3) > Comment on attachment 8697274 [details] [diff] [review] > properly gate SAB+atomics in asm.js > > Review of attachment 8697274 [details] [diff] [review]: > ----------------------------------------------------------------- > > Is it now necessary to makeViewsShared? I believe it is not. I removed the code (and a minor amount of machinery behind). > ::: js/src/asmjs/AsmJSValidate.cpp > @@ +1397,1 @@ > > { > > I think the curly can now be on the same line. Foo, I forgot to fix this before pushing. (Should never push during a meeting.)
https://hg.mozilla.org/mozilla-central/rev/5b395639df45
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: