asm.js: SAB+Atomics gating was incorrectly removed by bug 1176214

RESOLVED FIXED in Firefox 45

Status

()

Core
JavaScript Engine: JIT
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: lth, Assigned: lth)

Tracking

(Blocks: 1 bug)

unspecified
mozilla45
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox45 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

3 years ago
It looks like the asm.js changes on bug 1176214 may have cut away some good flesh with the bad; specifically the three sections that were #ifndef ENABLE_SHARED_ARRAY_BUFFER should probably not have been removed, as they implement necessary gating for shared memory in asm.js.

Consider this test case:

function m(stdlib, ffi, heap) {
    "use asm";
    var aload = stdlib.Atomics.load;
    var i32 = new stdlib.Int32Array(heap);
    function f() {
	return 0;
    }
    return f;
}
var h = new ArrayBuffer(65536);
var f = m(this, {}, h);

This fails at link time because the heap is not a SharedArrayBuffer, a requirement imposed by the reference to Atomics.load, but it really should have failed during verification because Atomics.load is not available in the build (this is a JS engine build with ENABLE_SHARED_ARRAY_BUFFER disabled).

I don't think this is a security or very damaging API leakage problem - SharedArrayBuffer is not available in JS-land to create a heap - but it would be good to fix this before the FF45 uplift on 2015-12-14 as it is technically a regression and some test suite is likely to fail.

(Should also reinstate those portions of the gating.js test that would have caught this.)
(Assignee)

Comment 1

3 years ago
Actually it looks like I really botched the asm.js changes when SharedTypedArray went away :(  Lots of things don't hang together now.  There are no outright bugs I think but there's a lot of pointless complexity.
(Assignee)

Comment 2

3 years ago
Created attachment 8697274 [details] [diff] [review]
properly gate SAB+atomics in asm.js

Also contains a drive-by fix for an improperly guarded test case that is unrelated to this bug
Attachment #8697274 - Flags: review?(luke)
(Assignee)

Updated

3 years ago
Blocks: 1231338

Comment 3

3 years ago
Comment on attachment 8697274 [details] [diff] [review]
properly gate SAB+atomics in asm.js

Review of attachment 8697274 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/asmjs/AsmJSModule.h
@@ +981,5 @@
>              pod.isSharedView_ = true;
>          for (size_t i=0 ; i < globals_.length() ; i++) {
>              Global& g = globals_[i];
>              if (g.which() == Global::ArrayView)
>                  g.makeViewShared();

Is it now necessary to makeViewsShared?  Or could we just maintain the single bool in the AsmJSModule that says "the buffer for these views must be shared"?

::: js/src/asmjs/AsmJSValidate.cpp
@@ +1397,1 @@
>      {

I think the curly can now be on the same line.
Attachment #8697274 - Flags: review?(luke) → review+
(Assignee)

Comment 5

3 years ago
(In reply to Luke Wagner [:luke] from comment #3)
> Comment on attachment 8697274 [details] [diff] [review]
> properly gate SAB+atomics in asm.js
> 
> Review of attachment 8697274 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Is it now necessary to makeViewsShared?  

I believe it is not.  I removed the code (and a minor amount of machinery behind).

> ::: js/src/asmjs/AsmJSValidate.cpp
> @@ +1397,1 @@
> >      {
> 
> I think the curly can now be on the same line.

Foo, I forgot to fix this before pushing.  (Should never push during a meeting.)

Comment 6

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5b395639df45
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.