Status


Core
JavaScript Engine
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: luke, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
The primary challenge here is that we can't use a global pinned register for the typed array, as we do on x64.  We also can't use the x64 "reserve 4GB so that out-of-bounds access never touches valid memory" trick because of the limited address space.  Baking in a constant isn't great because it means we'd have to clone/patch a module each time it was linked to a new global and it doesn't provide an efficient way to detect out-of-bounds (branching is measurably slow).  Instead, we'll use the x86 segmentation feature (like NaCl).  The main challenge is adding an entry to the LDT but, fortunately, NaCl is open-source:
  http://src.chromium.org/native_client/trunk/src/native_client/src/trusted/service_runtime/win/nacl_ldt.c
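
An added illustration of the mechanism the description relies on, not code from this bug, OdinMonkey or NaCl: it packs an IA-32 data-segment descriptor whose base and limit cover exactly one heap, and models the limit check the CPU applies to every offset into that segment. The helper names, the access byte (present, DPL 3, writable data) and the sample base are assumptions; installing the entry in the LDT is OS-specific and not shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed helper names; the bit layout is the standard IA-32 descriptor. */
typedef struct { uint32_t base, limit20; bool page_granular; } heap_seg;

/* Choose limit and granularity so the segment spans exactly [0, length). */
static bool heap_seg_init(heap_seg *s, uint32_t base, uint32_t length) {
    if (length == 0 || (uint64_t)base + length > (1ull << 32))
        return false;                    /* empty, or wraps the address space */
    if (length <= (1u << 20)) {          /* byte granularity, 20-bit limit */
        s->limit20 = length - 1;
        s->page_granular = false;
    } else if ((length & 0xFFF) == 0) {  /* page granularity, 4 KiB units */
        s->limit20 = (length >> 12) - 1;
        s->page_granular = true;
    } else {
        return false;                    /* limit could not be exact */
    }
    s->base = base;
    return true;
}

/* Pack the 8-byte descriptor; returns 0 (a not-present entry) on failure. */
uint64_t heap_descriptor(uint32_t base, uint32_t length) {
    heap_seg s;
    if (!heap_seg_init(&s, base, length)) return 0;
    uint64_t d = s.limit20 & 0xFFFF;                     /* limit 15:0  */
    d |= (uint64_t)(s.base & 0xFFFFFF) << 16;            /* base 23:0   */
    d |= (uint64_t)0xF2 << 40;        /* present, DPL 3, writable data */
    d |= (uint64_t)(s.limit20 >> 16) << 48;              /* limit 19:16 */
    d |= (uint64_t)(s.page_granular ? 0xC : 0x4) << 52;  /* G, D/B      */
    d |= (uint64_t)(s.base >> 24) << 56;                 /* base 31:24  */
    return d;
}

/* Model of the CPU limit check for an access of `size` bytes at `off`. */
bool heap_access_ok(uint32_t base, uint32_t length, uint32_t off, uint32_t size) {
    heap_seg s;
    if (size == 0 || !heap_seg_init(&s, base, length)) return false;
    uint64_t last = s.page_granular ? (((uint64_t)s.limit20 << 12) | 0xFFF)
                                    : s.limit20;
    return (uint64_t)off + size - 1 <= last;
}

int main(void) { /* constructed sample: 16 MiB heap at an arbitrary base */
    printf("%016llx\n", (unsigned long long)heap_descriptor(0x12345000u, 0x01000000u));
    return 0;
}
```

Heap lengths above 1 MiB that are not a whole number of 4 KiB pages are rejected, because a page-granular limit could not end exactly at the heap's last byte.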
(Reporter)

Updated

5 years ago
Blocks: 840282
(Reporter)

Updated

5 years ago
Depends on: 845458
(Reporter)

Comment 1

4 years ago
Update: got the segment register scheme working on 32-bit OSX and passing the out-of-bounds torture tests:
http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/57df8e4c52cc

Now just need to add the analogous calls for other Win/Linux, fill in the missing Asm(Load|Store)* nodes and the exit stubs.
(Reporter)

Comment 2

4 years ago
As of:
http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/e2fd77ffd205
all the asm.js jit tests, emscripten shell tests pass and BananaBread runs in the browser.

I'll finish Windows on bug 840283.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED