The primary challenge here is that we can't use a global pinned register for the typed array, as we do on x64. We also can't use the x64 "reserve 4GB so that out-of-bounds access never touches valid memory" trick because of the limited address space. Baking in a constant isn't great because it means we'd have to clone/patch a module each time it was linked to a new global and it doesn't provide an efficient way to detect out-of-bounds (branching is measurably slow). Instead, we'll use the x86 segmentation feature (like NaCl). The main challenge is adding an entry to the LDT but, fortunately, NaCl is open-source: http://src.chromium.org/native_client/trunk/src/native_client/src/trusted/service_runtime/win/nacl_ldt.c
Update: got the segment register scheme working on 32-bit OSX and passing the out-of-bounds torture tests: http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/57df8e4c52cc Now just need to add the analogous calls for other Win/Linux, fill in the missing Asm(Load|Store)* nodes and the exit stubs.
As of: http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/e2fd77ffd205 all the asm.js jit tests, emscripten shell tests pass and BananaBread runs in the browser. I'll finish Windows on bug 840283.
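The segment-limit bounds check described in the first comment, modelled in C as an added example (not code from this bug, SpiderMonkey or NaCl). The type and function names and the sample base address are assumptions, and the code models an expand-up data-segment descriptor rather than installing one in the LDT.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model (not OS or engine code) of an expand-up x86 data-segment descriptor. */
typedef struct {
    uint32_t base;      /* linear address where the typed-array heap starts */
    uint32_t limit;     /* 20-bit limit field */
    bool     page_gran; /* G bit: limit is counted in 4 KiB units */
} seg_desc;

/* Describe a heap of heap_len bytes; false if the length cannot be covered exactly. */
bool seg_for_heap(uint32_t base, uint32_t heap_len, seg_desc *d)
{
    if (heap_len == 0 || (heap_len > (1u << 20) && heap_len % 4096 != 0))
        return false;
    d->base = base;
    d->page_gran = heap_len > (1u << 20);   /* byte granularity only reaches 1 MiB */
    d->limit = (d->page_gran ? heap_len / 4096 : heap_len) - 1;
    return true;
}

/* Highest valid offset: with G set, the low 12 bits are treated as ones. */
uint32_t seg_effective_limit(const seg_desc *d)
{
    return d->page_gran ? ((d->limit << 12) | 0xFFFu) : d->limit;
}

/* The check applied to every access through the segment; false is where the CPU faults. */
bool seg_access_ok(const seg_desc *d, uint32_t offset, uint32_t size)
{
    uint32_t last = offset + (size - 1);
    if (size == 0 || last < offset)          /* model choice: reject 32-bit wraparound */
        return false;
    return last <= seg_effective_limit(d);
}

/* Pack into the 8-byte descriptor layout: present, DPL 3, writable data, 32-bit. */
uint64_t seg_encode(const seg_desc *d)
{
    return (d->limit & 0xFFFFu) | ((uint64_t)(d->base & 0xFFFFFFu) << 16) |
           (0xF2ull << 40) | ((uint64_t)((d->limit >> 16) & 0xFu) << 48) |
           ((uint64_t)(d->page_gran ? 0xC : 0x4) << 52) | ((uint64_t)(d->base >> 24) << 56);
}

int main(void)
{
    seg_desc d; /* constructed sample: 16 MiB heap at a made-up base address */
    return seg_for_heap(0x10000000u, 16u << 20, &d) && !seg_access_ok(&d, 16u << 20, 1) ? 0 : 1;
}
```

Because the limit is page-granular above 1 MiB, a heap whose length is not a multiple of 4 KiB cannot be bounded exactly by the descriptor alone, which is why `seg_for_heap` refuses it.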