Open Bug 983131 Opened 7 years ago Updated 11 months ago
Baldr: Add pre-heap buffer guard pages to avoid bounds checks for accesses that are known not to be negative by more than a small amount
After bug 979480 it becomes possible to allocate guard pages before the heap buffer. These could be protected so that a read or write causes a SIGSEGV and the signal handler could emulate an out of bounds access. This would allow bounds checks to be avoided when the index can be proven to no be negative by more than a small amount. For example, an access with a hoisted mask minus a small constant u8[i&m - c]. An alternative is to bias the heap base so that small negative offsets are not really out of bounds. For example u8[i&m - c + bias] where the bias would be common to most heap accesses so could be a common heap base offset and thus would not need to be computed on each heap access. The use of guard pages has the advantage of not requiring an extension to the asm.js common usage or syntax, and would give more compact asm.js code by avoiding the addition of the bias on each heap access. Handling the out-of-bounds access would be much slower in the signal handler but code would not be expected to hit this anyway.
Sounds great! To wit, this was a prerequisite for bug 865523 (except with a much larger pre-heap guard region). I see I resolved it WONTFIX, but I'm not sure why; I've always wondered how the 2-instruction sequence would compare to the current 3-instruction sequence.
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE
Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
Summary: Odinmonkey: add pre-heap buffer guard pages to avoid bounds checks for accesses that are known not to be negative by more than a small amount. → Baldr: Add pre-heap buffer guard pages to avoid bounds checks for accesses that are known not to be negative by more than a small amount.
You need to log in before you can comment on or make changes to this bug.