From 2e1ed1cb73042d5bf26b5b7f98cad5fe6a0c4403 Mon Sep 17 00:00:00 2001
From: "Nicolas B. Pierron"
Date: Thu, 13 Feb 2014 03:07:52 -0800
Subject: [PATCH] Bug 970643 - Only toggle execution permissions on JIT code. r=luke

---
 .../assembler/jit/ExecutableAllocatorPosix.cpp | 5 ++++-
 .../assembler/jit/ExecutableAllocatorWin.cpp | 3 ++-
 js/src/jit-test/tests/basic/bug970643.js | 18 ++++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/bug970643.js

diff --git a/js/src/assembler/jit/ExecutableAllocatorPosix.cpp b/js/src/assembler/jit/ExecutableAllocatorPosix.cpp
index 5632483160fb..62c9d8cc2342 100644
--- a/js/src/assembler/jit/ExecutableAllocatorPosix.cpp
+++ b/js/src/assembler/jit/ExecutableAllocatorPosix.cpp
@@ -106,7 +106,10 @@ ExecutablePool::toggleAllCodeAsAccessible(bool accessible)
 size_t size = m_freePtr - begin;
 if (size) {
- if (mprotect(begin, size, accessible ? PROT_READ | PROT_WRITE | PROT_EXEC : PROT_NONE))
+ int flags = accessible
+ ? PROT_READ | PROT_WRITE | PROT_EXEC
+ : PROT_READ | PROT_WRITE;
+ if (mprotect(begin, size, flags))
 MOZ_CRASH();
 }
 }
diff --git a/js/src/assembler/jit/ExecutableAllocatorWin.cpp b/js/src/assembler/jit/ExecutableAllocatorWin.cpp
index 0d28d10d0fc6..78e8aa3e1060 100644
--- a/js/src/assembler/jit/ExecutableAllocatorWin.cpp
+++ b/js/src/assembler/jit/ExecutableAllocatorWin.cpp
@@ -124,7 +124,8 @@ ExecutablePool::toggleAllCodeAsAccessible(bool accessible)
 if (size) {
 DWORD oldProtect;
- if (!VirtualProtect(begin, size, accessible ? PAGE_EXECUTE_READWRITE : PAGE_NOACCESS, &oldProtect))
+ int flags = accessible ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
+ if (!VirtualProtect(begin, size, flags, &oldProtect))
 MOZ_CRASH();
 }
 }
diff --git a/js/src/jit-test/tests/basic/bug970643.js b/js/src/jit-test/tests/basic/bug970643.js
new file mode 100644
index 000000000000..844c59331934
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug970643.js
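Review bot: The `!accessible` branch now leaves the pool readable and writable where it used to be PROT_NONE, and nothing in the hunk records why execution is the only permission withdrawn, so a later reader may well "restore" PROT_NONE and reintroduce the bug this commit fixes. The new test's comment suggests the reason is that a GC may still mark or update pointers embedded in the code while the interrupt callback has it protected; if that is the intent, put it next to the code, e.g. above the `int flags = accessible` line: `// Only the execute bit is toggled: the GC may still read/patch pointers in the code while it is marked inaccessible (bug 970643).` It is also worth stating the trade-off in that comment, namely that a stray write into the pool during the inaccessible window is no longer trapped by the page protection, only an attempt to execute it is. toggleAllCodeAsAccessible's signature is outside the hunk; its body closes inside it.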
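Review bot: In the ExecutableAllocatorWin.cpp hunk `flags` is declared `int`, but VirtualProtect's new-protection argument is a DWORD, the same type as the `oldProtect` declared on the line above; the implicit conversion is harmless for these two constants but is inconsistent with the neighbouring declaration and is the kind of signed/unsigned mix that sign-conversion warnings pick up. Use `DWORD flags = accessible ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;`. The same why-comment as on the POSIX side belongs here too, since PAGE_NOACCESS → PAGE_READWRITE is the identical change and equally unexplained in the code. The enclosing function's signature is outside the hunk.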
@@ -0,0 +1,18 @@
+// |jit-test| exitstatus: 6;
+
+setJitCompilerOption("baseline.usecount.trigger", 1);
+setJitCompilerOption("ion.usecount.trigger", 2);
+
+// The timepout function is made to trigger the interruption callback. The
+// interruption callback will protect the code while a GC might be
+// marking/updating pointers in it.
+var x = 0;
+function interrupt_gc() {
+ if (x++ >= 20)
+ return;
+ timeout(0.1, interrupt_gc);
+ while(x < 20)
+ gc();
+}
+
+interrupt_gc();
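Review bot: The header comment of the new test misspells `timeout` as `timepout`, and neither it nor the `// |jit-test| exitstatus: 6;` directive says which event is expected to end the run with that status, so a reader cannot tell whether the timeout firing or the gc() loop finishing is the intended outcome. Change the first comment line to `// The timeout function is made to trigger the interruption callback. The` and add one line stating what terminates the test and why exit status 6 is the expected result.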