Bug 965880 - OdinMonkey: don't forget to AutoUnprotectCode and prepareForAsmJS (r=bbouvier)

js/src/asmjs/AsmJSLink.cpp

@@ -570,9 +570,19 @@ ChangeHeap(JSContext *cx, AsmJSModule &module, CallArgs args)
     }
 
     Rooted<ArrayBufferObject*> newBuffer(cx, &bufferArg.toObject().as<ArrayBufferObject>());
-    bool rval = module.changeHeap(newBuffer, cx);
+    uint32_t heapLength = newBuffer->byteLength();
+    if (heapLength & module.heapLengthMask() || heapLength < module.minHeapLength()) {
+        args.rval().set(BooleanValue(false));
+        return true;
+    }
 
-    args.rval().set(BooleanValue(rval));
+    MOZ_ASSERT(IsValidAsmJSHeapLength(heapLength));
+    MOZ_ASSERT(!IsDeprecatedAsmJSHeapLength(heapLength));
+
+    if (!ArrayBufferObject::prepareForAsmJS(cx, newBuffer, module.usesSignalHandlersForOOB()))
+        return false;
+
+    args.rval().set(BooleanValue(module.changeHeap(newBuffer, cx)));
     return true;
 }
 

js/src/asmjs/AsmJSModule.cpp

@@ -731,6 +731,8 @@ AsmJSModule::staticallyLink(ExclusiveContext *cx)
 void
 AsmJSModule::initHeap(Handle<ArrayBufferObjectMaybeShared *> heap, JSContext *cx)
 {
+    MOZ_ASSERT_IF(heap->is<ArrayBufferObject>(),
+                  heap->as<ArrayBufferObject>().isAsmJSArrayBuffer());
     MOZ_ASSERT(IsValidAsmJSHeapLength(heap->byteLength()));
     MOZ_ASSERT(dynamicallyLinked_);
     MOZ_ASSERT(!maybeHeap_);
@@ -772,6 +774,7 @@ AsmJSModule::initHeap(Handle<ArrayBufferObjectMaybeShared *> heap, JSContext *cx
 #endif
 }
 
+// This method assumes the caller has a live AutoUnprotectCode.
 void
 AsmJSModule::restoreHeapToInitialState(ArrayBufferObjectMaybeShared *maybePrevBuffer)
 {
@@ -793,6 +796,7 @@ AsmJSModule::restoreHeapToInitialState(ArrayBufferObjectMaybeShared *maybePrevBu
     heapDatum() = nullptr;
 }
 
+// This method assumes the caller has a live AutoUnprotectCode.
 void
 AsmJSModule::restoreToInitialState(ArrayBufferObjectMaybeShared *maybePrevBuffer,
                                    uint8_t *prevCode,
@@ -1550,7 +1554,7 @@ AsmJSModule::clone(JSContext *cx, ScopedJSDeletePtr<AsmJSModule> *moduleOut) con
 }
 
 bool
-AsmJSModule::changeHeap(Handle<ArrayBufferObject*> newBuffer, JSContext *cx)
+AsmJSModule::changeHeap(Handle<ArrayBufferObject*> newHeap, JSContext *cx)
 {
     // Content JS should not be able to run (and change heap) from within an
     // interrupt callback, but in case it does, fail to change heap. Otherwise,
@@ -1559,15 +1563,9 @@ AsmJSModule::changeHeap(Handle<ArrayBufferObject*> newBuffer, JSContext *cx)
     if (interrupted_)
         return false;
 
-    uint32_t heapLength = newBuffer->byteLength();
-    if (heapLength & pod.heapLengthMask_ || heapLength < pod.minHeapLength_)
-        return false;
-
-    MOZ_ASSERT(IsValidAsmJSHeapLength(heapLength));
-    MOZ_ASSERT(!IsDeprecatedAsmJSHeapLength(heapLength));
-
+    AutoUnprotectCode auc(cx, *this);
     restoreHeapToInitialState(maybeHeap_);
-    initHeap(newBuffer, cx);
+    initHeap(newHeap, cx);
     return true;
 }
 

js/src/asmjs/AsmJSModule.h

@@ -884,6 +884,10 @@ class AsmJSModule
     uint32_t minHeapLength() const {
         return pod.minHeapLength_;
     }
+    uint32_t heapLengthMask() const {
+        MOZ_ASSERT(pod.hasFixedMinHeapLength_);
+        return pod.heapLengthMask_;
+    }
     unsigned numFunctionCounts() const {
         return functionCounts_.length();
     }

js/src/jit-test/tests/asm.js/testResize.js

@@ -203,6 +203,7 @@ assertEq(changeHeap.toSource(), changeHeapSource);
 
 set(0, 42);
 set(4, 13);
+set(4, 13);
 assertEq(get(0), 42);
 assertEq(get(4), 13);
 set(BUF_CHANGE_MIN, 262);
@@ -213,6 +214,8 @@ assertEq(get(0), 0);
 assertEq(get(4), 0);
 set(BUF_CHANGE_MIN, 262);
 assertEq(get(BUF_CHANGE_MIN), 262);
+set(2*BUF_CHANGE_MIN, 262);
+assertEq(get(2*BUF_CHANGE_MIN), 0);
 changeHeap(buf1);
 assertEq(get(0), 42);
 assertEq(get(4), 13);