Bug 1507564: Bind code labels when generating lazy table stubs; r=luke

A lazy stub could generate CodeLabels on x86, because of a constant NaN generated for the entry's epilogue that ended up in a constant pool. We need to actually bind these code labels in general. Differential Revision: https://phabricator.services.mozilla.com/D12052 --HG-- extra : moz-landing-system : lando
2018-11-15 21:25:52 +00:00 · 2018-11-15 21:25:52 +00:00 · e50fdcd5ff
--- a/js/src/jit-test/tests/wasm/regress/lazy-table-nan.js
+++ b/js/src/jit-test/tests/wasm/regress/lazy-table-nan.js
@ -0,0 +1,10 @@
+let i = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
+(module
+    (func $f (result f32)
+        f32.const nan:0x42
+    )
+    (table (export "table") 10 anyfunc)
+    (elem (i32.const 0) $f)
+)
+`))).exports;
+i.table.get(0)();
--- a/js/src/wasm/WasmCode.cpp
+++ b/js/src/wasm/WasmCode.cpp
@ -764,7 +764,6 @@ LazyStubTier::createMany(HasGcTypes gcTypesConfigured, const Uint32Vector& funcE

    masm.finish();

-    MOZ_ASSERT(!masm.numCodeLabels());
    MOZ_ASSERT(masm.callSites().empty());
    MOZ_ASSERT(masm.callSiteTargets().empty());
    MOZ_ASSERT(masm.callFarJumps().empty());
@ -802,6 +801,10 @@ LazyStubTier::createMany(HasGcTypes gcTypesConfigured, const Uint32Vector& funcE
    masm.executableCopy(codePtr, /* flushICache = */ false);
    memset(codePtr + masm.bytesNeeded(), 0, codeLength - masm.bytesNeeded());

+    for (const CodeLabel& label : masm.codeLabels()) {
+        Assembler::Bind(codePtr, label);
+    }
+
    ExecutableAllocator::cacheFlush(codePtr, codeLength);
    if (!ExecutableAllocator::makeExecutable(codePtr, codeLength)) {
        return false;