From faf7aa07a515e16cda19d1c6f711db6f07e38657 Mon Sep 17 00:00:00 2001
From: Luke Wagner
Date: Fri, 21 Feb 2014 11:05:36 -0600
Subject: [PATCH] Bug 975182 - OdinMonkey: when triggering operation callback, leave PROT_READ|PROT_WRITE (r=benj)
---
 js/src/jit-test/tests/asm.js/testBug975182.js | 18 ++++++++++++++++++
 js/src/jit/AsmJSSignalHandlers.cpp | 4 ++--
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/asm.js/testBug975182.js
diff --git a/js/src/jit-test/tests/asm.js/testBug975182.js b/js/src/jit-test/tests/asm.js/testBug975182.js
new file mode 100644
index 000000000000..3ff0bb5bd326
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug975182.js
@@ -0,0 +1,18 @@
+Function("\
+ g = (function(t,foreign){\
+ \"use asm\";\
+ var ff = foreign.ff;\
+ function f() {\
+ +ff()\
+ }\
+ return f\
+ })(this, {\
+ ff: arguments.callee\
+ }, ArrayBuffer(4096))\
+")()
+function m(f) {
+ for (var j = 0; j < 6000; ++j) {
+ f();
+ }
+}
+m(g);
diff --git a/js/src/jit/AsmJSSignalHandlers.cpp b/js/src/jit/AsmJSSignalHandlers.cpp
index 040026306c03..2baa3cf928ff 100644
--- a/js/src/jit/AsmJSSignalHandlers.cpp
+++ b/js/src/jit/AsmJSSignalHandlers.cpp
@@ -1031,10 +1031,10 @@ js::TriggerOperationCallbackForAsmJSCode(JSRuntime *rt)
 #if defined(XP_WIN)
 DWORD oldProtect;
- if (!VirtualProtect(module.codeBase(), module.functionBytes(), PAGE_NOACCESS, &oldProtect))
+ if (!VirtualProtect(module.codeBase(), module.functionBytes(), PAGE_READWRITE, &oldProtect))
 MOZ_CRASH();
 #else // assume Unix
- if (mprotect(module.codeBase(), module.functionBytes(), PROT_NONE))
+ if (mprotect(module.codeBase(), module.functionBytes(), PROT_READ|PROT_WRITE))
 MOZ_CRASH();
 #endif
 }
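Review bot: The new test file has no header comment naming the path it guards, and nothing in it forces an operation callback to be requested while `f` is running. Whether the 6000-iteration loop in `m` still reaches `TriggerOperationCallbackForAsmJSCode` therefore appears to depend on engine heuristics that are not visible in this file. A first line such as `// Bug 975182: operation callback requested while asm.js code calls an FFI import; must not crash.` would tell a later reader what a failure means. The file contains no assertion, so it passes only by not crashing, which the same comment should state.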
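Review bot: Neither changed call says why the code range is left readable and writable, and with `PAGE_READWRITE` / `PROT_READ|PROT_WRITE` the interrupt now relies entirely on the platform faulting on instruction fetch from a page without execute permission. On a configuration where read permission implies execute (no NX/DEP enforcement), the fault would presumably never be raised and the callback request would be lost without any diagnostic. That is inferred, because the fault handler and the code that restores the protection lie outside this hunk, as does the start of `TriggerOperationCallbackForAsmJSCode`. I would add above the `#if`: `// Drop only execute permission: the fault must come from instruction fetch, while loads/stores to the code range keep working (bug 975182).` Since the range stays writable until the restore runs, it is also worth confirming that every path through the handler puts the original protection back.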