summaryrefslogtreecommitdiffstats
path: root/js
diff options
context:
space:
mode:
Diffstat (limited to 'js')
-rw-r--r--js/moz.configure24
-rw-r--r--js/src/gc/Nursery.cpp14
-rw-r--r--js/src/jit/MoveResolver.cpp99
-rw-r--r--js/src/jit/MoveResolver.h11
-rw-r--r--js/src/jsapi-tests/testJitMoveEmitterCycles.cpp94
5 files changed, 234 insertions, 8 deletions
diff --git a/js/moz.configure b/js/moz.configure
index 0eeb2fc52..eadd0e9ab 100644
--- a/js/moz.configure
+++ b/js/moz.configure
@@ -236,3 +236,27 @@ def ctypes_and_compile_environment(ctypes, compile_environment, _):
return ctypes and compile_environment
include('ffi.configure', when=ctypes_and_compile_environment)
+
+# Support various fuzzing options
+# ==============================================================
+with only_when('--enable-compile-environment'):
+ option('--enable-fuzzing', help='Enable fuzzing support')
+
+ @depends('--enable-fuzzing')
+ def enable_fuzzing(value):
+ if value:
+ return True
+
+ @depends(enable_fuzzing,
+ try_compile(body='__AFL_COMPILER;',
+ check_msg='for AFL compiler',
+ when='--enable-fuzzing'))
+ def enable_libfuzzer(fuzzing, afl):
+ if fuzzing and not afl:
+ return True
+
+ set_config('FUZZING', enable_fuzzing)
+ set_define('FUZZING', enable_fuzzing)
+
+ set_config('LIBFUZZER', enable_libfuzzer)
+ set_define('LIBFUZZER', enable_libfuzzer)
diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp
index bce2b74aa..aa50bf29e 100644
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -121,6 +121,13 @@ js::Nursery::Nursery(JSRuntime* rt)
bool
js::Nursery::init(uint32_t maxNurseryBytes, AutoLockGC& lock)
{
+ if (!mallocedBuffers.init())
+ return false;
+
+ freeMallocedBuffersTask = js_new<FreeMallocedBuffersTask>(runtime()->defaultFreeOp());
+ if (!freeMallocedBuffersTask || !freeMallocedBuffersTask->init())
+ return false;
+
/* maxNurseryBytes parameter is rounded down to a multiple of chunk size. */
maxNurseryChunks_ = maxNurseryBytes >> ChunkShift;
@@ -128,16 +135,9 @@ js::Nursery::init(uint32_t maxNurseryBytes, AutoLockGC& lock)
if (maxNurseryChunks_ == 0)
return true;
- if (!mallocedBuffers.init())
- return false;
-
if (!cellsWithUid_.init())
return false;
- freeMallocedBuffersTask = js_new<FreeMallocedBuffersTask>(runtime()->defaultFreeOp());
- if (!freeMallocedBuffersTask || !freeMallocedBuffersTask->init())
- return false;
-
AutoMaybeStartBackgroundAllocation maybeBgAlloc;
updateNumChunksLocked(1, maybeBgAlloc, lock);
if (numChunks() == 0)
diff --git a/js/src/jit/MoveResolver.cpp b/js/src/jit/MoveResolver.cpp
index 5fd6c7bd5..383b45073 100644
--- a/js/src/jit/MoveResolver.cpp
+++ b/js/src/jit/MoveResolver.cpp
@@ -106,12 +106,111 @@ MoveResolver::findCycledMove(PendingMoveIterator* iter, PendingMoveIterator end,
return nullptr;
}
+#ifdef JS_CODEGEN_ARM
+static inline bool
+MoveIsDouble(const MoveOperand& move)
+{
+ if (!move.isFloatReg())
+ return false;
+ return move.floatReg().isDouble();
+}
+#endif
+
+#ifdef JS_CODEGEN_ARM
+static inline bool
+MoveIsSingle(const MoveOperand& move)
+{
+ if (!move.isFloatReg())
+ return false;
+ return move.floatReg().isSingle();
+}
+#endif
+
+#ifdef JS_CODEGEN_ARM
+bool
+MoveResolver::isDoubleAliasedAsSingle(const MoveOperand& move)
+{
+ if (!MoveIsDouble(move))
+ return false;
+
+ for (auto iter = pending_.begin(); iter != pending_.end(); ++iter) {
+ PendingMove* other = *iter;
+ if (other->from().aliases(move) && MoveIsSingle(other->from()))
+ return true;
+ if (other->to().aliases(move) && MoveIsSingle(other->to()))
+ return true;
+ }
+ return false;
+}
+#endif
+
+#ifdef JS_CODEGEN_ARM
+static MoveOperand
+SplitIntoLowerHalf(const MoveOperand& move)
+{
+ if (MoveIsDouble(move)) {
+ FloatRegister lowerSingle = move.floatReg().asSingle();
+ return MoveOperand(lowerSingle);
+ }
+
+ MOZ_ASSERT(move.isMemoryOrEffectiveAddress());
+ return move;
+}
+#endif
+
+#ifdef JS_CODEGEN_ARM
+static MoveOperand
+SplitIntoUpperHalf(const MoveOperand& move)
+{
+ if (MoveIsDouble(move)) {
+ FloatRegister lowerSingle = move.floatReg().asSingle();
+ FloatRegister upperSingle = VFPRegister(lowerSingle.code() + 1, VFPRegister::Single);
+ return MoveOperand(upperSingle);
+ }
+
+ MOZ_ASSERT(move.isMemoryOrEffectiveAddress());
+ return MoveOperand(move.base(), move.disp() + sizeof(float));
+}
+#endif
+
bool
MoveResolver::resolve()
{
resetState();
orderedMoves_.clear();
+#ifdef JS_CODEGEN_ARM
+ // Some of ARM's double registers alias two of its single registers,
+ // but the algorithm below assumes that every register can participate
+ // in at most one cycle. To satisfy the algorithm, any double registers
+ // that may conflict are split into their single-register halves.
+ //
+ // This logic is only applicable because ARM only uses registers d0-d15,
+ // all of which alias s0-s31. Double registers d16-d31 are unused.
+ // Therefore there is never a double move that cannot be split.
+ // If this changes in the future, the algorithm will have to be fixed.
+ for (auto iter = pending_.begin(); iter != pending_.end(); ++iter) {
+ PendingMove* pm = *iter;
+
+ if (isDoubleAliasedAsSingle(pm->from()) || isDoubleAliasedAsSingle(pm->to())) {
+ PendingMove* lower = movePool_.allocate();
+ if (!lower)
+ return false;
+
+ // Insert the new node before the current position to not affect iteration.
+ MoveOperand fromLower = SplitIntoLowerHalf(pm->from());
+ MoveOperand toLower = SplitIntoLowerHalf(pm->to());
+ new (lower) PendingMove(fromLower, toLower, MoveOp::FLOAT32);
+ pending_.insertBefore(pm, lower);
+
+ // Overwrite pm in place for the upper move. Iteration proceeds as normal.
+ MoveOperand fromUpper = SplitIntoUpperHalf(pm->from());
+ MoveOperand toUpper = SplitIntoUpperHalf(pm->to());
+ pm->overwrite(fromUpper, toUpper, MoveOp::FLOAT32);
+ }
+ }
+#endif
+
InlineList<PendingMove> stack;
// This is a depth-first-search without recursion, which tries to find
diff --git a/js/src/jit/MoveResolver.h b/js/src/jit/MoveResolver.h
index fad2ba9e3..db045cfcf 100644
--- a/js/src/jit/MoveResolver.h
+++ b/js/src/jit/MoveResolver.h
@@ -252,6 +252,13 @@ class MoveOp
bool aliases(const MoveOp& other) const {
return aliases(other.from()) || aliases(other.to());
}
+#ifdef JS_CODEGEN_ARM
+ void overwrite(MoveOperand& from, MoveOperand& to, Type type) {
+ from_ = from;
+ to_ = to;
+ type_ = type;
+ }
+#endif
};
class MoveResolver
@@ -299,6 +306,10 @@ class MoveResolver
// Internal reset function. Does not clear lists.
void resetState();
+#ifdef JS_CODEGEN_ARM
+ bool isDoubleAliasedAsSingle(const MoveOperand& move);
+#endif
+
public:
MoveResolver();
diff --git a/js/src/jsapi-tests/testJitMoveEmitterCycles.cpp b/js/src/jsapi-tests/testJitMoveEmitterCycles.cpp
index 416587293..c1c2baddd 100644
--- a/js/src/jsapi-tests/testJitMoveEmitterCycles.cpp
+++ b/js/src/jsapi-tests/testJitMoveEmitterCycles.cpp
@@ -6,6 +6,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#if defined(JS_SIMULATOR_ARM)
+
#include "jit/arm/Assembler-arm.h"
#include "jit/arm/MoveEmitter-arm.h"
#include "jit/arm/Simulator-arm.h"
@@ -528,5 +529,96 @@ BEGIN_TEST(testJitMoveEmitterCycles_autogen3)
return true;
}
END_TEST(testJitMoveEmitterCycles_autogen3)
+BEGIN_TEST(testJitMoveEmitterCycles_bug1299147_1)
+{
+ using namespace js;
+ using namespace js::jit;
+ LifoAlloc lifo(LIFO_ALLOC_PRIMARY_CHUNK_SIZE);
+ TempAllocator alloc(&lifo);
+ JitContext jc(cx, &alloc);
+ cx->runtime()->getJitRuntime(cx);
+ MacroAssembler masm;
+ MoveEmitter mover(masm);
+ MoveResolver mr;
+ mr.setAllocator(alloc);
+ Simulator* sim = Simulator::Current();
+ // S2 -> S0
+ // S2 -> S6
+ // S3 -> S1
+ // S3 -> S7
+ // D0 -> D1
+ // D0 -> D2
+ TRY(mr.addMove(MoveOperand(s2), MoveOperand(s0), MoveOp::FLOAT32));
+ TRY(mr.addMove(MoveOperand(s2), MoveOperand(s6), MoveOp::FLOAT32));
+ sim->set_s_register_from_float(2, 2);
+ TRY(mr.addMove(MoveOperand(s3), MoveOperand(s1), MoveOp::FLOAT32));
+ TRY(mr.addMove(MoveOperand(s3), MoveOperand(s7), MoveOp::FLOAT32));
+ sim->set_s_register_from_float(3, 4);
+ TRY(mr.addMove(MoveOperand(d0), MoveOperand(d1), MoveOp::FLOAT32));
+ TRY(mr.addMove(MoveOperand(d0), MoveOperand(d2), MoveOp::FLOAT32));
+ sim->set_d_register_from_double(0, 1);
+ // don't explode!
+ TRY(mr.resolve());
+ mover.emit(mr);
+ mover.finish();
+ masm.abiret();
+ JitCode* code = linkAndAllocate(cx, &masm);
+ sim->call(code->raw(), 1, 1);
+ float f;
+ double d;
+ sim->get_double_from_d_register(1, &d);
+ CHECK(d == 1);
+ sim->get_double_from_d_register(2, &d);
+ CHECK(d == 1);
+ sim->get_float_from_s_register(0, &f);
+ CHECK(int(f) == 2);
+ sim->get_float_from_s_register(6, &f);
+ CHECK(int(f) == 2);
+ sim->get_float_from_s_register(1, &f);
+ CHECK(int(f) == 4);
+ sim->get_float_from_s_register(7, &f);
+ CHECK(int(f) == 4);
+ return true;
+}
+END_TEST(testJitMoveEmitterCycles_bug1299147_1)
+BEGIN_TEST(testJitMoveEmitterCycles_bug1299147)
+{
+ using namespace js;
+ using namespace js::jit;
+ LifoAlloc lifo(LIFO_ALLOC_PRIMARY_CHUNK_SIZE);
+ TempAllocator alloc(&lifo);
+ JitContext jc(cx, &alloc);
+ cx->runtime()->getJitRuntime(cx);
+ MacroAssembler masm;
+ MoveEmitter mover(masm);
+ MoveResolver mr;
+ mr.setAllocator(alloc);
+ Simulator* sim = Simulator::Current();
+ // S2 -> S5
+ // S2 -> S6
+ // D0 -> D1
+ TRY(mr.addMove(MoveOperand(s2), MoveOperand(s5), MoveOp::FLOAT32));
+ TRY(mr.addMove(MoveOperand(s2), MoveOperand(s6), MoveOp::FLOAT32));
+ sim->set_s_register_from_float(2, 2);
+ TRY(mr.addMove(MoveOperand(d0), MoveOperand(d1), MoveOp::FLOAT32));
+ sim->set_d_register_from_double(0, 1);
+ // don't explode!
+ TRY(mr.resolve());
+ mover.emit(mr);
+ mover.finish();
+ masm.abiret();
+ JitCode* code = linkAndAllocate(cx, &masm);
+ sim->call(code->raw(), 1, 1);
+ float f;
+ double d;
+ sim->get_double_from_d_register(1, &d);
+ CHECK(d == 1);
+ sim->get_float_from_s_register(5, &f);
+ CHECK(int(f) == 2);
+ sim->get_float_from_s_register(6, &f);
+ CHECK(int(f) == 2);
+ return true;
+}
+END_TEST(testJitMoveEmitterCycles_bug1299147)
-#endif
+#endif // JS_SIMULATOR_ARM