Merged: [wasm] Avoid js-typed-lowering optimization for wasm Memory o…

…bjects Revision: 82503e9 BUG=chromium:717194 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=bradnelson@chromium.org Change-Id: Iddb18b3933f53839ee08b56a7873668a2610dda1 Reviewed-on: https://chromium-review.googlesource.com/501467 Commit-Queue: Brad Nelson <bradnelson@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Cr-Commit-Position: refs/branch-heads/5.9@{#39} Cr-Branched-From: fe9bb7e-refs/heads/5.9.211@{#1} Cr-Branched-From: 70ad237-refs/heads/master@{#44591}
v8 · May 10, 2017 · 45ebdd3 · 45ebdd3
1 parent ec88bd2
commit 45ebdd3
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 2 deletions.
diff --git a/src/compiler/js-typed-lowering.cc b/src/compiler/js-typed-lowering.cc
@@ -1205,7 +1205,8 @@ Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) {
   if (mbase.HasValue() && mbase.Value()->IsJSTypedArray()) {
     Handle<JSTypedArray> const array =
         Handle<JSTypedArray>::cast(mbase.Value());
-    if (!array->GetBuffer()->was_neutered()) {
+    if (!array->GetBuffer()->was_neutered() &&
+        !array->GetBuffer()->is_wasm_buffer()) {
       array->GetBuffer()->set_is_neuterable(false);
       BufferAccess const access(array->type());
       size_t const k =
@@ -1257,7 +1258,8 @@ Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) {
   if (mbase.HasValue() && mbase.Value()->IsJSTypedArray()) {
     Handle<JSTypedArray> const array =
         Handle<JSTypedArray>::cast(mbase.Value());
-    if (!array->GetBuffer()->was_neutered()) {
+    if (!array->GetBuffer()->was_neutered() &&
+        !array->GetBuffer()->is_wasm_buffer()) {
       array->GetBuffer()->set_is_neuterable(false);
       BufferAccess const access(array->type());
       size_t const k =

diff --git a/src/objects-inl.h b/src/objects-inl.h
@@ -6881,6 +6881,14 @@ void JSArrayBuffer::set_has_guard_region(bool value) {
   set_bit_field(HasGuardRegion::update(bit_field(), value));
 }
 
+bool JSArrayBuffer::is_wasm_buffer() {
+  return IsWasmBuffer::decode(bit_field());
+}
+
+void JSArrayBuffer::set_is_wasm_buffer(bool value) {
+  set_bit_field(IsWasmBuffer::update(bit_field(), value));
+}
+
 Object* JSArrayBufferView::byte_offset() const {
   if (WasNeutered()) return Smi::kZero;
   return Object::cast(READ_FIELD(this, kByteOffsetOffset));

diff --git a/src/objects.h b/src/objects.h
@@ -9364,6 +9364,11 @@ class JSArrayBuffer: public JSObject {
   inline bool has_guard_region();
   inline void set_has_guard_region(bool value);
 
+  // TODO(gdeepti): This flag is introduced to disable asm.js optimizations in
+  // js-typer-lowering.cc, remove when the asm.js case is fixed.
+  inline bool is_wasm_buffer();
+  inline void set_is_wasm_buffer(bool value);
+
   DECLARE_CAST(JSArrayBuffer)
 
   void Neuter();
@@ -9406,6 +9411,7 @@ class JSArrayBuffer: public JSObject {
   class WasNeutered : public BitField<bool, 3, 1> {};
   class IsShared : public BitField<bool, 4, 1> {};
   class HasGuardRegion : public BitField<bool, 5, 1> {};
+  class IsWasmBuffer : public BitField<bool, 6, 1> {};
 
  private:
   DISALLOW_IMPLICIT_CONSTRUCTORS(JSArrayBuffer);

diff --git a/src/wasm/wasm-module.cc b/src/wasm/wasm-module.cc
@@ -817,6 +817,7 @@ Handle<JSArrayBuffer> wasm::SetupArrayBuffer(Isolate* isolate,
   JSArrayBuffer::Setup(buffer, isolate, is_external, backing_store,
                        static_cast<int>(size));
   buffer->set_is_neuterable(false);
+  buffer->set_is_wasm_buffer(true);
   buffer->set_has_guard_region(enable_guard_regions);
 
   if (is_external) {
@@ -1224,6 +1225,7 @@ class InstantiationHelper {
     if (!memory_.is_null()) {
       // Set externally passed ArrayBuffer non neuterable.
       memory_->set_is_neuterable(false);
+      memory_->set_is_wasm_buffer(true);
 
       DCHECK_IMPLIES(EnableGuardRegions(),
                      module_->is_asm_js() || memory_->has_guard_region());

diff --git a/test/mjsunit/regress/wasm/regression-717194.js b/test/mjsunit/regress/wasm/regression-717194.js
@@ -0,0 +1,30 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+PAGE_SIZE = 0x10000;
+PAGES = 10;
+
+memory = new WebAssembly.Memory({initial: PAGES});
+buffer = memory.buffer;
+
+var func = (function (stdlib, env, heap) {
+    "use asm";
+
+    var array = new stdlib.Int32Array(heap);
+
+    return function () {
+        array[0] = 0x41424344;
+        array[1] = 0x45464748;
+    }
+}({Int32Array: Int32Array}, {}, buffer));
+
+for (var i = 0; i < 1000; ++i)
+    func();
+
+memory.grow(1);
+
+func();
+
+for(var i = 0; i < 2; ++i)
+    new ArrayBuffer(PAGE_SIZE * PAGES);