
bug1916581.js (2294B)


      /**
       * Sink for the values loaded in the test loops below: f1 and f2 pass their
       * results here so that every load has a use.
       *
       * Declares no parameters and ignores whatever arguments it is given. The
       * body is an empty `with` statement over a fresh object literal and has no
       * observable effect.
       *
       * NOTE(review): in SpiderMonkey jit-tests an empty `with` is commonly used
       * to keep a helper from being Ion-compiled or inlined, so that calls to it
       * stay opaque to the optimizer -- presumably the intent here; confirm.
       * `with` is a syntax error in strict mode, so this file must stay sloppy.
       */
      function blackhole() {
        with ({});
      }
      4 
      5 // Atomics.load emits:
      6 //   arraybufferviewelements = MArrayBufferViewElements(typedarray)
      7 //   int64 = MLoadUnboxedScalar(arraybufferviewelements, index)
      8 //   bigint = MInt64ToBigInt(int64)
      9 //   <resume-after MInt64ToBigInt>
     10 //
     11 // TypedArray access with out-of-bounds support emits:
     12 //   arraybufferviewelements = MArrayBufferViewElements(typedarray)
     13 //   value = MLoadTypedArrayElementHole(arraybufferviewelements, index)
     14 //
     15 // Both instructions use MArrayBufferViewElements, so instruction reordering
     16 // may move MLoadTypedArrayElementHole to shorten the lifetime of
     17 // MArrayBufferViewElements. But instruction reordering must not reorder
     18 // MInt64ToBigInt to happen after MLoadTypedArrayElementHole, because
     19 // MLoadTypedArrayElementHole uses a safe point and we require that all
     20 // instructions captured by a resume point are lowered before encoding the
     21 // safe point.
     22 //
     23 // BAD:
     24 //   arraybufferviewelements = MArrayBufferViewElements(typedarray)
     25 //   int64 = MLoadUnboxedScalar(arraybufferviewelements, index)
     26 //   value = MLoadTypedArrayElementHole(arraybufferviewelements, index)
     27 //   bigint = MInt64ToBigInt(int64)
     28 //
     29 // GOOD:
     30 //   arraybufferviewelements = MArrayBufferViewElements(typedarray)
     31 //   int64 = MLoadUnboxedScalar(arraybufferviewelements, index)
     32 //   bigint = MInt64ToBigInt(int64)
     33 //   value = MLoadTypedArrayElementHole(arraybufferviewelements, index)
     34 
     /**
      * First case: an Atomics.load on a BigInt64Array followed by an element
      * read at a constant index that is always out of bounds.
      *
      * Nothing is asserted or returned; the two loaded values are only handed to
      * blackhole().
      * NOTE(review): the case presumably passes when the engine compiles and runs
      * the loop without crashing or tripping an internal assertion -- confirm
      * against the harness.
      */
     function f1() {
       // One element, so 0 is the only in-bounds index.
       const i64 = new BigInt64Array(1);

       // NOTE(review): 100 iterations is presumably enough to reach the
       // optimizing compiler under the harness settings -- confirm.
       for (let i = 0; i < 100; i++) {
         // Atomics.load has a resume point and MInt64ToBigInt.
         let x = Atomics.load(i64, 0);

         // MLoadTypedArrayElementHole with always out-of-bounds index.
         // MLoadTypedArrayElementHole has a safe point.
         // Index 2 is past the single element; per JS semantics the read yields
         // undefined rather than throwing.
         let y = i64[2];

         // Use both results so neither load is dead.
         blackhole(x, y);
       }
     }
     // Run the case once at load time.
     f1();
     50 
     /**
      * Second case: the same Atomics.load / element-read pair, but with a
      * loop-dependent index that is only sometimes out of bounds.
      *
      * Nothing is asserted or returned; the three loaded values are only handed
      * to blackhole().
      * NOTE(review): the case presumably passes when the engine compiles and runs
      * the loop without crashing or tripping an internal assertion -- confirm
      * against the harness.
      */
     function f2() {
       // One element, so 0 is the only in-bounds index.
       const i64 = new BigInt64Array(1);

       // NOTE(review): 100 iterations is presumably enough to reach the
       // optimizing compiler under the harness settings -- confirm.
       for (let i = 0; i < 100; i++) {
         // j cycles through 0..3: in bounds when 0, out of bounds when 1, 2 or 3.
         let j = i & 3;

         // Add another use for |j|, so |y| doesn't add an MInt32ToIntPtr node
         // which can prevent instruction reordering.
         let z = i64[j];

         // Atomics.load has a resume point and MInt64ToBigInt.
         let x = Atomics.load(i64, 0);

         // MLoadTypedArrayElementHole with maybe out-of-bounds index.
         // MLoadTypedArrayElementHole has a safe point.
         let y = i64[j];

         // Use all three results so none of the loads is dead.
         blackhole(x, y, z);
       }
     }
     // Run the case once at load time.
     f2();