fix bugs with const access on x86

lib/Backend/Lower.cpp

@@ -8337,7 +8337,7 @@ Lowerer::LowerLdArrViewElem(IR::Instr * instr)
     IR::Opnd * src2 = instr->GetSrc2();
 
     IR::Instr * done;
-    if (indexOpnd || (uint32)src1->AsIndirOpnd()->GetOffset() >= 0x1000000)
+    if (indexOpnd || m_func->GetJnFunction()->GetAsmJsFunctionInfo()->AccessNeedsBoundCheck((uint32)src1->AsIndirOpnd()->GetOffset()))
     {
         // CMP indexOpnd, src2(arrSize)
         // JA $helper
@@ -8355,7 +8355,7 @@ Lowerer::LowerLdArrViewElem(IR::Instr * instr)
     }
     else
     {
-        // any access below 0x1000000 is safe
+        // any access below 0x10000 is safe
         instr->UnlinkDst();
         instr->UnlinkSrc1();
         if (src2)
@@ -8533,7 +8533,7 @@ Lowerer::LowerStArrViewElem(IR::Instr * instr)
     Assert(!dst->IsFloat64() || src1->IsFloat64());
 
     IR::Instr * done;
-    if (indexOpnd || (uint32)dst->AsIndirOpnd()->GetOffset() >= 0x1000000)
+    if (indexOpnd || m_func->GetJnFunction()->GetAsmJsFunctionInfo()->AccessNeedsBoundCheck((uint32)dst->AsIndirOpnd()->GetOffset()))
     {
         // CMP indexOpnd, src2(arrSize)
         // JA $helper
@@ -8548,7 +8548,7 @@ Lowerer::LowerStArrViewElem(IR::Instr * instr)
     }
     else
     {
-        // any constant access below 0x1000000 is safe, as that is the min heap size
+        // any constant access below 0x10000 is safe, as that is the min heap size
         instr->UnlinkDst();
         instr->UnlinkSrc1();
         done = instr;

lib/Backend/i386/LowererMDArch.cpp

@@ -916,15 +916,6 @@ LowererMDArch::LowerAsmJsLdElemHelper(IR::Instr * instr, bool isSimdLoad /*= fal
 
     Lowerer::InsertBranch(Js::OpCode::Br, loadLabel, helperLabel);
 
-    if (m_func->GetJnFunction()->GetAsmJsFunctionInfo()->IsHeapBufferConst())
-    {
-        src1->AsIndirOpnd()->ReplaceBaseOpnd(src1->AsIndirOpnd()->UnlinkIndexOpnd());
-        Js::Var* module = (Js::Var*)m_func->m_workItem->GetEntryPoint()->GetModuleAddress();
-        Js::ArrayBuffer* arrayBuffer = *(Js::ArrayBuffer**)(module + Js::AsmJsModuleMemory::MemoryTableBeginOffset);
-        Assert(arrayBuffer);
-        src1->AsIndirOpnd()->SetOffset((uintptr)arrayBuffer->GetBuffer(), true);
-    }
-
     if (isSimdLoad)
     {
         lowererMD->m_lowerer->GenerateRuntimeError(loadLabel, JSERR_ArgumentOutOfRange, IR::HelperOp_RuntimeRangeError);
@@ -992,14 +983,6 @@ LowererMDArch::LowerAsmJsStElemHelper(IR::Instr * instr, bool isSimdStore /*= fa
 
     Lowerer::InsertBranch(Js::OpCode::Br, doneLabel, storeLabel);
 
-    if (m_func->GetJnFunction()->GetAsmJsFunctionInfo()->IsHeapBufferConst())
-    {
-        dst->AsIndirOpnd()->ReplaceBaseOpnd(dst->AsIndirOpnd()->UnlinkIndexOpnd());
-        Js::Var* module = (Js::Var*)m_func->m_workItem->GetEntryPoint()->GetModuleAddress();
-        Js::ArrayBuffer* arrayBuffer = *(Js::ArrayBuffer**)(module + Js::AsmJsModuleMemory::MemoryTableBeginOffset);
-        Assert(arrayBuffer);
-        dst->AsIndirOpnd()->SetOffset((uintptr)arrayBuffer->GetBuffer(), true);
-    }
     return doneLabel;
 }
 

lib/Runtime/Language/AsmJSTypes.h

@@ -1082,6 +1082,11 @@ namespace Js
             mArgType = val;
         }
 
+        inline bool AccessNeedsBoundCheck(uint offset) const
+        {
+            // Normally, heap has min size of 0x10000, but if you use ChangeHeap, min heap size is increased to 0x1000000
+            return offset >= 0x1000000 || (IsHeapBufferConst() && offset >= 0x10000);
+        }
 
     };
 

test/AsmJs/constloads.baseline

@@ -0,0 +1,3 @@
+Successfully compiled asm.js code
+Successfully compiled asm.js code
+Passed

test/AsmJs/constloads.js

@@ -0,0 +1,37 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var asmHeap = new ArrayBuffer(33554432);
+var m = (function(stdlib, foreign, heap) { 'use asm';
+  var Uint8ArrayView = new stdlib.Uint8Array(heap);
+  function f()
+  {
+    var i2 = 0;
+    (Uint8ArrayView[33554431]) = i2;
+    return 0;
+  }
+  return f; })(this, {}, asmHeap)
+
+m();
+m();
+
+var asmHeap = new ArrayBuffer(65536);
+var m = (function(stdlib, foreign, heap) { 'use asm';
+  var Uint8ArrayView = new stdlib.Uint8Array(heap);
+  function f(d0, i1)
+  {
+    d0 = +d0;
+    i1 = i1|0;
+    var i2 = 0;
+    i2 = 524288;
+    (Uint8ArrayView[i2 >> 0]) = i2;
+    return ;
+  }
+  return f; })(this, {}, asmHeap)
+
+m();
+m();
+
+WScript.Echo("Passed");

test/AsmJs/rlexe.xml

@@ -778,4 +778,11 @@
       <compile-flags>-testtrace:asmjs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>constloads.js</files>
+      <baseline>constloads.baseline</baseline>
+      <compile-flags>-testtrace:asmjs -maic:1</compile-flags>
+    </default>
+  </test>
 </regress-exe>