aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-03-21 12:22:31 -0400
committerLeo Famulari <leo@famulari.name>2016-03-21 12:22:31 -0400
commit09ec508a4c14d1bc09622d98f796548d79ab0552 (patch)
tree86cc5a2a67d35ad796bfa33d67869d670d65822e /gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch
parent2dbed47f5c09347c9af42c5f5bacfccbc1ab4aff (diff)
parent71cafa0472a15f2234e24d3c6d8019ebb38685b0 (diff)
downloadguix-09ec508a4c14d1bc09622d98f796548d79ab0552.tar
guix-09ec508a4c14d1bc09622d98f796548d79ab0552.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch60
1 files changed, 60 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch b/gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch
new file mode 100644
index 0000000000..96b83c118c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch
@@ -0,0 +1,60 @@
+Copied from upstream:
+https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/2839062f84fb
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1455119320 -3600
+# Node ID 2839062f84fb6cba2781ea8d59150f13d4813ddc
+# Parent 185b233ea03f3811404e3979b65ec86b29d13555
+Bug 1242279 - r=bhackett1024 a=sylvestre
+
+diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
+--- a/js/src/vm/TypeInference.cpp
++++ b/js/src/vm/TypeInference.cpp
+@@ -3961,16 +3961,22 @@ JSScript::maybeSweepTypes(AutoClearTypeI
+
+ unsigned num = TypeScript::NumTypeSets(this);
+ StackTypeSet* typeArray = types_->typeArray();
+
+ // Remove constraints and references to dead objects from stack type sets.
+ for (unsigned i = 0; i < num; i++)
+ typeArray[i].sweep(zone(), *oom);
+
++ if (oom->hadOOM()) {
++ // It's possible we OOM'd while copying freeze constraints, so they
++ // need to be regenerated.
++ hasFreezeConstraints_ = false;
++ }
++
+ // Update the recompile indexes in any IonScripts still on the script.
+ if (hasIonScript())
+ ionScript()->recompileInfoRef().shouldSweep(types);
+ }
+
+ void
+ TypeScript::destroy()
+ {
+diff --git a/js/src/vm/TypeInference.h b/js/src/vm/TypeInference.h
+--- a/js/src/vm/TypeInference.h
++++ b/js/src/vm/TypeInference.h
+@@ -566,16 +566,19 @@ class AutoClearTypeInferenceStateOnOOM
+ : zone(zone), oom(false)
+ {}
+
+ ~AutoClearTypeInferenceStateOnOOM();
+
+ void setOOM() {
+ oom = true;
+ }
++ bool hadOOM() const {
++ return oom;
++ }
+ };
+
+ /* Superclass common to stack and heap type sets. */
+ class ConstraintTypeSet : public TypeSet
+ {
+ public:
+ /* Chain of constraints which propagate changes out from this type set. */
+ TypeConstraint* constraintList;
+