aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch93
1 files changed, 93 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
new file mode 100644
index 0000000000..042188ee9c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
@@ -0,0 +1,93 @@
+From 182bcb255e28b536e2d2a1208fde3324a994dbc1 Mon Sep 17 00:00:00 2001
+From: Benjamin Bouvier <benj@benj.me>
+Date: Tue, 13 Oct 2015 19:22:47 +0200
+Subject: [PATCH] Bug 1107011: Propagate recovered on bailout flags when
+ converting float32 to doubles; r=nbp, a=ritu, a=abillings
+
+--HG--
+extra : commitid : 51QGWZ84Mqx
+extra : amend_source : 48bf9cd43b37c95d61dd4d11b184c307e84a56b5
+extra : histedit_source : ae510534e698e680103f508e0029d75f03f4e6e0%2C1d8eb51e63dd3a52898892976f50747cc3907e65
+---
+ js/src/jit-test/tests/ion/bug1107011-1.js | 17 +++++++++++++++++
+ js/src/jit-test/tests/ion/bug1107011-2.js | 12 ++++++++++++
+ js/src/jit/TypePolicy.cpp | 2 ++
+ js/src/jit/ValueNumbering.cpp | 6 ++++++
+ 4 files changed, 37 insertions(+)
+ create mode 100644 js/src/jit-test/tests/ion/bug1107011-1.js
+ create mode 100644 js/src/jit-test/tests/ion/bug1107011-2.js
+
+diff --git a/js/src/jit-test/tests/ion/bug1107011-1.js b/js/src/jit-test/tests/ion/bug1107011-1.js
+new file mode 100644
+index 0000000..458d7dd
+--- /dev/null
++++ b/js/src/jit-test/tests/ion/bug1107011-1.js
+@@ -0,0 +1,17 @@
++var f32 = new Float32Array(32);
++function f(n) {
++ var x;
++ if (n > 10000) {
++ x = 4.5;
++ } else {
++ x = f32[0];
++ }
++ f32[0] = (function() {
++ for(var f=0;f<4;++f) {
++ x=1;
++ }
++ })() < x;
++}
++for (var n = 0; n < 100; n++)
++ f(n);
++
+diff --git a/js/src/jit-test/tests/ion/bug1107011-2.js b/js/src/jit-test/tests/ion/bug1107011-2.js
+new file mode 100644
+index 0000000..d59685e
+--- /dev/null
++++ b/js/src/jit-test/tests/ion/bug1107011-2.js
+@@ -0,0 +1,12 @@
++function foo() {
++ var x = 0, y = 0, a = new Float32Array(1);
++ function bar() {
++ x = y;
++ y = a[0];
++ }
++ for (var i = 0; i < 1000; i++) {
++ bar();
++ }
++}
++for (var i=0; i < 50; i++)
++ foo();
+diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp
+index 4cea638..2510d50 100644
+--- a/js/src/jit/TypePolicy.cpp
++++ b/js/src/jit/TypePolicy.cpp
+@@ -22,6 +22,8 @@ EnsureOperandNotFloat32(TempAllocator& alloc, MInstruction* def, unsigned op)
+ if (in->type() == MIRType_Float32) {
+ MToDouble* replace = MToDouble::New(alloc, in);
+ def->block()->insertBefore(def, replace);
++ if (def->isRecoveredOnBailout())
++ replace->setRecoveredOnBailout();
+ def->replaceOperand(op, replace);
+ }
+ }
+diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
+index da3e692..eb367e1 100644
+--- a/js/src/jit/ValueNumbering.cpp
++++ b/js/src/jit/ValueNumbering.cpp
+@@ -726,6 +726,12 @@ ValueNumberer::visitDefinition(MDefinition* def)
+ return true;
+ }
+
++ // Skip optimizations on instructions which are recovered on bailout, to
++ // avoid mixing instructions which are recovered on bailouts with
++ // instructions which are not.
++ if (def->isRecoveredOnBailout())
++ return true;
++
+ // If this instruction has a dependency() into an unreachable block, we'll
+ // need to update AliasAnalysis.
+ MInstruction* dep = def->dependency();
+--
+2.5.0
+
generated by cgit v1.2.3 (git 2.45.0) at 2025-01-04 22:13:37 +0000