Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch | 93 |
1 files changed, 0 insertions, 93 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
deleted file mode 100644
index 042188ee9c..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 182bcb255e28b536e2d2a1208fde3324a994dbc1 Mon Sep 17 00:00:00 2001
-From: Benjamin Bouvier <benj@benj.me>
-Date: Tue, 13 Oct 2015 19:22:47 +0200
-Subject: [PATCH] Bug 1107011: Propagate recovered on bailout flags when
- converting float32 to doubles; r=nbp, a=ritu, a=abillings
-
---HG--
-extra : commitid : 51QGWZ84Mqx
-extra : amend_source : 48bf9cd43b37c95d61dd4d11b184c307e84a56b5
-extra : histedit_source : ae510534e698e680103f508e0029d75f03f4e6e0%2C1d8eb51e63dd3a52898892976f50747cc3907e65
----
- js/src/jit-test/tests/ion/bug1107011-1.js | 17 +++++++++++++++++
- js/src/jit-test/tests/ion/bug1107011-2.js | 12 ++++++++++++
- js/src/jit/TypePolicy.cpp | 2 ++
- js/src/jit/ValueNumbering.cpp | 6 ++++++
- 4 files changed, 37 insertions(+)
- create mode 100644 js/src/jit-test/tests/ion/bug1107011-1.js
- create mode 100644 js/src/jit-test/tests/ion/bug1107011-2.js
-
-diff --git a/js/src/jit-test/tests/ion/bug1107011-1.js b/js/src/jit-test/tests/ion/bug1107011-1.js
-new file mode 100644
-index 0000000..458d7dd
---- /dev/null
-+++ b/js/src/jit-test/tests/ion/bug1107011-1.js
-@@ -0,0 +1,17 @@
-+var f32 = new Float32Array(32);
-+function f(n) {
-+ var x;
-+ if (n > 10000) {
-+ x = 4.5;
-+ } else {
-+ x = f32[0];
-+ }
-+ f32[0] = (function() {
-+ for(var f=0;f<4;++f) {
-+ x=1;
-+ }
-+ })() < x;
-+}
-+for (var n = 0; n < 100; n++)
-+ f(n);
-+
-diff --git a/js/src/jit-test/tests/ion/bug1107011-2.js b/js/src/jit-test/tests/ion/bug1107011-2.js
-new file mode 100644
-index 0000000..d59685e
---- /dev/null
-+++ b/js/src/jit-test/tests/ion/bug1107011-2.js
-@@ -0,0 +1,12 @@
-+function foo() {
-+ var x = 0, y = 0, a = new Float32Array(1);
-+ function bar() {
-+ x = y;
-+ y = a[0];
-+ }
-+ for (var i = 0; i < 1000; i++) {
-+ bar();
-+ }
-+}
-+for (var i=0; i < 50; i++)
-+ foo();
-diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp
-index 4cea638..2510d50 100644
---- a/js/src/jit/TypePolicy.cpp
-+++ b/js/src/jit/TypePolicy.cpp
-@@ -22,6 +22,8 @@ 
EnsureOperandNotFloat32(TempAllocator& alloc, MInstruction* def, unsigned op)
- if (in->type() == MIRType_Float32) {
- MToDouble* replace = MToDouble::New(alloc, in);
- def->block()->insertBefore(def, replace);
-+ if (def->isRecoveredOnBailout())
-+ replace->setRecoveredOnBailout();
- def->replaceOperand(op, replace);
- }
- }
-diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
-index da3e692..eb367e1 100644
---- a/js/src/jit/ValueNumbering.cpp
-+++ b/js/src/jit/ValueNumbering.cpp
-@@ -726,6 +726,12 @@ ValueNumberer::visitDefinition(MDefinition* def)
- return true;
- }
-
-+ // Skip optimizations on instructions which are recovered on bailout, to
-+ // avoid mixing instructions which are recovered on bailouts with
-+ // instructions which are not.
-+ if (def->isRecoveredOnBailout())
-+ return true;
-+
- // If this instruction has a dependency() into an unreachable block, we'll
- // need to update AliasAnalysis.
- MInstruction* dep = def->dependency();
---
-2.5.0
- |