1 files changed, 189 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
new file mode 100644
index 0000000000..e87b95f729
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
@@ -0,0 +1,189 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f31d643afd41
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233925
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1452110721 -3600
+# Node ID f31d643afd4159b5422ae5aebcbbea0a088e018e
+# Parent  4444e94a99cb9b00c0351cc8bf5459739cc036a5
+Bug 1233925 - Treat functions with rest more like functions with lazy arguments. r=nbp a=ritu
+
+diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
+--- a/js/src/jit/BacktrackingAllocator.cpp
++++ b/js/src/jit/BacktrackingAllocator.cpp
+@@ -201,20 +201,19 @@ BacktrackingAllocator::tryGroupRegisters
+     // constructor calling convention.
+     if (IsThisSlotDefinition(reg0->def()) || IsThisSlotDefinition(reg1->def())) {
+         if (*reg0->def()->output() != *reg1->def()->output())
+             return true;
+     }
+ 
+     // Registers which might spill to the frame's argument slots can only be
+     // grouped with other such registers if the frame might access those
+-    // arguments through a lazy arguments object.
++    // arguments through a lazy arguments object or rest parameter.
+     if (IsArgumentSlotDefinition(reg0->def()) || IsArgumentSlotDefinition(reg1->def())) {
+-        JSScript* script = graph.mir().entryBlock()->info().script();
+-        if (script && script->argumentsAliasesFormals()) {
++        if (graph.mir().entryBlock()->info().mayReadFrameArgsDirectly()) {
+             if (*reg0->def()->output() != *reg1->def()->output())
+                 return true;
+         }
+     }
+ 
+     VirtualRegisterGroup* group0 = reg0->group(), *group1 = reg1->group();
+ 
+     if (!group0 && group1)
+diff --git a/js/src/jit/CompileInfo.h b/js/src/jit/CompileInfo.h
+--- a/js/src/jit/CompileInfo.h
++++ b/js/src/jit/CompileInfo.h
+@@ -194,16 +194,17 @@ enum AnalysisMode {
+ class CompileInfo
+ {
+   public:
+     CompileInfo(JSScript* script, JSFunction* fun, jsbytecode* osrPc, bool constructing,
+                 AnalysisMode analysisMode, bool scriptNeedsArgsObj,
+                 InlineScriptTree* inlineScriptTree)
+       : script_(script), fun_(fun), osrPc_(osrPc), constructing_(constructing),
+         analysisMode_(analysisMode), scriptNeedsArgsObj_(scriptNeedsArgsObj),
++        mayReadFrameArgsDirectly_(script->mayReadFrameArgsDirectly()),
+         inlineScriptTree_(inlineScriptTree)
+     {
+         MOZ_ASSERT_IF(osrPc, JSOp(*osrPc) == JSOP_LOOPENTRY);
+ 
+         // The function here can flow in from anywhere so look up the canonical
+         // function to ensure that we do not try to embed a nursery pointer in
+         // jit-code. Precisely because it can flow in from anywhere, it's not
+         // guaranteed to be non-lazy. Hence, don't access its script!
+@@ -222,17 +223,17 @@ class CompileInfo
+         fixedLexicalBegin_ = script->fixedLexicalBegin();
+         nstack_ = script->nslots() - script->nfixed();
+         nslots_ = nimplicit_ + nargs_ + nlocals_ + nstack_;
+     }
+ 
+     explicit CompileInfo(unsigned nlocals)
+       : script_(nullptr), fun_(nullptr), osrPc_(nullptr), osrStaticScope_(nullptr),
+         constructing_(false), analysisMode_(Analysis_None), scriptNeedsArgsObj_(false),
+-        inlineScriptTree_(nullptr)
++        mayReadFrameArgsDirectly_(false), inlineScriptTree_(nullptr)
+     {
+         nimplicit_ = 0;
+         nargs_ = 0;
+         nbodyfixed_ = 0;
+         nlocals_ = nlocals;
+         nstack_ = 1;  /* For FunctionCompiler::pushPhiInput/popPhiOutput */
+         nslots_ = nlocals_ + nstack_;
+         fixedLexicalBegin_ = nlocals;
+@@ -539,16 +540,20 @@ class CompileInfo
+             return false;
+ 
+         if (needsArgsObj() && isObservableArgumentSlot(slot))
+             return false;
+ 
+         return true;
+     }
+ 
++    bool mayReadFrameArgsDirectly() const {
++        return mayReadFrameArgsDirectly_;
++    }
++
+   private:
+     unsigned nimplicit_;
+     unsigned nargs_;
+     unsigned nbodyfixed_;
+     unsigned nlocals_;
+     unsigned nstack_;
+     unsigned nslots_;
+     unsigned fixedLexicalBegin_;
+@@ -559,15 +564,17 @@ class CompileInfo
+     bool constructing_;
+     AnalysisMode analysisMode_;
+ 
+     // Whether a script needs an arguments object is unstable over compilation
+     // since the arguments optimization could be marked as failed on the main
+     // thread, so cache a value here and use it throughout for consistency.
+     bool scriptNeedsArgsObj_;
+ 
++    bool mayReadFrameArgsDirectly_;
++
+     InlineScriptTree* inlineScriptTree_;
+ };
+ 
+ } // namespace jit
+ } // namespace js
+ 
+ #endif /* jit_CompileInfo_h */
+diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
+--- a/js/src/jit/JitFrames.cpp
++++ b/js/src/jit/JitFrames.cpp
+@@ -1002,17 +1002,17 @@ MarkThisAndArguments(JSTracer* trc, JitF
+     // formal arguments is taken care of by the frame's safepoint/snapshot,
+     // except when the script's lazy arguments object aliases those formals,
+     // in which case we mark them as well.
+ 
+     size_t nargs = layout->numActualArgs();
+     size_t nformals = 0;
+     if (CalleeTokenIsFunction(layout->calleeToken())) {
+         JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+-        nformals = fun->nonLazyScript()->argumentsAliasesFormals() ? 0 : fun->nargs();
++        nformals = fun->nonLazyScript()->mayReadFrameArgsDirectly() ? 0 : fun->nargs();
+     }
+ 
+     Value* argv = layout->argv();
+ 
+     // Trace |this|.
+     gc::MarkValueRoot(trc, argv, "ion-thisv");
+ 
+     // Trace actual arguments beyond the formals. Note + 1 for thisv.
+diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
+--- a/js/src/jsscript.cpp
++++ b/js/src/jsscript.cpp
+@@ -3894,16 +3894,22 @@ JSScript::hasLoops()
+     JSTryNote* tnlimit = tn + trynotes()->length;
+     for (; tn < tnlimit; tn++) {
+         if (tn->kind == JSTRY_FOR_IN || tn->kind == JSTRY_LOOP)
+             return true;
+     }
+     return false;
+ }
+ 
++bool
++JSScript::mayReadFrameArgsDirectly()
++{
++    return argumentsHasVarBinding() || (function_ && function_->hasRest());
++}
++
+ static inline void
+ LazyScriptHash(uint32_t lineno, uint32_t column, uint32_t begin, uint32_t end,
+                HashNumber hashes[3])
+ {
+     HashNumber hash = lineno;
+     hash = RotateLeft(hash, 4) ^ column;
+     hash = RotateLeft(hash, 4) ^ begin;
+     hash = RotateLeft(hash, 4) ^ end;
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -1397,16 +1397,20 @@ class JSScript : public js::gc::TenuredC
+     }
+     inline void setFunction(JSFunction* fun);
+     /*
+      * De-lazifies the canonical function. Must be called before entering code
+      * that expects the function to be non-lazy.
+      */
+     inline void ensureNonLazyCanonicalFunction(JSContext* cx);
+ 
++    // Returns true if the script may read formal arguments on the stack
++    // directly, via lazy arguments or a rest parameter.
++    bool mayReadFrameArgsDirectly();
++
+     JSFlatString* sourceData(JSContext* cx);
+ 
+     static bool loadSource(JSContext* cx, js::ScriptSource* ss, bool* worked);
+ 
+     void setSourceObject(JSObject* object);
+     JSObject* sourceObject() const {
+         return sourceObject_;
+     }
+