guix-devel/gnu/packages/patches/icecat-CVE-2015-4513-pt07.p...


From 182bcb255e28b536e2d2a1208fde3324a994dbc1 Mon Sep 17 00:00:00 2001
From: Benjamin Bouvier <benj@benj.me>
Date: Tue, 13 Oct 2015 19:22:47 +0200
Subject: [PATCH] Bug 1107011: Propagate recovered on bailout flags when
converting float32 to doubles; r=nbp, a=ritu, a=abillings
--HG--
extra : commitid : 51QGWZ84Mqx
extra : amend_source : 48bf9cd43b37c95d61dd4d11b184c307e84a56b5
extra : histedit_source : ae510534e698e680103f508e0029d75f03f4e6e0%2C1d8eb51e63dd3a52898892976f50747cc3907e65
---
js/src/jit-test/tests/ion/bug1107011-1.js | 17 +++++++++++++++++
js/src/jit-test/tests/ion/bug1107011-2.js | 12 ++++++++++++
js/src/jit/TypePolicy.cpp | 2 ++
js/src/jit/ValueNumbering.cpp | 6 ++++++
4 files changed, 37 insertions(+)
create mode 100644 js/src/jit-test/tests/ion/bug1107011-1.js
create mode 100644 js/src/jit-test/tests/ion/bug1107011-2.js
diff --git a/js/src/jit-test/tests/ion/bug1107011-1.js b/js/src/jit-test/tests/ion/bug1107011-1.js
new file mode 100644
index 0000000..458d7dd
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1107011-1.js
@@ -0,0 +1,17 @@
+var f32 = new Float32Array(32);
+function f(n) {
+ var x;
+ if (n > 10000) {
+ x = 4.5;
+ } else {
+ x = f32[0];
+ }
+ f32[0] = (function() {
+ for(var f=0;f<4;++f) {
+ x=1;
+ }
+ })() < x;
+}
+for (var n = 0; n < 100; n++)
+ f(n);
+
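Review bot: Neither new jit-test says what it exercises; bug1107011-1.js opens with `var f32 = new Float32Array(32);` and nothing points the reader back to the defect. A one-line header such as `// Bug 1107011: a float32->double conversion inserted for an instruction that is recovered on bailout must inherit that flag; the test passes if Ion neither crashes nor asserts.` would make the intent readable, and the same applies to bug1107011-2.js. Both scripts assert nothing themselves, so presumably the harness treats a clean run as success — worth confirming against the jit-test conventions.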
diff --git a/js/src/jit-test/tests/ion/bug1107011-2.js b/js/src/jit-test/tests/ion/bug1107011-2.js
new file mode 100644
index 0000000..d59685e
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1107011-2.js
@@ -0,0 +1,12 @@
+function foo() {
+ var x = 0, y = 0, a = new Float32Array(1);
+ function bar() {
+ x = y;
+ y = a[0];
+ }
+ for (var i = 0; i < 1000; i++) {
+ bar();
+ }
+}
+for (var i=0; i < 50; i++)
+ foo();
diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp
index 4cea638..2510d50 100644
--- a/js/src/jit/TypePolicy.cpp
+++ b/js/src/jit/TypePolicy.cpp
@@ -22,6 +22,8 @@ EnsureOperandNotFloat32(TempAllocator& alloc, MInstruction* def, unsigned op)
if (in->type() == MIRType_Float32) {
MToDouble* replace = MToDouble::New(alloc, in);
def->block()->insertBefore(def, replace);
+ if (def->isRecoveredOnBailout())
+ replace->setRecoveredOnBailout();
def->replaceOperand(op, replace);
}
}
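Review bot: The two added lines propagate the flag without saying why, and a reader has to know about the ValueNumbering change to see the connection. I would add above the `if` on line 73: `// The conversion exists only to feed def; keep its recovered-on-bailout state in step with def so it is not treated as an emitted instruction (see ValueNumberer::visitDefinition).` — the second half is my reading and should be checked. EnsureOperandNotFloat32 begins outside the hunk; if other type policies insert an MToDouble (or another conversion) for a def that may be recovered on bailout, they would need the same propagation, which this hunk does not show.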
diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
index da3e692..eb367e1 100644
--- a/js/src/jit/ValueNumbering.cpp
+++ b/js/src/jit/ValueNumbering.cpp
@@ -726,6 +726,12 @@ ValueNumberer::visitDefinition(MDefinition* def)
return true;
}
+ // Skip optimizations on instructions which are recovered on bailout, to
+ // avoid mixing instructions which are recovered on bailouts with
+ // instructions which are not.
+ if (def->isRecoveredOnBailout())
+ return true;
+
// If this instruction has a dependency() into an unreachable block, we'll
// need to update AliasAnalysis.
MInstruction* dep = def->dependency();
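Review bot: The early return added at lines 88–89 sits above the dependency() check that follows it, so a recovered-on-bailout instruction whose dependency() points into an unreachable block would no longer get the AliasAnalysis update described there. If such instructions cannot carry a dependency(), the comment should say so, e.g. append `Recovered instructions carry no dependency() needing fix-up, so returning before the check below is safe.`; otherwise the return should move below that update. visitDefinition begins and ends outside the hunk.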
--
2.5.0