Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch | 410 |
1 files changed, 410 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
new file mode 100644
index 0000000000..3d2f81e24a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
@@ -0,0 +1,410 @@
+From 4f447768a2ff6bf37d462e033c11e20c733129ba Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Tue, 16 Dec 2014 22:52:51 +0100
+Subject: [PATCH] Bug 1109889 - Share more exception handling code. r=nbp,
+ a=abillings
+
+---
+ js/src/jit/Ion.cpp | 11 ++++++++++-
+ js/src/jit/IonMacroAssembler.cpp | 8 ++++----
+ js/src/jit/JitCompartment.h | 8 ++++++--
+ js/src/jit/arm/MacroAssembler-arm.cpp | 11 ++---------
+ js/src/jit/arm/MacroAssembler-arm.h | 6 ++++--
+ js/src/jit/arm/Trampoline-arm.cpp | 4 ++--
+ js/src/jit/mips/MacroAssembler-mips.cpp | 11 ++---------
+ js/src/jit/mips/MacroAssembler-mips.h | 7 +++++--
+ js/src/jit/mips/Trampoline-mips.cpp | 4 ++--
+ js/src/jit/shared/MacroAssembler-x86-shared.h | 3 +++
+ js/src/jit/x64/MacroAssembler-x64.cpp | 11 ++---------
+ js/src/jit/x64/MacroAssembler-x64.h | 3 +--
+ js/src/jit/x64/Trampoline-x64.cpp | 4 ++--
+ js/src/jit/x86/MacroAssembler-x86.cpp | 11 ++---------
+ js/src/jit/x86/MacroAssembler-x86.h | 3 +--
+ js/src/jit/x86/Trampoline-x86.cpp | 4 ++--
+ 16 files changed, 50 insertions(+), 59 deletions(-)
+
+diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
+index 9635742..a77f9b4 100644
+--- a/js/src/jit/Ion.cpp
++++ b/js/src/jit/Ion.cpp
+@@ -150,6 +150,7 @@ JitRuntime::JitRuntime()
+ : execAlloc_(nullptr),
+ ionAlloc_(nullptr),
+ exceptionTail_(nullptr),
++ exceptionTailParallel_(nullptr),
+ bailoutTail_(nullptr),
+ enterJIT_(nullptr),
+ bailoutHandler_(nullptr),
+@@ -198,10 +199,18 @@ JitRuntime::initialize(JSContext *cx)
+ return false;
+ 
+ IonSpew(IonSpew_Codegen, "# Emitting exception tail stub");
+- exceptionTail_ = generateExceptionTailStub(cx);
++
++ void *handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++ void *handlerParallel = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++
++ exceptionTail_ = generateExceptionTailStub(cx, handler);
+ if (!exceptionTail_)
+ return false;
+ 
++ exceptionTailParallel_ = generateExceptionTailStub(cx, handlerParallel);
++ if (!exceptionTailParallel_)
++ return false;
++
+ IonSpew(IonSpew_Codegen, "# Emitting bailout tail stub");
+ bailoutTail_ = generateBailoutTailStub(cx);
+ if (!bailoutTail_)
+diff --git a/js/src/jit/IonMacroAssembler.cpp b/js/src/jit/IonMacroAssembler.cpp
+index 2326fe1..9f7cc8f 100644
+--- a/js/src/jit/IonMacroAssembler.cpp
++++ b/js/src/jit/IonMacroAssembler.cpp
+@@ -1030,18 +1030,18 @@ MacroAssembler::handleFailure(ExecutionMode executionMode)
+ sps_->skipNextReenter();
+ leaveSPSFrame();
+ 
+- void *handler;
++ JitCode *excTail;
+ switch (executionMode) {
+ case SequentialExecution:
+- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+ break;
+ case ParallelExecution:
+- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTailParallel();
+ break;
+ default:
+ MOZ_ASSUME_UNREACHABLE("No such execution mode");
+ }
+- MacroAssemblerSpecific::handleFailureWithHandler(handler);
++ jump(excTail);
+ 
+ // Doesn't actually emit code, but balances the leave()
+ if (sps_)
+diff --git a/js/src/jit/JitCompartment.h b/js/src/jit/JitCompartment.h
+index 486a29d..475a685 100644
+--- a/js/src/jit/JitCompartment.h
++++ b/js/src/jit/JitCompartment.h
+@@ -153,8 +153,9 @@ class JitRuntime
+ // need for explicit interrupt checks.
+ JSC::ExecutableAllocator *ionAlloc_;
+ 
+- // Shared post-exception-handler tail
++ // Shared exception-handler tail.
+ JitCode *exceptionTail_;
++ JitCode *exceptionTailParallel_;
+ 
+ // Shared post-bailout-handler tail.
+ JitCode *bailoutTail_;
+@@ -214,7 +215,7 @@ class JitRuntime
+ InlineList<PatchableBackedge> backedgeList_;
+ 
+ private:
+- JitCode *generateExceptionTailStub(JSContext *cx);
++ JitCode *generateExceptionTailStub(JSContext *cx, void *handler);
+ JitCode *generateBailoutTailStub(JSContext *cx);
+ JitCode *generateEnterJIT(JSContext *cx, EnterJitType type);
+ JitCode *generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut);
+@@ -287,6 +288,9 @@ class JitRuntime
+ JitCode *getExceptionTail() const {
+ return exceptionTail_;
+ }
++ JitCode *getExceptionTailParallel() const {
++ return exceptionTailParallel_;
++ }
+ 
+ JitCode *getBailoutTail() const {
+ return bailoutTail_;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
+index b34483c..63b3ff2 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.cpp
++++ b/js/src/jit/arm/MacroAssembler-arm.cpp
+@@ -3984,25 +3984,18 @@ MacroAssemblerARMCompat::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerARMCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerARMCompat::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ int size = (sizeof(ResumeFromException) + 7) & ~7;
+ ma_sub(Imm32(size), sp);
+ ma_mov(sp, r0);
+ 
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, r1);
+ passABIArg(r0);
+ callWithABI(handler);
+ 
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- branch(excTail);
+-}
+-
+-void
+-MacroAssemblerARMCompat::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.h b/js/src/jit/arm/MacroAssembler-arm.h
+index 00e8a03..6ccc0be 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.h
++++ b/js/src/jit/arm/MacroAssembler-arm.h
+@@ -711,6 +711,9 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+ void jump(Label *label) {
+ as_b(label);
+ }
++ void jump(JitCode *code) {
++ branch(code);
++ }
+ void jump(Register reg) {
+ ma_bx(reg);
+ }
+@@ -1202,8 +1205,7 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+ 
+ void linkExitFrame();
+ void linkParallelExitFrame(const Register &pt);
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+ 
+ /////////////////////////////////////////////////////////////////
+ // Common interface.
+diff --git a/js/src/jit/arm/Trampoline-arm.cpp b/js/src/jit/arm/Trampoline-arm.cpp
+index e539c00..693dad8 100644
+--- a/js/src/jit/arm/Trampoline-arm.cpp
++++ b/js/src/jit/arm/Trampoline-arm.cpp
+@@ -928,11 +928,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+ 
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+ 
+ Linker linker(masm);
+ AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/mips/MacroAssembler-mips.cpp b/js/src/jit/mips/MacroAssembler-mips.cpp
+index cee93a5..256434d 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.cpp
++++ b/js/src/jit/mips/MacroAssembler-mips.cpp
+@@ -3139,25 +3139,18 @@ MacroAssemblerMIPSCompat::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerMIPSCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerMIPSCompat::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ int size = (sizeof(ResumeFromException) + StackAlignment) & ~(StackAlignment - 1);
+ ma_subu(StackPointer, StackPointer, Imm32(size));
+ ma_move(a0, StackPointer); // Use a0 since it is a first function argument
+ 
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, a1);
+ passABIArg(a0);
+ callWithABI(handler);
+ 
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- branch(excTail);
+-}
+-
+-void
+-MacroAssemblerMIPSCompat::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/mips/MacroAssembler-mips.h b/js/src/jit/mips/MacroAssembler-mips.h
+index ed1f566..899a50e 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.h
++++ b/js/src/jit/mips/MacroAssembler-mips.h
+@@ -481,6 +481,10 @@ class MacroAssemblerMIPSCompat : public MacroAssemblerMIPS
+ as_nop();
+ }
+ 
++ void jump(JitCode *code) {
++ branch(code);
++ }
++
+ void neg32(Register reg) {
+ ma_negu(reg, reg);
+ }
+@@ -842,8 +846,7 @@ public:
+ 
+ void linkExitFrame();
+ void linkParallelExitFrame(const Register &pt);
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+ 
+ /////////////////////////////////////////////////////////////////
+ // Common interface.
+diff --git a/js/src/jit/mips/Trampoline-mips.cpp b/js/src/jit/mips/Trampoline-mips.cpp
+index b456845..64c2385 100644
+--- a/js/src/jit/mips/Trampoline-mips.cpp
++++ b/js/src/jit/mips/Trampoline-mips.cpp
+@@ -960,11 +960,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ 
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+ 
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+ 
+ Linker linker(masm);
+ AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/shared/MacroAssembler-x86-shared.h b/js/src/jit/shared/MacroAssembler-x86-shared.h
+index 01d1a4b..779cf83 100644
+--- a/js/src/jit/shared/MacroAssembler-x86-shared.h
++++ b/js/src/jit/shared/MacroAssembler-x86-shared.h
+@@ -287,6 +287,9 @@ class MacroAssemblerX86Shared : public Assembler
+ void jump(Label *label) {
+ jmp(label);
+ }
++ void jump(JitCode *code) {
++ jmp(code);
++ }
+ void jump(RepatchLabel *label) {
+ jmp(label);
+ }
+diff --git a/js/src/jit/x64/MacroAssembler-x64.cpp b/js/src/jit/x64/MacroAssembler-x64.cpp
+index 9a9f995..0db799c 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.cpp
++++ b/js/src/jit/x64/MacroAssembler-x64.cpp
+@@ -287,24 +287,17 @@ MacroAssemblerX64::callWithABI(Address fun, MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerX64::handleFailureWithHandler(void *handler)
++MacroAssemblerX64::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ subq(Imm32(sizeof(ResumeFromException)), rsp);
+ movq(rsp, rax);
+ 
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, rcx);
+ passABIArg(rax);
+ callWithABI(handler);
+ 
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX64::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/x64/MacroAssembler-x64.h b/js/src/jit/x64/MacroAssembler-x64.h
+index 2c11e9a..5010549 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.h
++++ b/js/src/jit/x64/MacroAssembler-x64.h
+@@ -1288,8 +1288,7 @@ class MacroAssemblerX64 : public MacroAssemblerX86Shared
+ void callWithABI(AsmJSImmPtr imm, MoveOp::Type result = MoveOp::GENERAL);
+ void callWithABI(Address fun, MoveOp::Type result = MoveOp::GENERAL);
+ 
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+ 
+ void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+ shlq(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x64/Trampoline-x64.cpp b/js/src/jit/x64/Trampoline-x64.cpp
+index 72f4592..3b83850 100644
+--- a/js/src/jit/x64/Trampoline-x64.cpp
++++ b/js/src/jit/x64/Trampoline-x64.cpp
+@@ -785,11 +785,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+ 
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+ 
+ Linker linker(masm);
+ JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+diff --git a/js/src/jit/x86/MacroAssembler-x86.cpp b/js/src/jit/x86/MacroAssembler-x86.cpp
+index d36f4d3..57a0f85 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.cpp
++++ b/js/src/jit/x86/MacroAssembler-x86.cpp
+@@ -281,24 +281,17 @@ MacroAssemblerX86::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerX86::handleFailureWithHandler(void *handler)
++MacroAssemblerX86::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ subl(Imm32(sizeof(ResumeFromException)), esp);
+ movl(esp, eax);
+ 
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, ecx);
+ passABIArg(eax);
+ callWithABI(handler);
+ 
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX86::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/x86/MacroAssembler-x86.h b/js/src/jit/x86/MacroAssembler-x86.h
+index 17de7a7..7e578c8 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.h
++++ b/js/src/jit/x86/MacroAssembler-x86.h
+@@ -1086,8 +1086,7 @@ class MacroAssemblerX86 : public MacroAssemblerX86Shared
+ void callWithABI(const Address &fun, MoveOp::Type result = MoveOp::GENERAL);
+ 
+ // Used from within an Exit frame to handle a pending exception.
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+ 
+ void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+ shll(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x86/Trampoline-x86.cpp b/js/src/jit/x86/Trampoline-x86.cpp
+index 0a2f0de..9fd2c00 100644
+--- a/js/src/jit/x86/Trampoline-x86.cpp
++++ b/js/src/jit/x86/Trampoline-x86.cpp
+@@ -827,11 +827,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+ 
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+ 
+ Linker linker(masm);
+ JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+-- 
+2.1.2
+
|