diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch new file mode 100644 index 0000000000..f6f3cd3585 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch @@ -0,0 +1,50 @@ +From 97bd3ada2a0ac6eff0e03e6eec8d2012af3bb57d Mon Sep 17 00:00:00 2001 +From: Jan de Mooij <jdemooij@mozilla.com> +Date: Mon, 28 Sep 2015 13:30:42 +0200 +Subject: [PATCH] Bug 1205707 part 1 - Clean up some is-TypedArrayObject code + in Ion. r=Waldo, a=sylvestre + +--- + js/src/jit/MCallOptimize.cpp | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp +index 7fdede8..2c6a533 100644 +--- a/js/src/jit/MCallOptimize.cpp ++++ b/js/src/jit/MCallOptimize.cpp +@@ -2122,6 +2122,19 @@ IonBuilder::inlineIsTypedArray(CallInfo& callInfo) + return InliningStatus_Inlined; + } + ++static bool ++IsTypedArrayObject(CompilerConstraintList* constraints, MDefinition* def) ++{ ++ MOZ_ASSERT(def->type() == MIRType_Object); ++ ++ TemporaryTypeSet* types = def->resultTypeSet(); ++ if (!types) ++ return false; ++ ++ return types->forAllClasses(constraints, IsTypedArrayClass) == ++ TemporaryTypeSet::ForAllResult::ALL_TRUE; ++} ++ + IonBuilder::InliningStatus + IonBuilder::inlineTypedArrayLength(CallInfo& callInfo) + { +@@ -2132,8 +2145,10 @@ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo) + if (getInlineReturnType() != MIRType_Int32) + return InliningStatus_NotInlined; + +- // We assume that when calling this function we always +- // have a TypedArray. The native asserts that as well. ++ // Note that the argument we see here is not necessarily a typed array. ++ // If it's not, this call should be unreachable though. ++ if (!IsTypedArrayObject(constraints(), callInfo.getArg(0))) ++ return InliningStatus_NotInlined; + + MInstruction* length = addTypedArrayLength(callInfo.getArg(0)); + current->push(length); +-- +2.5.0 + |