summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch69
1 files changed, 0 insertions, 69 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
deleted file mode 100644
index f4b4c0d4eb..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
-
-# HG changeset patch
-# User Shu-yu Guo <shu@rfrn.org>
-# Date 1459741387 -7200
-# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
-# Parent  9d4364f6b55c6ee65c13c491292c3abe1ee2c993
-Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
-
-diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
-new file mode 100644
---- /dev/null
-+++ b/js/src/jit-test/tests/parser/bug-1254164.js
-@@ -0,0 +1,6 @@
-+// |jit-test| slow;
-+
-+var s = '';
-+for (var i = 0; i < 70000; i++)
-+    s += 'function x' + i + '() { x' + i + '(); }\n';
-+eval("(function() { " + s + " })();");
-diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
---- a/js/src/jsscript.cpp
-+++ b/js/src/jsscript.cpp
-@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
-     // JITs when interpreting/compiling aliasedvar ops.)
- 
-     // Since unaliased variables are, by definition, only accessed by local
-     // operations and never through the scope chain, only give shapes to
-     // aliased variables. While the debugger may observe any scope object at
-     // any time, such accesses are mediated by DebugScopeProxy (see
-     // DebugScopeProxy::handleUnaliasedAccess).
-     uint32_t nslots = CallObject::RESERVED_SLOTS;
--    uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
-+
-+    // Unless there are aliased body-level lexical bindings at all, set the
-+    // begin index to an impossible slot number.
-+    uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
-     for (BindingIter bi(self); bi; bi++) {
-         if (bi->aliased()) {
-             // Per ES6, lexical bindings cannot be accessed until
-             // initialized. Remember the first aliased slot that is a
-             // body-level lexical, so that they may be initialized to sentinel
-             // magic values.
-             if (numBodyLevelLexicals > 0 &&
-                 nslots < aliasedBodyLevelLexicalBegin &&
-diff --git a/js/src/jsscript.h b/js/src/jsscript.h
---- a/js/src/jsscript.h
-+++ b/js/src/jsscript.h
-@@ -201,18 +201,18 @@ class Bindings
-     friend class BindingIter;
-     friend class AliasedFormalIter;
- 
-     RelocatablePtrShape callObjShape_;
-     uintptr_t bindingArrayAndFlag_;
-     uint16_t numArgs_;
-     uint16_t numBlockScoped_;
-     uint16_t numBodyLevelLexicals_;
--    uint16_t aliasedBodyLevelLexicalBegin_;
-     uint16_t numUnaliasedBodyLevelLexicals_;
-+    uint32_t aliasedBodyLevelLexicalBegin_;
-     uint32_t numVars_;
-     uint32_t numUnaliasedVars_;
- 
- #if JS_BITS_PER_WORD == 32
-     // Bindings is allocated inline inside JSScript, which needs to be
-     // gc::Cell aligned.
-     uint32_t padding_;
- #endif
-