path: root/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch
  changeset:   312044:09418166fd77
  user:        Jon Coppeard <jcoppeard@mozilla.com>
  Date:        Wed May 11 10:14:45 2016 +0100
  summary:     Bug 1264575 - Add missing pre-barrier in Ion r=jandem a=ritu

diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit-test/tests/self-hosting/bug1264575.js
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/js/src/jit-test/tests/self-hosting/bug1264575.js	Wed May 11 10:14:45 2016 +0100
@@ -0,0 +1,7 @@
+function f(x, [y]) {}
+f(0, []);
+// jsfunfuzz-generated
+let i = 0;
+for (var z of [0, 0, 0]) {
+    verifyprebarriers();
+}
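Review bot: The new test has no comment saying which regression it guards, and nothing in the file forces the conditions under which it can actually fail. It is only meaningful when the loop reaches Ion and the build includes the pre-barrier verifier behind `verifyprebarriers()`. As far as I know that call does nothing in builds without GC zeal support, and three iterations will not reach Ion unless the harness runs an eager-compilation configuration, so confirm both before relying on it. I would add a header line such as `// Bug 1264575: Ion-inlined fixed-slot stores must emit a pre-barrier; only meaningful in a GC-zeal build with eager Ion compilation.` The unused `let i = 0;` looks like fuzzer residue and could be dropped if the test still reproduces the original failure without it.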
diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit/MCallOptimize.cpp
--- a/js/src/jit/MCallOptimize.cpp	Mon May 16 15:11:24 2016 -0400
+++ b/js/src/jit/MCallOptimize.cpp	Wed May 11 10:14:45 2016 +0100
@@ -2263,7 +2263,8 @@
 
     callInfo.setImplicitlyUsedUnchecked();
 
-    MStoreFixedSlot* store = MStoreFixedSlot::New(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
+    MStoreFixedSlot* store =
+        MStoreFixedSlot::NewBarriered(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
     current->add(store);
     current->push(store);