Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch93
1 files changed, 93 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
new file mode 100644
index 0000000000..042188ee9c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch
@@ -0,0 +1,93 @@
+From 182bcb255e28b536e2d2a1208fde3324a994dbc1 Mon Sep 17 00:00:00 2001
+From: Benjamin Bouvier <benj@benj.me>
+Date: Tue, 13 Oct 2015 19:22:47 +0200
+Subject: [PATCH] Bug 1107011: Propagate recovered on bailout flags when
+ converting float32 to doubles; r=nbp, a=ritu, a=abillings
+
+--HG--
+extra : commitid : 51QGWZ84Mqx
+extra : amend_source : 48bf9cd43b37c95d61dd4d11b184c307e84a56b5
+extra : histedit_source : ae510534e698e680103f508e0029d75f03f4e6e0%2C1d8eb51e63dd3a52898892976f50747cc3907e65
+---
+ js/src/jit-test/tests/ion/bug1107011-1.js | 17 +++++++++++++++++
+ js/src/jit-test/tests/ion/bug1107011-2.js | 12 ++++++++++++
+ js/src/jit/TypePolicy.cpp | 2 ++
+ js/src/jit/ValueNumbering.cpp | 6 ++++++
+ 4 files changed, 37 insertions(+)
+ create mode 100644 js/src/jit-test/tests/ion/bug1107011-1.js
+ create mode 100644 js/src/jit-test/tests/ion/bug1107011-2.js
+
+diff --git a/js/src/jit-test/tests/ion/bug1107011-1.js b/js/src/jit-test/tests/ion/bug1107011-1.js
+new file mode 100644
+index 0000000..458d7dd
+--- /dev/null
++++ b/js/src/jit-test/tests/ion/bug1107011-1.js
+@@ -0,0 +1,17 @@
++var f32 = new Float32Array(32);
++function f(n) {
++ var x;
++ if (n > 10000) {
++ x = 4.5;
++ } else {
++ x = f32[0];
++ }
++ f32[0] = (function() {
++ for(var f=0;f<4;++f) {
++ x=1;
++ }
++ })() < x;
++}
++for (var n = 0; n < 100; n++)
++ f(n);
++
+diff --git a/js/src/jit-test/tests/ion/bug1107011-2.js b/js/src/jit-test/tests/ion/bug1107011-2.js
+new file mode 100644
+index 0000000..d59685e
+--- /dev/null
++++ b/js/src/jit-test/tests/ion/bug1107011-2.js
+@@ -0,0 +1,12 @@
++function foo() {
++ var x = 0, y = 0, a = new Float32Array(1);
++ function bar() {
++ x = y;
++ y = a[0];
++ }
++ for (var i = 0; i < 1000; i++) {
++ bar();
++ }
++}
++for (var i=0; i < 50; i++)
++ foo();
+diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp
+index 4cea638..2510d50 100644
+--- a/js/src/jit/TypePolicy.cpp
++++ b/js/src/jit/TypePolicy.cpp
+@@ -22,6 +22,8 @@ EnsureOperandNotFloat32(TempAllocator& alloc, MInstruction* def, unsigned op)
+ if (in->type() == MIRType_Float32) {
+ MToDouble* replace = MToDouble::New(alloc, in);
+ def->block()->insertBefore(def, replace);
++ if (def->isRecoveredOnBailout())
++ replace->setRecoveredOnBailout();
+ def->replaceOperand(op, replace);
+ }
+ }
+diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
+index da3e692..eb367e1 100644
+--- a/js/src/jit/ValueNumbering.cpp
++++ b/js/src/jit/ValueNumbering.cpp
+@@ -726,6 +726,12 @@ ValueNumberer::visitDefinition(MDefinition* def)
+ return true;
+ }
+
++ // Skip optimizations on instructions which are recovered on bailout, to
++ // avoid mixing instructions which are recovered on bailouts with
++ // instructions which are not.
++ if (def->isRecoveredOnBailout())
++ return true;
++
+ // If this instruction has a dependency() into an unreachable block, we'll
+ // need to update AliasAnalysis.
+ MInstruction* dep = def->dependency();
+--
+2.5.0
+
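Review bot: The added patch file has no line tying it to CVE-2015-4513 or to its upstream source. Its header names only Bug 1107011 and the Mercurial commit ids, so the link to the CVE exists only in the file name. A short comment ahead of the `From` line at the top of the file would let an auditor confirm the backport, for example `Part 7 of the fix for CVE-2015-4513 (Bug 1107011); upstream changeset: <UPSTREAM_CHANGESET_URL>`, with the placeholder replaced by the real location. The rest of the patch body should stay byte-identical to upstream so the two can be compared directly.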