Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch410
1 files changed, 410 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
new file mode 100644
index 0000000000..3d2f81e24a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
@@ -0,0 +1,410 @@
+From 4f447768a2ff6bf37d462e033c11e20c733129ba Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Tue, 16 Dec 2014 22:52:51 +0100
+Subject: [PATCH] Bug 1109889 - Share more exception handling code. r=nbp,
+ a=abillings
+
+---
+ js/src/jit/Ion.cpp | 11 ++++++++++-
+ js/src/jit/IonMacroAssembler.cpp | 8 ++++----
+ js/src/jit/JitCompartment.h | 8 ++++++--
+ js/src/jit/arm/MacroAssembler-arm.cpp | 11 ++---------
+ js/src/jit/arm/MacroAssembler-arm.h | 6 ++++--
+ js/src/jit/arm/Trampoline-arm.cpp | 4 ++--
+ js/src/jit/mips/MacroAssembler-mips.cpp | 11 ++---------
+ js/src/jit/mips/MacroAssembler-mips.h | 7 +++++--
+ js/src/jit/mips/Trampoline-mips.cpp | 4 ++--
+ js/src/jit/shared/MacroAssembler-x86-shared.h | 3 +++
+ js/src/jit/x64/MacroAssembler-x64.cpp | 11 ++---------
+ js/src/jit/x64/MacroAssembler-x64.h | 3 +--
+ js/src/jit/x64/Trampoline-x64.cpp | 4 ++--
+ js/src/jit/x86/MacroAssembler-x86.cpp | 11 ++---------
+ js/src/jit/x86/MacroAssembler-x86.h | 3 +--
+ js/src/jit/x86/Trampoline-x86.cpp | 4 ++--
+ 16 files changed, 50 insertions(+), 59 deletions(-)
+
+diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
+index 9635742..a77f9b4 100644
+--- a/js/src/jit/Ion.cpp
++++ b/js/src/jit/Ion.cpp
+@@ -150,6 +150,7 @@ JitRuntime::JitRuntime()
+ : execAlloc_(nullptr),
+ ionAlloc_(nullptr),
+ exceptionTail_(nullptr),
++ exceptionTailParallel_(nullptr),
+ bailoutTail_(nullptr),
+ enterJIT_(nullptr),
+ bailoutHandler_(nullptr),
+@@ -198,10 +199,18 @@ JitRuntime::initialize(JSContext *cx)
+ return false;
+
+ IonSpew(IonSpew_Codegen, "# Emitting exception tail stub");
+- exceptionTail_ = generateExceptionTailStub(cx);
++
++ void *handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++ void *handlerParallel = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++
++ exceptionTail_ = generateExceptionTailStub(cx, handler);
+ if (!exceptionTail_)
+ return false;
+
++ exceptionTailParallel_ = generateExceptionTailStub(cx, handlerParallel);
++ if (!exceptionTailParallel_)
++ return false;
++
+ IonSpew(IonSpew_Codegen, "# Emitting bailout tail stub");
+ bailoutTail_ = generateBailoutTailStub(cx);
+ if (!bailoutTail_)
+diff --git a/js/src/jit/IonMacroAssembler.cpp b/js/src/jit/IonMacroAssembler.cpp
+index 2326fe1..9f7cc8f 100644
+--- a/js/src/jit/IonMacroAssembler.cpp
++++ b/js/src/jit/IonMacroAssembler.cpp
+@@ -1030,18 +1030,18 @@ MacroAssembler::handleFailure(ExecutionMode executionMode)
+ sps_->skipNextReenter();
+ leaveSPSFrame();
+
+- void *handler;
++ JitCode *excTail;
+ switch (executionMode) {
+ case SequentialExecution:
+- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+ break;
+ case ParallelExecution:
+- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTailParallel();
+ break;
+ default:
+ MOZ_ASSUME_UNREACHABLE("No such execution mode");
+ }
+- MacroAssemblerSpecific::handleFailureWithHandler(handler);
++ jump(excTail);
+
+ // Doesn't actually emit code, but balances the leave()
+ if (sps_)
+diff --git a/js/src/jit/JitCompartment.h b/js/src/jit/JitCompartment.h
+index 486a29d..475a685 100644
+--- a/js/src/jit/JitCompartment.h
++++ b/js/src/jit/JitCompartment.h
+@@ -153,8 +153,9 @@ class JitRuntime
+ // need for explicit interrupt checks.
+ JSC::ExecutableAllocator *ionAlloc_;
+
+- // Shared post-exception-handler tail
++ // Shared exception-handler tail.
+ JitCode *exceptionTail_;
++ JitCode *exceptionTailParallel_;
+
+ // Shared post-bailout-handler tail.
+ JitCode *bailoutTail_;
+@@ -214,7 +215,7 @@ class JitRuntime
+ InlineList<PatchableBackedge> backedgeList_;
+
+ private:
+- JitCode *generateExceptionTailStub(JSContext *cx);
++ JitCode *generateExceptionTailStub(JSContext *cx, void *handler);
+ JitCode *generateBailoutTailStub(JSContext *cx);
+ JitCode *generateEnterJIT(JSContext *cx, EnterJitType type);
+ JitCode *generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut);
+@@ -287,6 +288,9 @@ class JitRuntime
+ JitCode *getExceptionTail() const {
+ return exceptionTail_;
+ }
++ JitCode *getExceptionTailParallel() const {
++ return exceptionTailParallel_;
++ }
+
+ JitCode *getBailoutTail() const {
+ return bailoutTail_;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
+index b34483c..63b3ff2 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.cpp
++++ b/js/src/jit/arm/MacroAssembler-arm.cpp
+@@ -3984,25 +3984,18 @@ MacroAssemblerARMCompat::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerARMCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerARMCompat::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ int size = (sizeof(ResumeFromException) + 7) & ~7;
+ ma_sub(Imm32(size), sp);
+ ma_mov(sp, r0);
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, r1);
+ passABIArg(r0);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- branch(excTail);
+-}
+-
+-void
+-MacroAssemblerARMCompat::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.h b/js/src/jit/arm/MacroAssembler-arm.h
+index 00e8a03..6ccc0be 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.h
++++ b/js/src/jit/arm/MacroAssembler-arm.h
+@@ -711,6 +711,9 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+ void jump(Label *label) {
+ as_b(label);
+ }
++ void jump(JitCode *code) {
++ branch(code);
++ }
+ void jump(Register reg) {
+ ma_bx(reg);
+ }
+@@ -1202,8 +1205,7 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+
+ void linkExitFrame();
+ void linkParallelExitFrame(const Register &pt);
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ /////////////////////////////////////////////////////////////////
+ // Common interface.
+diff --git a/js/src/jit/arm/Trampoline-arm.cpp b/js/src/jit/arm/Trampoline-arm.cpp
+index e539c00..693dad8 100644
+--- a/js/src/jit/arm/Trampoline-arm.cpp
++++ b/js/src/jit/arm/Trampoline-arm.cpp
+@@ -928,11 +928,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/mips/MacroAssembler-mips.cpp b/js/src/jit/mips/MacroAssembler-mips.cpp
+index cee93a5..256434d 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.cpp
++++ b/js/src/jit/mips/MacroAssembler-mips.cpp
+@@ -3139,25 +3139,18 @@ MacroAssemblerMIPSCompat::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerMIPSCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerMIPSCompat::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ int size = (sizeof(ResumeFromException) + StackAlignment) & ~(StackAlignment - 1);
+ ma_subu(StackPointer, StackPointer, Imm32(size));
+ ma_move(a0, StackPointer); // Use a0 since it is a first function argument
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, a1);
+ passABIArg(a0);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- branch(excTail);
+-}
+-
+-void
+-MacroAssemblerMIPSCompat::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/mips/MacroAssembler-mips.h b/js/src/jit/mips/MacroAssembler-mips.h
+index ed1f566..899a50e 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.h
++++ b/js/src/jit/mips/MacroAssembler-mips.h
+@@ -481,6 +481,10 @@ class MacroAssemblerMIPSCompat : public MacroAssemblerMIPS
+ as_nop();
+ }
+
++ void jump(JitCode *code) {
++ branch(code);
++ }
++
+ void neg32(Register reg) {
+ ma_negu(reg, reg);
+ }
+@@ -842,8 +846,7 @@ public:
+
+ void linkExitFrame();
+ void linkParallelExitFrame(const Register &pt);
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ /////////////////////////////////////////////////////////////////
+ // Common interface.
+diff --git a/js/src/jit/mips/Trampoline-mips.cpp b/js/src/jit/mips/Trampoline-mips.cpp
+index b456845..64c2385 100644
+--- a/js/src/jit/mips/Trampoline-mips.cpp
++++ b/js/src/jit/mips/Trampoline-mips.cpp
+@@ -960,11 +960,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/shared/MacroAssembler-x86-shared.h b/js/src/jit/shared/MacroAssembler-x86-shared.h
+index 01d1a4b..779cf83 100644
+--- a/js/src/jit/shared/MacroAssembler-x86-shared.h
++++ b/js/src/jit/shared/MacroAssembler-x86-shared.h
+@@ -287,6 +287,9 @@ class MacroAssemblerX86Shared : public Assembler
+ void jump(Label *label) {
+ jmp(label);
+ }
++ void jump(JitCode *code) {
++ jmp(code);
++ }
+ void jump(RepatchLabel *label) {
+ jmp(label);
+ }
+diff --git a/js/src/jit/x64/MacroAssembler-x64.cpp b/js/src/jit/x64/MacroAssembler-x64.cpp
+index 9a9f995..0db799c 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.cpp
++++ b/js/src/jit/x64/MacroAssembler-x64.cpp
+@@ -287,24 +287,17 @@ MacroAssemblerX64::callWithABI(Address fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerX64::handleFailureWithHandler(void *handler)
++MacroAssemblerX64::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ subq(Imm32(sizeof(ResumeFromException)), rsp);
+ movq(rsp, rax);
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, rcx);
+ passABIArg(rax);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX64::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/x64/MacroAssembler-x64.h b/js/src/jit/x64/MacroAssembler-x64.h
+index 2c11e9a..5010549 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.h
++++ b/js/src/jit/x64/MacroAssembler-x64.h
+@@ -1288,8 +1288,7 @@ class MacroAssemblerX64 : public MacroAssemblerX86Shared
+ void callWithABI(AsmJSImmPtr imm, MoveOp::Type result = MoveOp::GENERAL);
+ void callWithABI(Address fun, MoveOp::Type result = MoveOp::GENERAL);
+
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+ shlq(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x64/Trampoline-x64.cpp b/js/src/jit/x64/Trampoline-x64.cpp
+index 72f4592..3b83850 100644
+--- a/js/src/jit/x64/Trampoline-x64.cpp
++++ b/js/src/jit/x64/Trampoline-x64.cpp
+@@ -785,11 +785,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+diff --git a/js/src/jit/x86/MacroAssembler-x86.cpp b/js/src/jit/x86/MacroAssembler-x86.cpp
+index d36f4d3..57a0f85 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.cpp
++++ b/js/src/jit/x86/MacroAssembler-x86.cpp
+@@ -281,24 +281,17 @@ MacroAssemblerX86::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerX86::handleFailureWithHandler(void *handler)
++MacroAssemblerX86::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ subl(Imm32(sizeof(ResumeFromException)), esp);
+ movl(esp, eax);
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, ecx);
+ passABIArg(eax);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX86::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/x86/MacroAssembler-x86.h b/js/src/jit/x86/MacroAssembler-x86.h
+index 17de7a7..7e578c8 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.h
++++ b/js/src/jit/x86/MacroAssembler-x86.h
+@@ -1086,8 +1086,7 @@ class MacroAssemblerX86 : public MacroAssemblerX86Shared
+ void callWithABI(const Address &fun, MoveOp::Type result = MoveOp::GENERAL);
+
+ // Used from within an Exit frame to handle a pending exception.
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+ shll(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x86/Trampoline-x86.cpp b/js/src/jit/x86/Trampoline-x86.cpp
+index 0a2f0de..9fd2c00 100644
+--- a/js/src/jit/x86/Trampoline-x86.cpp
++++ b/js/src/jit/x86/Trampoline-x86.cpp
+@@ -827,11 +827,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+--
+2.1.2
+
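Review bot: The new `exceptionTailParallel_` field in JitCompartment.h carries no comment distinguishing it from `exceptionTail_`, and since every `MacroAssembler::handleFailure()` site now reaches a handler only by jumping to one of these two stubs (IonMacroAssembler.cpp hunk) the relationship belongs at the declaration: `// Shared exception-handler tails: exceptionTail_ calls jit::HandleException, exceptionTailParallel_ calls jit::HandleParallelFailure; handleFailure() jumps to one of these instead of embedding the handler address at each failure site.` On the lifetime side the field is nulled in the constructor and filled in `initialize()`, but nothing in the patch shows whether `exceptionTail_` gets any per-field tracing, invalidation or teardown elsewhere in JitRuntime; if it does, the parallel stub needs the same treatment and this part of the series does not add it. `initialize()` now also returns false when only the parallel stub fails to allocate, leaving the sequential stub already generated, which matches the surrounding `return false` pattern and is presumably intended. The `handleFailureWithHandlerTail` bodies on all four targets continue past the hunk boundaries, so the label dispatch that follows the `callWithABI(handler)` call is not visible here.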