From a24d62130932b8104f931f925288d3abc9105684 Mon Sep 17 00:00:00 2001
From: Lars T Hansen
Date: Sat, 25 May 2019 15:41:06 +0200
Subject: [js, ARM] Always check error return from BufferOffset::diffB.

We were missing error checks at two points. In one case an error return is meaningful; in another case it is not, as the problem should have been guarded against at a higher level by emitting far jump islands soon enough during pasteup of compiled code.
---
 js/src/jit/arm/Assembler-arm.cpp | 7 ++++++-
 js/src/jit/arm/MacroAssembler-arm.cpp | 5 ++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

(limited to 'js/src/jit')

diff --git a/js/src/jit/arm/Assembler-arm.cpp b/js/src/jit/arm/Assembler-arm.cpp
index 2830f06955..1e20da1c8c 100644
--- a/js/src/jit/arm/Assembler-arm.cpp
+++ b/js/src/jit/arm/Assembler-arm.cpp
@@ -2401,7 +2401,12 @@ Assembler::as_b(Label* l, Condition c)
 if (oom())
 return BufferOffset();
- as_b(BufferOffset(l).diffB(ret), c, ret);
+ BOffImm off = BufferOffset(l).diffB(ret);
+ if (off.isInvalid()) {
+ m_buffer.fail_bail();
+ return BufferOffset();
+ }
+ as_b(off, c, ret);
 #ifdef JS_DISASM_ARM
 spewBranch(m_buffer.getInstOrNull(ret), l);
 #endif
diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
index d405785144..a4161ab006 100644
--- a/js/src/jit/arm/MacroAssembler-arm.cpp
+++ b/js/src/jit/arm/MacroAssembler-arm.cpp
@@ -5012,7 +5012,10 @@ void
 MacroAssembler::patchCall(uint32_t callerOffset, uint32_t calleeOffset)
 {
 BufferOffset inst(callerOffset - 4);
- as_bl(BufferOffset(calleeOffset).diffB(inst), Always, inst);
+ BOffImm off = BufferOffset(calleeOffset).diffB(inst);
+ MOZ_RELEASE_ASSERT(!off.isInvalid(),
+ "Failed to insert necessary far jump islands");
+ as_bl(off, Always, inst);
 }

 CodeOffset
-- cgit v1.2.3
From 50062bdfc004c8e24e3344ffe6991894ee0e6d09 Mon Sep 17 00:00:00 2001
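Review bot: The new `if (off.isInvalid())` bail in as_b has no comment saying why an out-of-range displacement is folded into the buffer's failure state here while the sibling change in patchCall asserts instead, and the two hunks look symmetric enough that a later reader may "unify" them. I would annotate the branch: `// Target too far for a short branch: mark the buffer failed (presumably surfaced through oom(), like the check just above) so the caller discards this code instead of getting a mis-encoded branch.` The body of as_b starts and ends outside the hunk, so whether `ret` is consumed by anything after the early return cannot be seen from here.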
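Review bot: The MOZ_RELEASE_ASSERT on `off.isInvalid()` in patchCall is the right choice for a routine that rewrites an already-emitted `bl` — a displacement that does not fit would presumably be encoded as a wrong target rather than fail loudly — but its message names a mechanism (far jump islands) that nothing in this function touches, so the invariant's origin should be written down next to it. Suggest a comment above the assert: `// The displacement must fit: far jump islands emitted during code pasteup are supposed to keep every call target in range, so an invalid BOffImm here is an upstream bug, not a recoverable condition — crash rather than emit a bad branch.` The whole of patchCall is inside the hunk; the island mechanism itself is known only from the commit message, not from this file, so the wording should stay hedged to that.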
From: wolfbeast
Date: Wed, 29 May 2019 11:08:31 +0200
Subject: Fix #1091 deprot

---
 js/src/jit/IonCaches.cpp | 1 +
 js/src/jit/Recover.cpp | 1 +
 2 files changed, 2 insertions(+)

(limited to 'js/src/jit')

diff --git a/js/src/jit/IonCaches.cpp b/js/src/jit/IonCaches.cpp
index 96e488ea8c..0208db6aeb 100644
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@@ -31,6 +31,7 @@
 #include "jit/shared/Lowering-shared-inl.h"
 #include "vm/Interpreter-inl.h"
 #include "vm/Shape-inl.h"
+#include "vm/UnboxedObject-inl.h"
 using namespace js;
 using namespace js::jit;
diff --git a/js/src/jit/Recover.cpp b/js/src/jit/Recover.cpp
index 13bf9224b3..6fd71f3774 100644
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -30,6 +30,7 @@
 #include "vm/Interpreter-inl.h"
 #include "vm/NativeObject-inl.h"
+#include "vm/UnboxedObject-inl.h"
 using namespace js;
 using namespace js::jit;
-- cgit v1.2.3