commit a248a86571775fc8c25d29e90cf015cfc7b34358 Author: Douglas Crosher dtc-moz@scieneer.com Date: Fri Mar 21 14:27:31 2014 +1100
Bug 919592 - Ionmonkey (ARM): Guard against branches being out of range and bail out of compilation if so. r=mjrosenb, a=sledru --- js/src/jit/arm/Assembler-arm.cpp | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/js/src/jit/arm/Assembler-arm.cpp b/js/src/jit/arm/Assembler-arm.cpp
index 57a3aa2..9969d22 100644
--- a/js/src/jit/arm/Assembler-arm.cpp
+++ b/js/src/jit/arm/Assembler-arm.cpp
@@ -1851,6 +1851,10 @@ Assembler::as_b(Label *l, Condition c, bool isPatchable)
 old = l->offset();
 // This will currently throw an assertion if we couldn't actually
 // encode the offset of the branch.
+ if (!BOffImm::isInRange(old)) {
+ m_buffer.bail();
+ return ret;
+ }
 ret = as_b(BOffImm(old), c, isPatchable);
 } else {
 old = LabelBase::INVALID_OFFSET;
@@ -1910,6 +1914,10 @@ Assembler::as_bl(Label *l, Condition c)
 // This will currently throw an assertion if we couldn't actually
 // encode the offset of the branch.
 old = l->offset();
+ if (!BOffImm::isInRange(old)) {
+ m_buffer.bail();
+ return ret;
+ }
 ret = as_bl(BOffImm(old), c);
 } else {
 old = LabelBase::INVALID_OFFSET;
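Review bot: The context comment `// This will currently throw an assertion if we couldn't actually encode the offset of the branch.` is stale once the guard is in place in `as_b`, and the same applies to the `as_bl` hunk, because an out-of-range offset now reaches `m_buffer.bail()` and never gets to the `BOffImm` constructor. I would reword it to say why the check exists, for example `// An offset that does not fit a branch immediate must not be encoded; bail out of compilation instead.` The early `return ret;` hands back whatever `ret` was initialised to above the hunk, presumably an unassigned buffer offset, so a short comment that callers must consult the buffer's bail state before using the result would help. Both function bodies start and end outside the hunks, so whether the label's bookkeeping after the branch is also skipped safely on this path cannot be confirmed from here.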
tor-commits@lists.torproject.org