Bug 919592 - Ionmonkey (ARM): Guard against branches being out of range and bail out of compilation if so. r=mjrosenb, a=sledru
authorDouglas Crosher <dtc-moz@scieneer.com>
Fri, 21 Mar 2014 14:27:31 +1100
changeset 183667 7be150811dd8
parent 183666 ed9793adc2c7
child 183668 c8bcfc32f855
push id3441
push userryanvm@gmail.com
push date2014-04-08 16:59 +0000
reviewersmjrosenb, sledru
bugs919592
milestone29.0
Bug 919592 - Ionmonkey (ARM): Guard against branches being out of range and bail out of compilation if so. r=mjrosenb, a=sledru
js/src/jit/arm/Assembler-arm.cpp
--- a/js/src/jit/arm/Assembler-arm.cpp
+++ b/js/src/jit/arm/Assembler-arm.cpp
@@ -1861,16 +1861,20 @@ Assembler::as_b(Label *l, Condition c, b
     }
 
     int32_t old;
     BufferOffset ret;
     if (l->used()) {
         old = l->offset();
         // This will currently throw an assertion if we couldn't actually
         // encode the offset of the branch.
+        if (!BOffImm::isInRange(old)) {
+            m_buffer.bail();
+            return ret;
+        }
         ret = as_b(BOffImm(old), c, isPatchable);
     } else {
         old = LabelBase::INVALID_OFFSET;
         BOffImm inv;
         ret = as_b(inv, c, isPatchable);
     }
     DebugOnly<int32_t> check = l->use(ret.getOffset());
     JS_ASSERT(check == old);
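Review bot: The comment directly above the new guard in as_b ("This will currently throw an assertion if we couldn't actually encode the offset of the branch") is stale once the guard is in place, and the same comment is left unchanged in the as_bl hunk. The guard matters most in builds where assertions are compiled out, because an offset that does not fit the branch immediate would presumably be encoded truncated into the generated code there; the comment should state that reason. Suggested replacement: `// The label's previous-use offset is stored in the branch immediate; if it does not fit, bail out of compilation rather than emit a truncated link.` as_b's body starts and ends outside the hunk.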
@@ -1919,16 +1923,20 @@ Assembler::as_bl(Label *l, Condition c)
 
     int32_t old;
     BufferOffset ret;
     // See if the list was empty :(
     if (l->used()) {
         // This will currently throw an assertion if we couldn't actually
         // encode the offset of the branch.
         old = l->offset();
+        if (!BOffImm::isInRange(old)) {
+            m_buffer.bail();
+            return ret;
+        }
         ret = as_bl(BOffImm(old), c);
     } else {
         old = LabelBase::INVALID_OFFSET;
         BOffImm inv;
         ret = as_bl(inv, c);
     }
     DebugOnly<int32_t> check = l->use(ret.getOffset());
     JS_ASSERT(check == old);
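Review bot: The contract of the early `return ret;` in as_bl is undocumented: at that point `ret` is still default-constructed and `l->use()` has not run, so the caller gets an offset that refers to no emitted instruction, and the as_b hunk has the same early return. Whether a default BufferOffset reads as unassigned, and whether every caller checks the buffer's bail state before using the returned offset, is decided outside this hunk and is worth confirming. I would document it at the guard, e.g. `// On bail, the returned offset is unassigned and the label is left untouched; callers must check the assembler's failure state before using it.` Since the four guard lines are identical in both functions, a small private helper would keep the two paths from drifting apart.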