From 1d5bb90cb0a1b457570019845fed207faed67a99 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 21 Apr 2024 20:34:58 +0200
Subject: Adding upstream version 115.10.0esr.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 js/src/jit/CacheIR.cpp             | 11 ++++++++---
 js/src/jit/IonAnalysis.cpp         |  4 ++--
 js/src/jit/JitFrames.cpp           | 20 ++++++++++----------
 js/src/vm/BigIntType.h             |  1 +
 js/src/vm/StructuredClone.cpp      |  2 +-
 js/xpconnect/src/XPCComponents.cpp |  2 +-
 js/xpconnect/src/XPCShellImpl.cpp  | 11 ++++++++++-
 7 files changed, 33 insertions(+), 18 deletions(-)

(limited to 'js')

diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
index 68163e7d6c..2a7c72abe4 100644
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -498,9 +498,14 @@ enum class NativeGetPropKind {
 
 static NativeGetPropKind IsCacheableGetPropCall(NativeObject* obj,
                                                 NativeObject* holder,
-                                                PropertyInfo prop) {
+                                                PropertyInfo prop,
+                                                jsbytecode* pc = nullptr) {
   MOZ_ASSERT(IsCacheableProtoChain(obj, holder));
 
+  if (pc && JSOp(*pc) == JSOp::GetBoundName) {
+    return NativeGetPropKind::None;
+  }
+
   if (!prop.isAccessorProperty()) {
     return NativeGetPropKind::None;
   }
@@ -593,7 +598,7 @@ static NativeGetPropKind CanAttachNativeGetProp(JSContext* cx, JSObject* obj,
       return NativeGetPropKind::Slot;
     }
 
-    return IsCacheableGetPropCall(nobj, *holder, propInfo->ref());
+    return IsCacheableGetPropCall(nobj, *holder, propInfo->ref(), pc);
   }
 
   if (!prop.isFound()) {
@@ -3130,7 +3135,7 @@ AttachDecision GetNameIRGenerator::tryAttachGlobalNameGetter(ObjOperandId objId,
 
   GlobalObject* global = &globalLexical->global();
 
-  NativeGetPropKind kind = IsCacheableGetPropCall(global, holder, *prop);
+  NativeGetPropKind kind = IsCacheableGetPropCall(global, holder, *prop, pc_);
   if (kind != NativeGetPropKind::NativeGetter &&
       kind != NativeGetPropKind::ScriptedGetter) {
     return AttachDecision::NoAction;
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index d15c0d5df0..77b166af04 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -747,13 +747,13 @@ static bool IsDiamondPattern(MBasicBlock* initialBlock) {
   MTest* initialTest = ins->toTest();
 
   MBasicBlock* trueBranch = initialTest->ifTrue();
-  if (trueBranch->numPredecessors() != 1 || trueBranch->numSuccessors() != 1) {
+  if (trueBranch->numPredecessors() != 1 || !trueBranch->lastIns()->isGoto()) {
     return false;
   }
 
   MBasicBlock* falseBranch = initialTest->ifFalse();
   if (falseBranch->numPredecessors() != 1 ||
-      falseBranch->numSuccessors() != 1) {
+      !falseBranch->lastIns()->isGoto()) {
     return false;
   }
 
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
index fd65289e61..5e723041cd 100644
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -897,32 +897,32 @@ static void TraceThisAndArguments(JSTracer* trc, const JSJitFrameIter& frame,
     return;
   }
 
-  size_t nargs = layout->numActualArgs();
-  size_t nformals = 0;
-
   JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+
+  size_t numFormals = fun->nargs();
+  size_t numArgs = std::max(layout->numActualArgs(), numFormals);
+  size_t firstArg = 0;
+
   if (frame.type() != FrameType::JSJitToWasm &&
       !frame.isExitFrameLayout<CalledFromJitExitFrameLayout>() &&
       !fun->nonLazyScript()->mayReadFrameArgsDirectly()) {
-    nformals = fun->nargs();
+    firstArg = numFormals;
   }
 
-  size_t newTargetOffset = std::max(nargs, fun->nargs());
-
   Value* argv = layout->thisAndActualArgs();
 
   // Trace |this|.
   TraceRoot(trc, argv, "ion-thisv");
 
-  // Trace actual arguments beyond the formals. Note + 1 for thisv.
-  for (size_t i = nformals + 1; i < nargs + 1; i++) {
-    TraceRoot(trc, &argv[i], "ion-argv");
+  // Trace arguments. Note + 1 for thisv.
+  for (size_t i = firstArg; i < numArgs; i++) {
+    TraceRoot(trc, &argv[i + 1], "ion-argv");
   }
 
   // Always trace the new.target from the frame. It's not in the snapshots.
   // +1 to pass |this|
   if (CalleeTokenIsConstructing(layout->calleeToken())) {
-    TraceRoot(trc, &argv[1 + newTargetOffset], "ion-newTarget");
+    TraceRoot(trc, &argv[1 + numArgs], "ion-newTarget");
   }
 }
 
diff --git a/js/src/vm/BigIntType.h b/js/src/vm/BigIntType.h
index c8e264b20b..fe70d0cf69 100644
--- a/js/src/vm/BigIntType.h
+++ b/js/src/vm/BigIntType.h
@@ -398,6 +398,7 @@ class BigInt final : public js::gc::CellWithLengthAndFlags {
   static JSLinearString* toStringGeneric(JSContext* cx, Handle<BigInt*>,
                                          unsigned radix);
 
+  friend struct ::JSStructuredCloneReader; // So it can call the following:
   static BigInt* destructivelyTrimHighZeroDigits(JSContext* cx, BigInt* x);
 
   bool absFitsInUint64() const { return digitLength() <= 64 / DigitBits; }
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index 7eafc89113..1ba63c7fee 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2489,7 +2489,7 @@ BigInt* JSStructuredCloneReader::readBigInt(uint32_t data) {
   if (!in.readArray(result->digits().data(), length)) {
     return nullptr;
   }
-  return result;
+  return JS::BigInt::destructivelyTrimHighZeroDigits(context(), result);
 }
 
 static uint32_t TagToV1ArrayType(uint32_t tag) {
diff --git a/js/xpconnect/src/XPCComponents.cpp b/js/xpconnect/src/XPCComponents.cpp
index 77df85b5f8..b69aaea0b5 100644
--- a/js/xpconnect/src/XPCComponents.cpp
+++ b/js/xpconnect/src/XPCComponents.cpp
@@ -1789,7 +1789,7 @@ nsXPCComponents_Utils::GetFunctionSourceLocation(HandleValue funcValue,
     NS_ENSURE_TRUE(func, NS_ERROR_INVALID_ARG);
 
     RootedScript script(cx, JS_GetFunctionScript(cx, func));
-    NS_ENSURE_TRUE(func, NS_ERROR_FAILURE);
+    NS_ENSURE_TRUE(script, NS_ERROR_FAILURE);
 
     AppendUTF8toUTF16(nsDependentCString(JS_GetScriptFilename(script)),
                       filename);
diff --git a/js/xpconnect/src/XPCShellImpl.cpp b/js/xpconnect/src/XPCShellImpl.cpp
index 124c2ed37d..f24b939fae 100644
--- a/js/xpconnect/src/XPCShellImpl.cpp
+++ b/js/xpconnect/src/XPCShellImpl.cpp
@@ -1106,6 +1106,10 @@ int XRE_XPCShellMain(int argc, char** argv, char** envp,
   // stability, we should instantiate COM ASAP so that we can ensure that these
   // global settings are configured before anything can interfere.
   mscom::ProcessRuntime mscom;
+
+#  ifdef MOZ_SANDBOX
+  nsAutoString binDirPath;
+#  endif
 #endif
 
   // The provider needs to outlive the call to shutting down XPCOM.
@@ -1125,6 +1129,11 @@ int XRE_XPCShellMain(int argc, char** argv, char** envp,
       return 1;
     }
 
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    // We need the binary directory to initialize the windows sandbox.
+    MOZ_ALWAYS_SUCCEEDS(appDir->GetPath(binDirPath));
+#endif
+
     dirprovider.SetAppFile(appFile);
 
     nsCOMPtr<nsIFile> greDir;
@@ -1323,7 +1332,7 @@ int XRE_XPCShellMain(int argc, char** argv, char** envp,
 #  if defined(MOZ_SANDBOX)
     // Required for sandboxed child processes.
     if (aShellData->sandboxBrokerServices) {
-      SandboxBroker::Initialize(aShellData->sandboxBrokerServices);
+      SandboxBroker::Initialize(aShellData->sandboxBrokerServices, binDirPath);
       SandboxBroker::GeckoDependentInitialize();
     } else {
       NS_WARNING(
-- 
cgit v1.2.3