Diffstat (limited to 'js/src/vm')
-rw-r--r--js/src/vm/SharedArrayObject.cpp34
-rw-r--r--js/src/vm/TypeInference.cpp12
-rw-r--r--js/src/vm/TypeInference.h4
-rw-r--r--js/src/vm/Xdr.h20
4 files changed, 37 insertions, 33 deletions
diff --git a/js/src/vm/SharedArrayObject.cpp b/js/src/vm/SharedArrayObject.cpp
index 730578cd4..c69306aac 100644
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -116,22 +116,22 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length)
if (allocSize <= length)
return nullptr;
+ // Test >= to guard against the case where multiple extant runtimes
+ // race to allocate.
+ if (++numLive >= maxLive) {
+ JSRuntime* rt = cx->runtime();
+ if (rt->largeAllocationFailureCallback)
+ rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
+ if (numLive >= maxLive) {
+ numLive--;
+ return nullptr;
+ }
+ }
+
bool preparedForAsmJS = jit::JitOptions.asmJSAtomicsEnable && IsValidAsmJSHeapLength(length);
void* p = nullptr;
if (preparedForAsmJS) {
- // Test >= to guard against the case where multiple extant runtimes
- // race to allocate.
- if (++numLive >= maxLive) {
- JSRuntime* rt = cx->runtime();
- if (rt->largeAllocationFailureCallback)
- rt->largeAllocationFailureCallback(rt->largeAllocationFailureCallbackData);
- if (numLive >= maxLive) {
- numLive--;
- return nullptr;
- }
- }
-
uint32_t mappedSize = SharedArrayMappedSize(allocSize);
// Get the entire reserved region (with all pages inaccessible)
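Review bot: Every early return after `++numLive` on this hunk's first added line now has to pair with a decrement, and the asm.js mapping-failure path (the error handling after `mappedSize` is computed, between this hunk and the next) is not visible here — confirm it still does `numLive--`, since a missed decrement on a failed allocation permanently consumes a slot of `maxLive` and is a denial-of-service lever against every runtime sharing the counter. The `>=` re-check and the comment about racing runtimes only hold if `numLive`'s increment, compare and decrement are atomic (its declaration is outside the hunk); if it is a plain static, two runtimes can both pass the check and the cap is advisory. I would record the invariant next to the increment: `// Every path that returns nullptr after this point must numLive--.` `SharedArrayRawBuffer::New` begins before and continues after this hunk.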
@@ -154,8 +154,10 @@ SharedArrayRawBuffer::New(JSContext* cx, uint32_t length)
# endif
} else {
p = MapMemory(allocSize, true);
- if (!p)
+ if (!p) {
+ numLive--;
return nullptr;
+ }
}
uint8_t* buffer = reinterpret_cast<uint8_t*>(p) + gc::SystemPageSize();
@@ -189,8 +191,6 @@ SharedArrayRawBuffer::dropReference()
uint32_t allocSize = SharedArrayAllocSize(this->length);
if (this->preparedForAsmJS) {
- numLive--;
-
uint32_t mappedSize = SharedArrayMappedSize(allocSize);
UnmapMemory(address, mappedSize);
@@ -202,6 +202,10 @@ SharedArrayRawBuffer::dropReference()
} else {
UnmapMemory(address, allocSize);
}
+
+ // Decrement the buffer counter at the end -- otherwise, a race condition
+ // could enable the creation of unlimited buffers.
+ numLive--;
}
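Review bot: The decrement at the end of `dropReference` is the right placement, but the added comment overstates the alternative: as far as this hunk shows, decrementing before `UnmapMemory` would let a concurrent `New()` pass the `maxLive` check while this buffer's pages were still mapped, exceeding the cap by the number of in-flight frees rather than by an unlimited amount. Even the final placement only closes that window if `numLive` is atomic and this function runs once per buffer (the refcount drop that guards it is outside this hunk). I would reword it as `// Decrement only after the pages are unmapped, so a concurrent New() can never pass the maxLive check while this buffer's memory is still mapped.` `dropReference` begins before this hunk.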
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index 5b55ba947..2a7762e4f 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -1511,18 +1511,6 @@ js::FinishCompilation(JSContext* cx, HandleScript script, CompilerConstraintList
return true;
}
-void
-js::InvalidateCompilerOutputsForScript(JSContext* cx, HandleScript script)
-{
- TypeZone& types = cx->zone()->types;
- if (types.compilerOutputs) {
- for (auto& co : *types.compilerOutputs) {
- if (co.script() == script)
- co.invalidate();
- }
- }
-}
-
static void
CheckDefinitePropertiesTypeSet(JSContext* cx, TemporaryTypeSet* frozen, StackTypeSet* actual)
{
diff --git a/js/src/vm/TypeInference.h b/js/src/vm/TypeInference.h
index 45b2711e2..9ba1c3cc8 100644
--- a/js/src/vm/TypeInference.h
+++ b/js/src/vm/TypeInference.h
@@ -1093,10 +1093,6 @@ bool
FinishCompilation(JSContext* cx, HandleScript script, CompilerConstraintList* constraints,
RecompileInfo* precompileInfo, bool* isValidOut);
-// Reset any CompilerOutput present for a script.
-void
-InvalidateCompilerOutputsForScript(JSContext* cx, HandleScript script);
-
// Update the actual types in any scripts queried by constraints with any
// speculative types added during the definite properties analysis.
void
diff --git a/js/src/vm/Xdr.h b/js/src/vm/Xdr.h
index 8e8c5bf17..2a5c62480 100644
--- a/js/src/vm/Xdr.h
+++ b/js/src/vm/Xdr.h
@@ -143,13 +143,17 @@ class XDRState {
template <typename T>
bool codeEnum32(T* val, typename mozilla::EnableIf<mozilla::IsEnum<T>::value, T>::Type * = NULL)
{
+ // Mix the enumeration value with a random magic number, such that a
+ // corruption with a low-ranged value (like 0) is less likely to cause a
+ // miss-interpretation of the XDR content and instead cause a failure.
+ const uint32_t MAGIC = 0xAF647BCE;
uint32_t tmp;
if (mode == XDR_ENCODE)
- tmp = uint32_t(*val);
+ tmp = uint32_t(*val) ^ MAGIC;
if (!codeUint32(&tmp))
return false;
if (mode == XDR_DECODE)
- *val = T(tmp);
+ *val = T(tmp ^ MAGIC);
return true;
}
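Review bot: Decoding never fails in `codeEnum32` itself: `*val = T(tmp ^ MAGIC)` accepts any 32-bit value, so the XOR only turns a zeroed or low-valued field into an out-of-range enum value instead of a plausible one, and it is the caller's range check on the decoded enum that actually converts corruption into a failure — the comment should say that rather than promising a failure here. The constant is fixed, not random, and the comment has a typo (`miss-interpretation`); I would write `// XOR with a fixed magic so a zeroed/low-valued corrupted field decodes to an out-of-range enum instead of a valid one; callers must still range-check *val.` This also changes the encoded layout of every enum in XDR data, so if the transcode format is versioned elsewhere (a build-id or version header), confirm it is bumped so stale caches are rejected rather than mis-decoded.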
@@ -167,6 +171,18 @@ class XDRState {
return true;
}
+ bool codeMarker(uint32_t magic) {
+ uint32_t actual = magic;
+ if (!codeUint32(&actual))
+ return false;
+ if (actual != magic) {
+ // Fail in debug, but only soft-fail in release
+ MOZ_ASSERT(false, "Bad XDR marker");
+ return fail(JS::TranscodeResult_Failure_BadDecode);
+ }
+ return true;
+ }
+
bool codeBytes(void* bytes, size_t len) {
if (len == 0)
return true;
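Review bot: `MOZ_ASSERT(false, "Bad XDR marker")` in `codeMarker` turns a mismatched marker into a process abort on debug builds even though the function already returns `TranscodeResult_Failure_BadDecode`; XDR input is decoded data that may come from a corrupted or attacker-influenced cache, so the assert makes debug and fuzzing builds crash on exactly the input the soft-fail path exists for. Unless the marker is only ever read from trusted, self-produced buffers, I would drop the assert or gate it on a trusted-input flag, leaving `if (actual != magic) return fail(JS::TranscodeResult_Failure_BadDecode);`. A one-line doc on the helper would also help: `// Encode: writes |magic|. Decode: reads a word and fails the transcode unless it equals |magic|.` The enclosing class and `codeBytes` continue outside the hunk.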