From 4b06471b36f6c23b910556cdece4f38bdc65e5ea Mon Sep 17 00:00:00 2001
From: =?utf8?q?Andr=C3=A9=20Bargull?=
Date: Wed, 3 Apr 2024 07:47:07 +0000
Subject: [PATCH] Bug 1885489 - Part 1: Handle double inputs when recovering StringFromCharCode and AtomicIsLockFree. r=iain

Differential Revision: https://phabricator.services.mozilla.com/D204897
---
 js/src/jit/Recover.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/js/src/jit/Recover.cpp b/js/src/jit/Recover.cpp
index 220ffe7bb29f..85dc58da1ae7 100644
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -1044,7 +1044,11 @@ bool MFromCharCode::writeRecoverData(CompactBufferWriter& writer) const {
 RFromCharCode::RFromCharCode(CompactBufferReader& reader) {}
 
 bool RFromCharCode::recover(JSContext* cx, SnapshotIterator& iter) const {
-  int32_t charCode = iter.read().toInt32();
+  Value charCodeValue = iter.read();
+  MOZ_ASSERT(charCodeValue.isNumber(),
+             "charCode computed from (recoverable) user input");
+
+  int32_t charCode = JS::ToInt32(charCodeValue.toNumber());
 
   JSString* str = StringFromCharCode(cx, charCode);
   if (!str) {
@@ -2015,9 +2019,13 @@ RAtomicIsLockFree::RAtomicIsLockFree(CompactBufferReader& reader) {}
 
 bool RAtomicIsLockFree::recover(JSContext* cx, SnapshotIterator& iter) const {
   Value operand = iter.read();
-  MOZ_ASSERT(operand.isInt32());
+  MOZ_ASSERT(operand.isNumber());
+
+  double dsize = JS::ToInteger(operand.toNumber());
 
-  bool result = AtomicOperations::isLockfreeJS(operand.toInt32());
+  int32_t size;
+  bool result = mozilla::NumberEqualsInt32(dsize, &size) &&
+                AtomicOperations::isLockfreeJS(size);
   iter.storeInstructionResult(BooleanValue(result));
   return true;
 }
-- 
2.11.4.GIT
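Review bot: The new `MOZ_ASSERT(charCodeValue.isNumber(), ...)` in RFromCharCode::recover is compiled out in release builds, so there `toNumber()` runs on whatever the snapshot slot holds; the comment should say what actually guarantees the operand is a number (presumably the MIR type policy of MFromCharCode rather than this check), e.g. `// Debug-only check: the operand is typed by MFromCharCode, so a non-number here is a compiler bug, not bad user input.` The same applies to the `MOZ_ASSERT(operand.isNumber())` in the RAtomicIsLockFree::recover hunk below. The switch from `toInt32()` to `JS::ToInt32` also deserves a line, because ToInt32 silently maps NaN and ±Infinity to 0 and wraps values outside int32 range modulo 2^32 instead of failing: `// Operand may be Int32 or Double (bug 1885489); ToInt32 maps NaN/Infinity to 0 and wraps modulo 2^32.` RFromCharCode::recover continues past the end of the hunk.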
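Review bot: `int32_t size;` in RAtomicIsLockFree::recover is declared uninitialized and is only written when `mozilla::NumberEqualsInt32` returns true; the short-circuit `&&` makes the read safe, but brace-initializing it (`int32_t size{0};`) makes that invariant visible and keeps uninitialized-variable diagnostics quiet. A short comment on the conversion would also help a reader who does not know the Atomics.isLockFree contract, since the code now treats any value that does not round-trip through int32 as "not lock-free": `// ToInteger truncates toward zero; a size that does not fit int32 is reported as not lock-free.`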