diff -Nru mozjs102-102.9.0/build/debian-packages/mercurial-timeout.diff mozjs102-102.10.0/build/debian-packages/mercurial-timeout.diff --- mozjs102-102.9.0/build/debian-packages/mercurial-timeout.diff 1969-12-31 19:00:00.000000000 -0500 +++ mozjs102-102.10.0/build/debian-packages/mercurial-timeout.diff 2023-04-10 19:40:44.000000000 -0400 @@ -0,0 +1,38 @@ +# HG changeset patch +# User Julien Cristau +# Date 1679408823 -3600 +# Tue Mar 21 15:27:03 2023 +0100 +# Branch stable +# Node ID 3a889388b8f5e4fc884fd7eb6c5daf82056627e2 +# Parent 411dc27fd9fd076d6a031a08fcaace659afe2fe3 +url: don't ignore timeout for https connections + +For http, we use the stdlib's HTTPConnection.connect which passes the +timeout down to socket.create_connection; for https, we override the +connect method but weren't handling the timeout, so connections could +hang for hours even with http.timeout set to low values. + +diff --git a/mercurial/url.py b/mercurial/url.py +--- a/mercurial/url.py ++++ b/mercurial/url.py +@@ -404,17 +404,19 @@ if has_https: + *args, + **kwargs + ): + keepalive.HTTPConnection.__init__(self, host, port, *args, **kwargs) + self.key_file = key_file + self.cert_file = cert_file + + def connect(self): +- self.sock = socket.create_connection((self.host, self.port)) ++ self.sock = socket.create_connection( ++ (self.host, self.port), self.timeout ++ ) + + host = self.host + if self.realhostport: # use CONNECT proxy + _generic_proxytunnel(self) + host = self.realhostport.rsplit(b':', 1)[0] + self.sock = sslutil.wrapsocket( + self.sock, + self.key_file, Binary files /tmp/XYYrctyKpT/mozjs102-102.9.0/config/external/icu/data/icudt71l.dat and /tmp/ix89ntfDjx/mozjs102-102.10.0/config/external/icu/data/icudt71l.dat differ diff -Nru mozjs102-102.9.0/config/milestone.txt mozjs102-102.10.0/config/milestone.txt --- mozjs102-102.9.0/config/milestone.txt 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/config/milestone.txt 2023-04-10 19:40:44.000000000 -0400 @@ -10,4 +10,4 @@ # hardcoded milestones in the tree from these two files. #-------------------------------------------------------- -102.9.0 +102.10.0 diff -Nru mozjs102-102.9.0/debian/changelog mozjs102-102.10.0/debian/changelog --- mozjs102-102.9.0/debian/changelog 2023-03-13 11:03:53.000000000 -0400 +++ mozjs102-102.10.0/debian/changelog 2023-04-10 19:48:42.000000000 -0400 @@ -1,3 +1,14 @@ +mozjs102 (102.10.0-1) unstable; urgency=high + + * New upstream release (LP: #2015880) + - CVE-2023-29536: Invalid free from JavaScript code + - CVE-2023-29548: Incorrect optimization result on ARM64 + - CVE-2023-29550: Memory safety bugs + - CVE-2023-29535: Potential Memory Corruption following Garbage Collector + compaction + + -- Jeremy BĂ­cha Mon, 10 Apr 2023 19:48:42 -0400 + mozjs102 (102.9.0-1) unstable; urgency=high [ Jeremy Bicha ] diff -Nru mozjs102-102.9.0/js/src/builtin/intl/TimeZoneDataGenerated.h mozjs102-102.10.0/js/src/builtin/intl/TimeZoneDataGenerated.h --- mozjs102-102.9.0/js/src/builtin/intl/TimeZoneDataGenerated.h 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/builtin/intl/TimeZoneDataGenerated.h 2023-04-10 19:40:44.000000000 -0400 @@ -1,5 +1,5 @@ // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g +// tzdata version = 2023a #ifndef builtin_intl_TimeZoneDataGenerated_h #define builtin_intl_TimeZoneDataGenerated_h diff -Nru mozjs102-102.9.0/js/src/gc/Compacting.cpp mozjs102-102.10.0/js/src/gc/Compacting.cpp --- mozjs102-102.9.0/js/src/gc/Compacting.cpp 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/gc/Compacting.cpp 2023-04-10 19:40:44.000000000 -0400 @@ -455,11 +455,12 @@ } void GCRuntime::sweepZoneAfterCompacting(MovingTracer* trc, Zone* zone) { - MOZ_ASSERT(zone->isCollecting()); - traceWeakFinalizationObserverEdges(trc, zone); + MOZ_ASSERT(zone->isGCCompacting()); zone->traceWeakMaps(trc); + traceWeakFinalizationObserverEdges(trc, zone); + for (auto* cache : zone->weakCaches()) { cache->traceWeak(trc, nullptr); } diff -Nru mozjs102-102.9.0/js/src/jit/arm64/Lowering-arm64.cpp mozjs102-102.10.0/js/src/jit/arm64/Lowering-arm64.cpp --- mozjs102-102.9.0/js/src/jit/arm64/Lowering-arm64.cpp 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/jit/arm64/Lowering-arm64.cpp 2023-04-10 19:40:44.000000000 -0400 @@ -572,10 +572,10 @@ void LIRGeneratorARM64::lowerUDiv(MDiv* div) { LAllocation lhs = useRegister(div->lhs()); if (div->rhs()->isConstant()) { - int32_t rhs = div->rhs()->toConstant()->toInt32(); - int32_t shift = mozilla::FloorLog2(mozilla::Abs(rhs)); + uint32_t rhs = div->rhs()->toConstant()->toInt32(); + int32_t shift = mozilla::FloorLog2(rhs); - if (rhs != 0 && uint32_t(1) << shift == mozilla::Abs(rhs)) { + if (rhs != 0 && uint32_t(1) << shift == rhs) { LDivPowTwoI* lir = new (alloc()) LDivPowTwoI(lhs, shift, false); if (div->fallible()) { assignSnapshot(lir, div->bailoutKind()); diff -Nru mozjs102-102.9.0/js/src/jit/CacheIR.cpp mozjs102-102.10.0/js/src/jit/CacheIR.cpp --- mozjs102-102.9.0/js/src/jit/CacheIR.cpp 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/jit/CacheIR.cpp 2023-04-10 19:40:44.000000000 -0400 @@ -9932,8 +9932,8 @@ writer.loadArgumentDynamicSlot(ArgumentKind::This, argcId, flags); ObjOperandId thisObjId = writer.guardToObject(thisValId); - // Guard on the |this| class to make sure it's the right instance. - writer.guardAnyClass(thisObjId, thisval_.toObject().getClass()); + // Guard on the |this| shape to make sure it's the right instance. + writer.guardShape(thisObjId, thisval_.toObject().shape()); // Ensure callee matches this stub's callee writer.guardSpecificFunction(calleeObjId, calleeFunc); diff -Nru mozjs102-102.9.0/js/src/jit/WarpBuilderShared.h mozjs102-102.10.0/js/src/jit/WarpBuilderShared.h --- mozjs102-102.9.0/js/src/jit/WarpBuilderShared.h 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/jit/WarpBuilderShared.h 2023-04-10 19:40:44.000000000 -0400 @@ -291,7 +291,8 @@ DOMObjectKind objKind = DOMObjectKind::Unknown; if (isDOMCall) { - const JSClass* clasp = callInfo.thisArg()->toGuardToClass()->getClass(); + const JSClass* clasp = + callInfo.thisArg()->toGuardShape()->shape()->getObjectClass(); MOZ_ASSERT(clasp->isDOMClass()); if (clasp->isNativeObject()) { objKind = DOMObjectKind::Native; diff -Nru mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backward_links.js mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backward_links.js --- mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backward_links.js 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backward_links.js 2023-04-10 19:40:44.000000000 -0400 @@ -1,7 +1,7 @@ // |reftest| skip-if(!this.hasOwnProperty("Intl")) // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g +// tzdata version = 2023a const tzMapper = [ x => x, diff -Nru mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone.js mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone.js --- mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone.js 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone.js 2023-04-10 19:40:44.000000000 -0400 @@ -1,7 +1,7 @@ // |reftest| skip-if(!this.hasOwnProperty("Intl")) // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g +// tzdata version = 2023a const tzMapper = [ x => x, @@ -77,6 +77,7 @@ "America/St_Vincent": "America/St_Vincent", "America/Thunder_Bay": "America/Thunder_Bay", "America/Tortola": "America/Tortola", + "America/Yellowknife": "America/Yellowknife", "Antarctica/DumontDUrville": "Antarctica/DumontDUrville", "Antarctica/McMurdo": "Antarctica/McMurdo", "Antarctica/Syowa": "Antarctica/Syowa", diff -Nru mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone_links.js mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone_links.js --- mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone_links.js 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_backzone_links.js 2023-04-10 19:40:44.000000000 -0400 @@ -1,7 +1,7 @@ // |reftest| skip-if(!this.hasOwnProperty("Intl")) // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g +// tzdata version = 2023a const tzMapper = [ x => x, diff -Nru mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_notbackward_links.js mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_notbackward_links.js --- mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_notbackward_links.js 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_notbackward_links.js 2023-04-10 19:40:44.000000000 -0400 @@ -1,7 +1,7 @@ // |reftest| skip-if(!this.hasOwnProperty("Intl")) // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g +// tzdata version = 2023a const tzMapper = [ x => x, diff -Nru mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_version.js mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_version.js --- mozjs102-102.9.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_version.js 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/tests/non262/Intl/DateTimeFormat/timeZone_version.js 2023-04-10 19:40:44.000000000 -0400 @@ -1,8 +1,8 @@ // |reftest| skip-if(!this.hasOwnProperty("Intl")) // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g -const tzdata = "2022g"; +// tzdata version = 2023a +const tzdata = "2023a"; if (typeof getICUOptions === "undefined") { var getICUOptions = SpecialPowers.Cu.getJSTestingFunctions().getICUOptions; diff -Nru mozjs102-102.9.0/js/src/tests/non262/Intl/supportedValuesOf-timeZones-canonical.js mozjs102-102.10.0/js/src/tests/non262/Intl/supportedValuesOf-timeZones-canonical.js --- mozjs102-102.9.0/js/src/tests/non262/Intl/supportedValuesOf-timeZones-canonical.js 2023-03-13 10:54:55.000000000 -0400 +++ mozjs102-102.10.0/js/src/tests/non262/Intl/supportedValuesOf-timeZones-canonical.js 2023-04-10 19:40:44.000000000 -0400 @@ -1,7 +1,7 @@ // |reftest| skip-if(!this.hasOwnProperty("Intl")) // Generated by make_intl_data.py. DO NOT EDIT. -// tzdata version = 2022g +// tzdata version = 2023a // This file was generated with historical, pre-1970 backzone information // respected. diff -Nru mozjs102-102.9.0/js/src/vm/JSObject.cpp mozjs102-102.10.0/js/src/vm/JSObject.cpp --- mozjs102-102.9.0/js/src/vm/JSObject.cpp 2023-03-13 10:54:57.000000000 -0400 +++ mozjs102-102.10.0/js/src/vm/JSObject.cpp 2023-04-10 19:40:46.000000000 -0400 @@ -1073,12 +1073,13 @@ if (hasDynamicElements()) { ObjectElements* elements = getElementsHeader(); + void* allocatedElements = getUnshiftedElementsHeader(); size_t count = elements->numAllocatedElements(); size_t size = count * sizeof(HeapSlot); if (isTenured()) { RemoveCellMemory(this, size, MemoryUse::ObjectElements); - } else if (cx->nursery().isInside(elements)) { + } else if (cx->nursery().isInside(allocatedElements)) { // Move nursery allocated elements in case they end up in a tenured // object. ObjectElements* newElements = @@ -1090,7 +1091,7 @@ memmove(newElements, elements, size); elements_ = newElements->elements(); } else { - cx->nursery().removeMallocedBuffer(elements, size); + cx->nursery().removeMallocedBuffer(allocatedElements, size); } MOZ_ASSERT(hasDynamicElements()); } @@ -1140,11 +1141,12 @@ if (obj->hasDynamicElements()) { ObjectElements* elements = obj->getElementsHeader(); - MOZ_ASSERT(!cx->nursery().isInside(elements)); + void* allocatedElements = obj->getUnshiftedElementsHeader(); + MOZ_ASSERT(!cx->nursery().isInside(allocatedElements)); size_t size = elements->numAllocatedElements() * sizeof(HeapSlot); if (obj->isTenured()) { AddCellMemory(obj, size, MemoryUse::ObjectElements); - } else if (!cx->nursery().registerMallocedBuffer(elements, size)) { + } else if (!cx->nursery().registerMallocedBuffer(allocatedElements, size)) { return false; } } @@ -3290,7 +3292,7 @@ MOZ_ASSERT(nobj.numFixedSlots() == 0); /* Use minimal size object if we are just going to copy the pointer. */ - if (!nursery.isInside(nobj.getElementsHeader())) { + if (!nursery.isInside(nobj.getUnshiftedElementsHeader())) { return gc::AllocKind::OBJECT0_BACKGROUND; }