Skip to content

Commit

Permalink
[MERGE #6528 @akroshg] ChakraCore Servicing update for 2020.11B
Browse files Browse the repository at this point in the history
Merge pull request #6528 from akroshg:servicing_2011

Fixing -
[CVE-2020-17054]
[CVE-2020-17048]
  • Loading branch information
akroshg committed Nov 10, 2020
2 parents 63c5099 + ab0e7c0 commit 008e43e
Show file tree
Hide file tree
Showing 6 changed files with 37 additions and 41 deletions.
2 changes: 1 addition & 1 deletion Build/NuGet/.pack-version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.11.22
1.11.23
8 changes: 8 additions & 0 deletions lib/Backend/GlobOpt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -14591,6 +14591,14 @@ GlobOpt::OptIsInvariant(
allowNonPrimitives = true;
}
break;

case Js::OpCode::CheckFixedFld:
if (!instr->GetSrc1()->AsPropertySymOpnd()->NeedsPrimaryTypeCheck())
{
break;
}
// Fall through. If the instruction has to do a type check as well as a fixed field check, then we need to check the invariance
// of the type symbol.
case Js::OpCode::CheckObjType:
// Bug 11712101: If the operand is a field, ensure that its containing object type is invariant
// before hoisting -- that is, don't hoist a CheckObjType over a DeleteFld on that object.
Expand Down
8 changes: 4 additions & 4 deletions lib/Backend/GlobOpt.h
Original file line number Diff line number Diff line change
Expand Up @@ -559,7 +559,7 @@ class GlobOpt
void TryOptimizeInstrWithFixedDataProperty(IR::Instr * * const pInstr);
bool CheckIfPropOpEmitsTypeCheck(IR::Instr *instr, IR::PropertySymOpnd *opnd);
IR::PropertySymOpnd * CreateOpndForTypeCheckOnly(IR::PropertySymOpnd* opnd, Func* func);
bool FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block = nullptr, bool updateExistingValue = false, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr);
bool FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block = nullptr, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr);
IR::Instr * SetTypeCheckBailOut(IR::Opnd *opnd, IR::Instr *instr, BailOutInfo *bailOutInfo);
void OptArguments(IR::Instr *Instr);
void TrackInstrsForScopeObjectRemoval(IR::Instr * instr);
Expand Down Expand Up @@ -944,7 +944,7 @@ class GlobOpt
bool ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd);
bool CheckIfInstrInTypeCheckSeqEmitsTypeCheck(IR::Instr* instr, IR::PropertySymOpnd *opnd);
template<bool makeChanges>
bool ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr, bool *isObjTypeChecked = nullptr);
bool ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr, bool *isObjTypeChecked = nullptr);
template<class Fn>
bool MapObjectHeaderInlinedTypeSymsUntil(BasicBlock *block, bool isObjTypeSpecialized, SymID opndId, Fn fn);
void KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecialized, SymID symId = SymID_Invalid);
Expand All @@ -954,8 +954,8 @@ class GlobOpt
void SetTypeSetOnObjectTypeValue(Value* value, Js::EquivalentTypeSet* typeSet);
void UpdateObjectTypeValue(Value* value, const JITTypeHolder type, bool setType, Js::EquivalentTypeSet* typeSet, bool setTypeSet);
void SetObjectTypeFromTypeSym(StackSym *typeSym, Value* value, BasicBlock* block = nullptr);
void SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block = nullptr, bool updateExistingValue = false);
void SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData, bool updateExistingValue = false);
void SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block = nullptr);
void SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData);
void KillObjectType(StackSym *objectSym, BVSparse<JitArenaAllocator>* liveFields = nullptr);
void KillAllObjectTypes(BVSparse<JitArenaAllocator>* liveFields = nullptr);
void EndFieldLifetime(IR::SymOpnd *symOpnd);
Expand Down
51 changes: 18 additions & 33 deletions lib/Backend/GlobOptFields.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -875,7 +875,7 @@ GlobOpt::CreateOpndForTypeCheckOnly(IR::PropertySymOpnd* opnd, Func* func)
}

bool
GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut, bool* changesTypeValueOut)
GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool* emitsTypeCheckOut, bool* changesTypeValueOut)
{
if (!DoFieldRefOpts() || !OpCodeAttr::FastFldInstr(instr->m_opcode))
{
Expand All @@ -888,7 +888,7 @@ GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock

if (isTypeCheckSeqCandidate)
{
isObjTypeSpecialized = ProcessPropOpInTypeCheckSeq<true>(instr, opnd, block, updateExistingValue, emitsTypeCheckOut, changesTypeValueOut, &isObjTypeChecked);
isObjTypeSpecialized = ProcessPropOpInTypeCheckSeq<true>(instr, opnd, block, emitsTypeCheckOut, changesTypeValueOut, &isObjTypeChecked);
}

if (opnd == instr->GetDst() && this->objectTypeSyms)
Expand Down Expand Up @@ -1102,19 +1102,19 @@ GlobOpt::CompareCurrentTypesWithExpectedTypes(JsTypeValueInfo *valueInfo, IR::Pr
bool
GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd)
{
return ProcessPropOpInTypeCheckSeq<true>(instr, opnd, this->currentBlock, false);
return ProcessPropOpInTypeCheckSeq<true>(instr, opnd, this->currentBlock);
}

bool GlobOpt::CheckIfInstrInTypeCheckSeqEmitsTypeCheck(IR::Instr* instr, IR::PropertySymOpnd *opnd)
{
bool emitsTypeCheck;
ProcessPropOpInTypeCheckSeq<false>(instr, opnd, this->currentBlock, false, &emitsTypeCheck);
ProcessPropOpInTypeCheckSeq<false>(instr, opnd, this->currentBlock, &emitsTypeCheck);
return emitsTypeCheck;
}

template<bool makeChanges>
bool
GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut, bool* changesTypeValueOut, bool *isTypeCheckedOut)
GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool* emitsTypeCheckOut, bool* changesTypeValueOut, bool *isTypeCheckedOut)
{
// We no longer mark types as dead in the backward pass, so we should never see an instr with a dead type here
// during the forward pass. For the time being we've retained the logic below to deal with dead types in case
Expand Down Expand Up @@ -1193,7 +1193,7 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
addsProperty = isStore && isSpecialized && opnd->HasInitialType();
if (produceType)
{
SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block);
}
}
else if (valueInfo->GetJsType() != nullptr)
Expand Down Expand Up @@ -1227,7 +1227,7 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
}
if (produceType)
{
SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block);
}
isSpecialized = !isTypeDead || !objectMayHaveAcquiredAdditionalProperties;
emitsTypeCheck = isSpecialized && objectMayHaveAcquiredAdditionalProperties;
Expand Down Expand Up @@ -1376,11 +1376,11 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
{
if (opnd->IsMono())
{
SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block);
}
else
{
SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block);
}
}
isSpecialized = !isTypeDead;
Expand Down Expand Up @@ -1421,11 +1421,11 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
{
if (opnd->IsMono())
{
SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block);
}
else
{
SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block);
}
}
isSpecialized = !isTypeDead;
Expand Down Expand Up @@ -1788,18 +1788,18 @@ GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, Value* value, BasicBlock* b
}

void
GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block, bool updateExistingValue)
GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block)
{
if (block == nullptr)
{
block = this->currentBlock;
}

SetObjectTypeFromTypeSym(typeSym, type, typeSet, &block->globOptData, updateExistingValue);
SetObjectTypeFromTypeSym(typeSym, type, typeSet, &block->globOptData);
}

void
GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData, bool updateExistingValue)
GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData)
{
Assert(typeSym != nullptr);

Expand All @@ -1810,25 +1810,10 @@ GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, J
blockData = &this->currentBlock->globOptData;
}

if (updateExistingValue)
{
Value* value = blockData->FindValueFromMapDirect(typeSymId);

// If we're trying to update an existing value, the value better exist. We only do this when updating a generic
// value created during loop pre-pass for field hoisting, so we expect the value info to still be blank.
Assert(value != nullptr && value->GetValueInfo() != nullptr && value->GetValueInfo()->IsJsType());
JsTypeValueInfo* valueInfo = value->GetValueInfo()->AsJsType();
Assert(valueInfo->GetJsType() == nullptr && valueInfo->GetJsTypeSet() == nullptr);
UpdateObjectTypeValue(value, type, true, typeSet, true);
}
else
{
JsTypeValueInfo* valueInfo = JsTypeValueInfo::New(this->alloc, type, typeSet);
this->SetSymStoreDirect(valueInfo, typeSym);
Value* value = NewValue(valueInfo);
blockData->SetValue(value, typeSym);
}

JsTypeValueInfo* valueInfo = JsTypeValueInfo::New(this->alloc, type, typeSet);
this->SetSymStoreDirect(valueInfo, typeSym);
Value* value = NewValue(valueInfo);
blockData->SetValue(value, typeSym);
blockData->liveFields->Set(typeSymId);
}

Expand Down
7 changes: 5 additions & 2 deletions lib/Backend/Lower.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -27152,8 +27152,11 @@ void Lowerer::LowerLdFrameDisplay(IR::Instr *instr, bool doStackFrameDisplay)
if (instr->m_func != this->m_func && this->m_func->DoStackFrameDisplay())
{
StackSym * inlineeFrameDisplaySym = instr->m_func->GetLocalFrameDisplaySym();
Assert(inlineeFrameDisplaySym->IsAllocated());
InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);
Assert((inlineeFrameDisplaySym && inlineeFrameDisplaySym->IsAllocated()) || this->m_func->IsLoopBody());
if (inlineeFrameDisplaySym && inlineeFrameDisplaySym->IsAllocated())
{
InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);
}
}
}

Expand Down
2 changes: 1 addition & 1 deletion lib/Common/ChakraCoreVersion.h
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
// ChakraCore version number definitions (used in ChakraCore binary metadata)
#define CHAKRA_CORE_MAJOR_VERSION 1
#define CHAKRA_CORE_MINOR_VERSION 11
#define CHAKRA_CORE_PATCH_VERSION 22
#define CHAKRA_CORE_PATCH_VERSION 23
#define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.

// -------------
Expand Down

0 comments on commit 008e43e

Please sign in to comment.