Skip to content

Commit

Permalink
[1.8>1.9] [MERGE #4963 @rajatd] ChakraCore 2018-04 security updates
Browse files Browse the repository at this point in the history
Merge pull request #4963 from rajatd:servicing/1804
  • Loading branch information
rajatd committed Apr 10, 2018
2 parents 7f1ab68 + c259f22 commit 495de1a
Show file tree
Hide file tree
Showing 26 changed files with 475 additions and 245 deletions.
39 changes: 35 additions & 4 deletions lib/Backend/GlobOpt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -14402,7 +14402,8 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
currentBlock->next,
hoistBlock,
hoistInfo.IndexSym(),
hoistInfo.IndexValueNumber());
hoistInfo.IndexValueNumber(),
true);
it.IsValid();
it.MoveNext())
{
Expand Down Expand Up @@ -14670,7 +14671,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
Assert(!hoistInfo.Loop() || hoistBlock != currentBlock);
if(hoistBlock != currentBlock)
{
for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr);
for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr, InvalidValueNumber, true);
it.IsValid();
it.MoveNext())
{
Expand Down Expand Up @@ -17116,12 +17117,15 @@ InvariantBlockBackwardIterator::InvariantBlockBackwardIterator(
BasicBlock *const exclusiveBeginBlock,
BasicBlock *const inclusiveEndBlock,
StackSym *const invariantSym,
const ValueNumber invariantSymValueNumber)
const ValueNumber invariantSymValueNumber,
bool followFlow)
: globOpt(globOpt),
exclusiveEndBlock(inclusiveEndBlock->prev),
invariantSym(invariantSym),
invariantSymValueNumber(invariantSymValueNumber),
block(exclusiveBeginBlock)
block(exclusiveBeginBlock),
blockBV(globOpt->tempAlloc),
followFlow(followFlow)
#if DBG
,
inclusiveEndBlock(inclusiveEndBlock)
Expand Down Expand Up @@ -17159,6 +17163,11 @@ InvariantBlockBackwardIterator::MoveNext()
break;
}

if (!this->UpdatePredBlockBV())
{
continue;
}

if(block->isDeleted)
{
continue;
Expand Down Expand Up @@ -17186,6 +17195,28 @@ InvariantBlockBackwardIterator::MoveNext()
}
}

bool
InvariantBlockBackwardIterator::UpdatePredBlockBV()
{
if (!this->followFlow)
{
return true;
}

// Track blocks we've visited to ensure that we only iterate over predecessor blocks
if (!this->blockBV.IsEmpty() && !this->blockBV.Test(this->block->GetBlockNum()))
{
return false;
}

FOREACH_SLISTBASECOUNTED_ENTRY(FlowEdge*, edge, this->block->GetPredList())
{
this->blockBV.Set(edge->GetPred()->GetBlockNum());
} NEXT_SLISTBASECOUNTED_ENTRY;

return true;
}

BasicBlock *
InvariantBlockBackwardIterator::Block() const
{
Expand Down
5 changes: 4 additions & 1 deletion lib/Backend/GlobOpt.h
Original file line number Diff line number Diff line change
Expand Up @@ -364,13 +364,16 @@ class InvariantBlockBackwardIterator
const ValueNumber invariantSymValueNumber;
BasicBlock *block;
Value *invariantSymValue;
BVSparse<JitArenaAllocator> blockBV;
bool followFlow;

#if DBG
BasicBlock *const inclusiveEndBlock;
#endif

bool UpdatePredBlockBV();
public:
InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber);
InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber, bool followFlow = false);

public:
bool IsValid() const;
Expand Down
2 changes: 1 addition & 1 deletion lib/Runtime/Base/ThreadContext.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ const Js::PropertyRecord * const ThreadContext::builtInPropertyRecords[] =
};

ThreadContext::RecyclableData::RecyclableData(Recycler *const recycler) :
pendingFinallyException(nullptr),
soErrorObject(nullptr, nullptr, nullptr, true),
oomErrorObject(nullptr, nullptr, nullptr, true),
terminatedErrorObject(nullptr, nullptr, nullptr),
Expand All @@ -94,7 +95,6 @@ ThreadContext::ThreadContext(AllocationPolicyManager * allocationPolicyManager,
isThreadBound(false),
hasThrownPendingException(false),
hasBailedOutBitPtr(nullptr),
pendingFinallyException(nullptr),
noScriptScope(false),
heapEnum(nullptr),
threadContextFlags(ThreadContextFlagNoFlag),
Expand Down
8 changes: 4 additions & 4 deletions lib/Runtime/Base/ThreadContext.h
Original file line number Diff line number Diff line change
Expand Up @@ -443,8 +443,6 @@ class ThreadContext sealed :

private:
const Js::PropertyRecord * emptyStringPropertyRecord;

Js::JavascriptExceptionObject * pendingFinallyException;
bool noScriptScope;

#ifdef ENABLE_SCRIPT_DEBUGGING
Expand Down Expand Up @@ -559,6 +557,8 @@ class ThreadContext sealed :
Field(Js::TempArenaAllocatorObject *) temporaryArenaAllocators[MaxTemporaryArenaAllocators];
Field(Js::TempGuestArenaAllocatorObject *) temporaryGuestArenaAllocators[MaxTemporaryArenaAllocators];

Field(Js::JavascriptExceptionObject *) pendingFinallyException;

Field(Js::JavascriptExceptionObject *) exceptionObject;
Field(bool) propagateException;

Expand Down Expand Up @@ -1294,12 +1294,12 @@ class ThreadContext sealed :

void SetPendingFinallyException(Js::JavascriptExceptionObject * exceptionObj)
{
pendingFinallyException = exceptionObj;
recyclableData->pendingFinallyException = exceptionObj;
}

Js::JavascriptExceptionObject * GetPendingFinallyException()
{
return pendingFinallyException;
return recyclableData->pendingFinallyException;
}

Js::EntryPointInfo ** RegisterEquivalentTypeCacheEntryPoint(Js::EntryPointInfo * entryPoint);
Expand Down
Loading

0 comments on commit 495de1a

Please sign in to comment.