Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ChakraCore 2018-06 security updates #5298

Merged
merged 4 commits into from
Jun 12, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Build/NuGet/.pack-version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.8.4
1.8.5
2 changes: 1 addition & 1 deletion lib/Backend/Func.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,7 @@ Func::Func(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
ObjTypeSpecFldInfo * info = GetWorkItem()->GetJITTimeInfo()->GetObjTypeSpecFldInfo(i);
if (info != nullptr)
{
Assert(info->GetObjTypeSpecFldId() < GetTopFunc()->GetWorkItem()->GetJITTimeInfo()->GetGlobalObjTypeSpecFldInfoCount());
AssertOrFailFast(info->GetObjTypeSpecFldId() < GetTopFunc()->GetWorkItem()->GetJITTimeInfo()->GetGlobalObjTypeSpecFldInfoCount());
GetTopFunc()->m_globalObjTypeSpecFldInfoArray[info->GetObjTypeSpecFldId()] = info;
}
}
Expand Down
51 changes: 38 additions & 13 deletions lib/Backend/GlobOpt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -12746,6 +12746,8 @@ GlobOpt::DoTrackNewValueForKills(Value *const value)
const bool isJsArray = valueInfo->IsArrayOrObjectWithArray();
Assert(!isJsArray == valueInfo->IsOptimizedTypedArray());

const bool isVirtualTypedArray = valueInfo->IsOptimizedVirtualTypedArray();

Loop *implicitCallsLoop;
if(currentBlock->next && !currentBlock->next->isDeleted && currentBlock->next->isLoopHeader)
{
Expand All @@ -12760,7 +12762,7 @@ GlobOpt::DoTrackNewValueForKills(Value *const value)
implicitCallsLoop = currentBlock->loop;
}

if(isJsArray)
if(isJsArray || isVirtualTypedArray)
{
if(!DoArrayCheckHoist(valueInfo->Type(), implicitCallsLoop))
{
Expand All @@ -12779,7 +12781,7 @@ GlobOpt::DoTrackNewValueForKills(Value *const value)
VerifyArrayValueInfoForTracking(valueInfo, isJsArray, currentBlock);
#endif

if(!isJsArray)
if(!isJsArray && !isVirtualTypedArray)
{
return;
}
Expand Down Expand Up @@ -12815,11 +12817,13 @@ GlobOpt::DoTrackCopiedValueForKills(Value *const value)
const bool isJsArray = valueInfo->IsArrayOrObjectWithArray();
Assert(!isJsArray == valueInfo->IsOptimizedTypedArray());

const bool isVirtualTypedArray = valueInfo->IsOptimizedVirtualTypedArray();

#if DBG
VerifyArrayValueInfoForTracking(valueInfo, isJsArray, currentBlock);
#endif

if(!isJsArray && !(valueInfo->IsArrayValueInfo() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym()))
if(!isJsArray && !isVirtualTypedArray && !(valueInfo->IsArrayValueInfo() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym()))
{
return;
}
Expand Down Expand Up @@ -12862,11 +12866,13 @@ GlobOpt::DoTrackMergedValueForKills(
const bool isJsArray = valueInfo->IsArrayOrObjectWithArray();
Assert(!isJsArray == valueInfo->IsOptimizedTypedArray());

const bool isVirtualTypedArray = valueInfo->IsOptimizedVirtualTypedArray();

#if DBG
VerifyArrayValueInfoForTracking(valueInfo, isJsArray, currentBlock, true);
#endif

if(!isJsArray && !(valueInfo->IsArrayValueInfo() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym()))
if(!isJsArray && !isVirtualTypedArray && !(valueInfo->IsArrayValueInfo() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym()))
{
return;
}
Expand Down Expand Up @@ -12899,6 +12905,7 @@ GlobOpt::TrackValueInfoChangeForKills(BasicBlock *const block, Value *const valu

const bool trackOldValueInfo =
oldValueInfo->IsArrayOrObjectWithArray() ||
oldValueInfo->IsOptimizedVirtualTypedArray() ||
(
oldValueInfo->IsOptimizedTypedArray() &&
oldValueInfo->IsArrayValueInfo() &&
Expand All @@ -12915,6 +12922,7 @@ GlobOpt::TrackValueInfoChangeForKills(BasicBlock *const block, Value *const valu

const bool trackNewValueInfo =
newValueInfo->IsArrayOrObjectWithArray() ||
newValueInfo->IsOptimizedVirtualTypedArray() ||
(
newValueInfo->IsOptimizedTypedArray() &&
newValueInfo->IsArrayValueInfo() &&
Expand Down Expand Up @@ -12983,6 +12991,7 @@ GlobOpt::ProcessValueKills(IR::Instr *const instr)
ValueInfo *const valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());
if (valueInfo->IsArrayOrObjectWithArray() || valueInfo->IsOptimizedVirtualTypedArray())
{
Expand All @@ -13008,6 +13017,7 @@ GlobOpt::ProcessValueKills(IR::Instr *const instr)
ValueInfo *const valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());
if(!valueInfo->IsArrayOrObjectWithArray() || !valueInfo->HasNoMissingValues())
{
Expand All @@ -13028,6 +13038,7 @@ GlobOpt::ProcessValueKills(IR::Instr *const instr)
ValueInfo *const valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());
if(!valueInfo->IsArrayOrObjectWithArray() || valueInfo->HasVarElements())
{
Expand All @@ -13054,6 +13065,7 @@ GlobOpt::ProcessValueKills(IR::Instr *const instr)
ValueInfo *valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());
if(!valueInfo->IsArrayOrObjectWithArray())
{
Expand Down Expand Up @@ -13129,8 +13141,9 @@ GlobOpt::ProcessValueKills(BasicBlock *const block, GlobOptBlockData *const bloc
ValueInfo *const valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());
if(valueInfo->IsArrayOrObjectWithArray())
if(valueInfo->IsArrayOrObjectWithArray() || valueInfo->IsOptimizedVirtualTypedArray())
{
ChangeValueType(nullptr, value, valueInfo->Type().ToLikely(), false);
continue;
Expand Down Expand Up @@ -13163,18 +13176,21 @@ GlobOpt::ProcessValueKillsForLoopHeaderAfterBackEdgeMerge(BasicBlock *const bloc
ValueInfo *valueInfo = value->GetValueInfo();
Assert(
valueInfo->IsArrayOrObjectWithArray() ||
valueInfo->IsOptimizedVirtualTypedArray() ||
valueInfo->IsOptimizedTypedArray() && valueInfo->AsArrayValueInfo()->HeadSegmentLengthSym());

const bool isJsArray = valueInfo->IsArrayOrObjectWithArray();
Assert(!isJsArray == valueInfo->IsOptimizedTypedArray());

if(isJsArray ? loopKills.KillsValueType(valueInfo->Type()) : loopKills.KillsTypedArrayHeadSegmentLengths())
const bool isVirtualTypedArray = valueInfo->IsOptimizedVirtualTypedArray();

if((isJsArray || isVirtualTypedArray) ? loopKills.KillsValueType(valueInfo->Type()) : loopKills.KillsTypedArrayHeadSegmentLengths())
{
// Hoisting array checks and other related things for this type is disabled for the loop due to the kill, as
// compensation code is currently not added on back-edges. When merging values from a back-edge, the array value
// type cannot be definite, as that may require adding compensation code on the back-edge if the optimization pass
// chooses to not optimize the array.
if(isJsArray)
if(isJsArray || isVirtualTypedArray)
{
ChangeValueType(nullptr, value, valueInfo->Type().ToLikely(), false);
}
Expand Down Expand Up @@ -16452,14 +16468,16 @@ void
GlobOpt::OptHoistUpdateValueType(
Loop* loop,
IR::Instr* instr,
IR::Opnd* srcOpnd,
IR::Opnd** srcOpndPtr /* All code paths that change src, should update srcOpndPtr*/,
Value* opndVal)
{
if (opndVal == nullptr || instr->m_opcode == Js::OpCode::FromVar)
if (opndVal == nullptr || instr->m_opcode == Js::OpCode::FromVar || srcOpndPtr == nullptr || *srcOpndPtr == nullptr)
{
return;
}

IR::Opnd* srcOpnd = *srcOpndPtr;

Sym* opndSym = srcOpnd->GetSym();;

if (opndSym)
Expand All @@ -16472,8 +16490,11 @@ GlobOpt::OptHoistUpdateValueType(

if (srcOpnd->GetValueType() != opndValueTypeInLandingPad)
{
srcOpnd->SetValueType(opndValueTypeInLandingPad);

if (instr->m_opcode == Js::OpCode::SetConcatStrMultiItemBE)
{
Assert(!opndSym->IsPropertySym());
Assert(!opndValueTypeInLandingPad.IsString());
Assert(instr->GetDst());

Expand All @@ -16484,6 +16505,9 @@ GlobOpt::OptHoistUpdateValueType(
IR::Instr::New(Js::OpCode::Conv_PrimStr, strOpnd, srcOpnd->Use(instr->m_func), instr->m_func);
instr->ReplaceSrc(srcOpnd, strOpnd);

// Replace above will free srcOpnd, so reassign it
*srcOpndPtr = srcOpnd = reinterpret_cast<IR::Opnd *>(strOpnd);

if (loop->bailOutInfo->bailOutInstr)
{
loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr);
Expand All @@ -16492,9 +16516,10 @@ GlobOpt::OptHoistUpdateValueType(
{
landingPad->InsertAfter(convPrimStrInstr);
}
}

srcOpnd->SetValueType(opndValueTypeInLandingPad);
// If we came here opndSym can't be PropertySym
return;
}
}


Expand Down Expand Up @@ -16528,7 +16553,7 @@ GlobOpt::OptHoistInvariant(
if (src1)
{
// We are hoisting this instruction possibly past other uses, which might invalidate the last use info. Clear it.
OptHoistUpdateValueType(loop, instr, src1, src1Val);
OptHoistUpdateValueType(loop, instr, &src1, src1Val);

if (src1->IsRegOpnd())
{
Expand All @@ -16538,7 +16563,7 @@ GlobOpt::OptHoistInvariant(
IR::Opnd* src2 = instr->GetSrc2();
if (src2)
{
OptHoistUpdateValueType(loop, instr, src2, src2Val);
OptHoistUpdateValueType(loop, instr, &src2, src2Val);

if (src2->IsRegOpnd())
{
Expand Down
2 changes: 1 addition & 1 deletion lib/Backend/GlobOpt.h
Original file line number Diff line number Diff line change
Expand Up @@ -758,7 +758,7 @@ class GlobOpt
bool TryHoistInvariant(IR::Instr *instr, BasicBlock *block, Value *dstVal, Value *src1Val, Value *src2Val, bool isNotTypeSpecConv,
const bool lossy = false, const bool forceInvariantHoisting = false, IR::BailOutKind bailoutKind = IR::BailOutInvalid);
void HoistInvariantValueInfo(ValueInfo *const invariantValueInfoToHoist, Value *const valueToUpdate, BasicBlock *const targetBlock);
void OptHoistUpdateValueType(Loop* loop, IR::Instr* instr, IR::Opnd* srcOpnd, Value *const srcVal);
void OptHoistUpdateValueType(Loop* loop, IR::Instr* instr, IR::Opnd** srcOpndPtr, Value *const srcVal);
public:
static bool IsTypeSpecPhaseOff(Func const * func);
static bool DoAggressiveIntTypeSpec(Func const * func);
Expand Down
2 changes: 1 addition & 1 deletion lib/Common/ChakraCoreVersion.h
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
// ChakraCore version number definitions (used in ChakraCore binary metadata)
#define CHAKRA_CORE_MAJOR_VERSION 1
#define CHAKRA_CORE_MINOR_VERSION 8
#define CHAKRA_CORE_PATCH_VERSION 4
#define CHAKRA_CORE_PATCH_VERSION 5
#define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.

// -------------
Expand Down