deps: update ChakraCore to chakra-core/ChakraCore@fffb4e24be

[MERGE #4226 @leirocks] 17-11 Security Update

Merge pull request #4226 from leirocks:1711-1

17-11 Security Update that addresses the following issues in ChakraCore

CVE-2017-11791
CVE-2017-11836
CVE-2017-11837
CVE-2017-11838
CVE-2017-11840
CVE-2017-11841
CVE-2017-11843
CVE-2017-11846
CVE-2017-11858
CVE-2017-11861
CVE-2017-11862
CVE-2017-11870
CVE-2017-11871
CVE-2017-11873
CVE-2017-11874
CVE-2017-11866
CVE-2017-11859

Reviewed-By: chakrabot <chakrabot@users.noreply.github.com>

Author: leirocks

deps/chakrashim/core/Build/NuGet/.pack-version

@@ -1 +1 @@
-1.7.3
+1.7.4

deps/chakrashim/core/lib/Backend/Backend.h

@@ -139,6 +139,7 @@ enum IRDumpFlags
 #include "SymTable.h"
 #include "IR.h"
 #include "Opnd.h"
+#include "IntConstMath.h"
 #include "IntOverflowDoesNotMatterRange.h"
 #include "IntConstantBounds.h"
 #include "ValueRelativeOffset.h"

deps/chakrashim/core/lib/Backend/BackwardPass.cpp

@@ -2047,8 +2047,8 @@ BackwardPass::ProcessBailOutInfo(IR::Instr * instr)
 bool
 BackwardPass::IsImplicitCallBailOutCurrentlyNeeded(IR::Instr * instr, bool mayNeedImplicitCallBailOut, bool hasLiveFields)
 {
-    return this->globOpt->IsImplicitCallBailOutCurrentlyNeeded(
-        instr, nullptr, nullptr, this->currentBlock, hasLiveFields, mayNeedImplicitCallBailOut, false);
+    return this->globOpt->IsImplicitCallBailOutCurrentlyNeeded(instr, nullptr, nullptr, this->currentBlock, hasLiveFields, mayNeedImplicitCallBailOut, false) ||
+        this->NeedBailOutOnImplicitCallsForTypedArrayStore(instr);
 }
 
 void
@@ -2235,6 +2235,30 @@ BackwardPass::DeadStoreImplicitCallBailOut(IR::Instr * instr, bool hasLiveFields
     }
 }
 
+bool
+BackwardPass::NeedBailOutOnImplicitCallsForTypedArrayStore(IR::Instr* instr)
+{
+    if ((instr->m_opcode == Js::OpCode::StElemI_A || instr->m_opcode == Js::OpCode::StElemI_A_Strict) &&
+        instr->GetDst()->IsIndirOpnd() &&
+        instr->GetDst()->AsIndirOpnd()->GetBaseOpnd()->GetValueType().IsLikelyTypedArray())
+    {
+        IR::Opnd * opnd = instr->GetSrc1();
+        if (opnd->IsRegOpnd())
+        {
+            return !opnd->AsRegOpnd()->GetValueType().IsPrimitive() &&
+                !opnd->AsRegOpnd()->m_sym->IsInt32() &&
+                !opnd->AsRegOpnd()->m_sym->IsFloat64() &&
+                !opnd->AsRegOpnd()->m_sym->IsFloatConst() &&
+                !opnd->AsRegOpnd()->m_sym->IsIntConst();
+        }
+        else
+        {
+            Assert(opnd->IsIntConstOpnd() || opnd->IsInt64ConstOpnd() || opnd->IsFloat32ConstOpnd() || opnd->IsFloatConstOpnd() || opnd->IsAddrOpnd());
+        }
+    }
+    return false;
+}
+
 void
 BackwardPass::ProcessPendingPreOpBailOutInfo(IR::Instr *const currentInstr)
 {

deps/chakrashim/core/lib/Backend/BackwardPass.h

@@ -101,6 +101,7 @@ class BackwardPass
     void DeadStoreImplicitCallBailOut(IR::Instr * instr, bool hasLiveFields);
     void DeadStoreTypeCheckBailOut(IR::Instr * instr);
     bool IsImplicitCallBailOutCurrentlyNeeded(IR::Instr * instr, bool mayNeedImplicitCallBailOut, bool hasLiveFields);
+    bool NeedBailOutOnImplicitCallsForTypedArrayStore(IR::Instr* instr);
     bool TrackNoImplicitCallInlinees(IR::Instr *instr);
     bool ProcessBailOnNoProfile(IR::Instr *instr, BasicBlock *block);
 

deps/chakrashim/core/lib/Backend/CMakeLists.txt

@@ -39,6 +39,7 @@ add_library (Chakra.Backend OBJECT
     InliningDecider.cpp
     InliningHeuristics.cpp
     IntBounds.cpp
+    IntConstMath.cpp
     InterpreterThunkEmitter.cpp
     JITThunkEmitter.cpp
     JITOutput.cpp

deps/chakrashim/core/lib/Backend/Chakra.Backend.vcxproj

@@ -218,6 +218,7 @@
     <ClCompile Include="$(MSBuildThisFileDirectory)GlobOptBlockData.cpp" />
     <ClCompile Include="$(MSBuildThisFileDirectory)ValueInfo.cpp" />
     <ClCompile Include="$(MSBuildThisFileDirectory)JITThunkEmitter.cpp" />
+    <ClCompile Include="$(MSBuildThisFileDirectory)IntConstMath.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="AgenPeeps.h" />
@@ -259,6 +260,7 @@
     <ClInclude Include="FunctionJITRuntimeInfo.h" />
     <ClInclude Include="FunctionJITTimeInfo.h" />
     <ClInclude Include="GlobOptBlockData.h" />
+    <ClInclude Include="IntConstMath.h" />
     <ClInclude Include="IRBaseTypeList.h" />
     <ClInclude Include="IRBuilderAsmJs.h" />
     <ClInclude Include="BackendOpCodeAttrAsmJs.h" />

deps/chakrashim/core/lib/Backend/Chakra.Backend.vcxproj.filters

@@ -130,6 +130,7 @@
     <ClCompile Include="$(MSBuildThisFileDirectory)GlobOptBlockData.cpp" />
     <ClCompile Include="$(MSBuildThisFileDirectory)ValueInfo.cpp" />
     <ClCompile Include="$(MSBuildThisFileDirectory)JITThunkEmitter.cpp" />
+    <ClCompile Include="$(MSBuildThisFileDirectory)IntConstMath.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="AgenPeeps.h" />
@@ -345,6 +346,7 @@
     <ClInclude Include="GlobOptBlockData.h" />
     <ClInclude Include="ValueInfo.h" />
     <ClInclude Include="JITThunkEmitter.h" />
+    <ClInclude Include="IntConstMath.h" />
   </ItemGroup>
   <ItemGroup>
     <MASM Include="$(MSBuildThisFileDirectory)amd64\LinearScanMdA.asm">

deps/chakrashim/core/lib/Backend/CodeGenAllocators.cpp

@@ -5,10 +5,10 @@
 #include "Backend.h"
 
 template<typename TAlloc, typename TPreReservedAlloc>
-CodeGenAllocators<TAlloc, TPreReservedAlloc>::CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle)
+CodeGenAllocators<TAlloc, TPreReservedAlloc>::CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, ThreadContextInfo * threadContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle)
 : pageAllocator(policyManager, Js::Configuration::Global.flags, PageAllocatorType_BGJIT, 0)
 , allocator(_u("NativeCode"), &pageAllocator, Js::Throw::OutOfMemory)
-, emitBufferManager(&allocator, codePageAllocators, scriptContext, _u("JIT code buffer"), processHandle)
+, emitBufferManager(&allocator, codePageAllocators, scriptContext, threadContext, _u("JIT code buffer"), processHandle)
 #if !_M_X64_OR_ARM64 && _CONTROL_FLOW_GUARD
 , canCreatePreReservedSegment(false)
 #endif

deps/chakrashim/core/lib/Backend/CodeGenAllocators.h

@@ -17,7 +17,7 @@ class CodeGenAllocators
     bool canCreatePreReservedSegment;
 #endif
 
-    CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle);
+    CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, ThreadContextInfo * threadContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle);
     ~CodeGenAllocators();
 
 #if DBG

deps/chakrashim/core/lib/Backend/CodeGenWorkItem.cpp

@@ -205,7 +205,7 @@ void CodeGenWorkItem::OnWorkItemProcessFail(NativeCodeGenerator* codeGen)
 #if DBG
         this->allocation->allocation->isNotExecutableBecauseOOM = true;
 #endif
-        codeGen->FreeNativeCodeGenAllocation(this->allocation->allocation->address, nullptr);
+        codeGen->FreeNativeCodeGenAllocation(this->allocation->allocation->address);
     }
 }