[1.11>master] [1.10>1.11] [MERGE #5764 @thomasmo] October 2018 Security Update

Thomas Moore (CHAKRA) · Thomas Moore (CHAKRA) · commit 090b2585649d · 2018-10-10T08:29:48.000-07:00
Merge pull request #5764 from thomasmo:1810 October 2018 Security Update that addresses the following issues in ChakraCore: CVE-2018-8473 CVE-2018-8500 CVE-2018-8503 CVE-2018-8505 CVE-2018-8510 CVE-2018-8511 CVE-2018-8513
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -1017,27 +1017,16 @@ BOOL GlobOpt::PRE::PreloadPRECandidate(Loop *loop, GlobHashBucket* candidate)
     // Create instr to put in landing pad for compensation
     Assert(IsPREInstrCandidateLoad(ldInstrInLoop->m_opcode));
 
-    IR::Instr * ldInstr = InsertPropertySymPreloadWithoutDstInLandingPad(ldInstrInLoop, loop, propertySym);
+    IR::Instr * ldInstr = InsertPropertySymPreloadInLandingPad(ldInstrInLoop, loop, propertySym);
     if (!ldInstr)
     {
         return false;
     }
 
     Assert(ldInstr->GetDst() == nullptr);
-    if (ldInstrInLoop->GetDst())
-    {
-        Assert(ldInstrInLoop->GetDst()->IsRegOpnd());
-        if (ldInstrInLoop->GetDst()->AsRegOpnd()->m_sym != symStore)
-        {
-            ldInstr->SetDst(IR::RegOpnd::New(symStore->AsStackSym(), TyVar, this->globOpt->func));
-            loop->fieldPRESymStores->Set(symStore->m_id);
-        }
-        else
-        {
-            ldInstr->SetDst(ldInstrInLoop->GetDst()->Copy(ldInstrInLoop->m_func));
-        }
-        landingPad->globOptData.liveVarSyms->Set(ldInstr->GetDst()->AsRegOpnd()->m_sym->m_id);
-    }
+    ldInstr->SetDst(IR::RegOpnd::New(symStore->AsStackSym(), TyVar, this->globOpt->func));
+    loop->fieldPRESymStores->Set(symStore->m_id);
+    landingPad->globOptData.liveVarSyms->Set(symStore->m_id);
 
     Value * objPtrValue = landingPad->globOptData.FindValue(objPtrSym);
 
@@ -3318,7 +3307,7 @@ GlobOpt::OptSrc(IR::Opnd *opnd, IR::Instr * *pInstr, Value **indirIndexValRef, I
                 // Can this be done in one call?
                 if (!this->prePassInstrMap->ContainsKey(sym->m_id))
                 {
-                    this->prePassInstrMap->AddNew(sym->m_id, instr);
+                    this->prePassInstrMap->AddNew(sym->m_id, instr->CopyWithoutDst());
                 }
             }
         }
@@ -17492,7 +17481,7 @@ GlobOpt::PRE::InsertSymDefinitionInLandingPad(StackSym * sym, Loop * loop, Sym *
                 // #1 is done next. #2 and #3 are done as part of preloading T1.y
 
                 // Insert T1 = o.x
-                if (!InsertPropertySymPreloadInLandingPad(symDefInstr, loop, propSym))
+                if (!InsertPropertySymPreloadInLandingPad(symDefInstr->Copy(), loop, propSym))
                 {
                     return false;
                 }
@@ -17505,7 +17494,7 @@ GlobOpt::PRE::InsertSymDefinitionInLandingPad(StackSym * sym, Loop * loop, Sym *
                 if (loop->landingPad->globOptData.IsLive(*objPtrCopyPropSym))
                 {
                     // insert T1 = o.x
-                    if (!InsertPropertySymPreloadInLandingPad(symDefInstr, loop, propSym))
+                    if (!InsertPropertySymPreloadInLandingPad(symDefInstr->Copy(), loop, propSym))
                     {
                         return false;
                     }
@@ -17593,25 +17582,6 @@ GlobOpt::PRE::InsertInstrInLandingPad(IR::Instr * instr, Loop * loop)
 
 IR::Instr *
 GlobOpt::PRE::InsertPropertySymPreloadInLandingPad(IR::Instr * ldInstr, Loop * loop, PropertySym * propertySym)
-{
-    IR::Instr * instr = InsertPropertySymPreloadWithoutDstInLandingPad(ldInstr, loop, propertySym);
-    if (!instr)
-    {
-        return nullptr;
-    }
-
-    if (ldInstr->GetDst())
-    {
-        instr->SetDst(ldInstr->GetDst()->Copy(ldInstr->m_func));
-        instr->GetDst()->SetIsJITOptimizedReg(true);
-        loop->landingPad->globOptData.liveVarSyms->Set(instr->GetDst()->GetStackSym()->m_id);
-    }
-
-    return instr;
-}
-
-IR::Instr *
-GlobOpt::PRE::InsertPropertySymPreloadWithoutDstInLandingPad(IR::Instr * ldInstr, Loop * loop, PropertySym * propertySym)
 {
     IR::SymOpnd *ldSrc = ldInstr->GetSrc1()->AsSymOpnd();
 
@@ -17626,8 +17596,6 @@ GlobOpt::PRE::InsertPropertySymPreloadWithoutDstInLandingPad(IR::Instr * ldInstr
         }
     }
 
-    ldInstr = ldInstr->CopyWithoutDst();
-
     // Consider: Shouldn't be necessary once we have copy-prop in prepass...
     ldInstr->GetSrc1()->AsSymOpnd()->m_sym = propertySym;
     ldSrc = ldInstr->GetSrc1()->AsSymOpnd();
@@ -17641,6 +17609,11 @@ GlobOpt::PRE::InsertPropertySymPreloadWithoutDstInLandingPad(IR::Instr * ldInstr
         ldInstr->ReplaceSrc1(newPropSymOpnd);
     }
 
+    if (ldInstr->GetDst())
+    {
+        loop->landingPad->globOptData.liveVarSyms->Set(ldInstr->GetDst()->GetStackSym()->m_id);
+    }
+
     InsertInstrInLandingPad(ldInstr, loop);
 
     return ldInstr;
diff --git a/lib/Backend/GlobOpt.h b/lib/Backend/GlobOpt.h
@@ -1030,7 +1030,6 @@ class GlobOpt::PRE
     void                    FindPossiblePRECandidates(Loop *loop, JitArenaAllocator *alloc);
     void                    PreloadPRECandidates(Loop *loop);
     BOOL                    PreloadPRECandidate(Loop *loop, GlobHashBucket* candidate);
-    IR::Instr *             InsertPropertySymPreloadWithoutDstInLandingPad(IR::Instr * origLdInstr, Loop * loop, PropertySym * propertySym);
     IR::Instr *             InsertPropertySymPreloadInLandingPad(IR::Instr * origLdInstr, Loop * loop, PropertySym * propertySym);
     void                    InsertInstrInLandingPad(IR::Instr * instr, Loop * loop);
     bool                    InsertSymDefinitionInLandingPad(StackSym * sym, Loop * loop, Sym ** objPtrCopyPropSym);
diff --git a/lib/Backend/GlobOptArrays.cpp b/lib/Backend/GlobOptArrays.cpp
@@ -330,7 +330,8 @@ void GlobOpt::ArraySrcOpt::CheckVirtualArrayBounds()
                 {
                     Assert(instr->m_opcode == Js::OpCode::InlineArrayPush ||
                         instr->m_opcode == Js::OpCode::InlineArrayPop ||
-                        instr->m_opcode == Js::OpCode::LdLen_A);
+                        instr->m_opcode == Js::OpCode::LdLen_A ||
+                        instr->m_opcode == Js::OpCode::IsIn);
                 }
 
                 eliminatedLowerBoundCheck = true;
@@ -1998,6 +1999,8 @@ void GlobOpt::ArraySrcOpt::Optimize()
         {
             TRACE_TESTTRACE_PHASE_INSTR(Js::Phase::BoundCheckEliminationPhase, instr, _u("Eliminating IsIn\n"));
 
+            globOpt->CaptureByteCodeSymUses(instr);
+
             instr->m_opcode = Js::OpCode::Ld_A;
 
             IR::AddrOpnd * addrOpnd = IR::AddrOpnd::New(func->GetScriptContextInfo()->GetTrueAddr(), IR::AddrOpndKindDynamicVar, func, true);
diff --git a/lib/Backend/GlobOptBailOut.cpp b/lib/Backend/GlobOptBailOut.cpp
@@ -201,7 +201,7 @@ GlobOpt::CaptureValuesIncremental(BasicBlock * block,
     NEXT_BITSET_IN_SPARSEBV
 
     // If, after going over the set of changed syms since the last time we captured values,
-    // there are remaining unprocessed entries in the current captured values set, 
+    // there are remaining unprocessed entries in the current captured values set,
     // they can simply be copied over to the new bailout info.
     while (hasConstValue)
     {
@@ -272,7 +272,7 @@ GlobOpt::CaptureValues(BasicBlock *block, BailOutInfo * bailOutInfo, BVSparse<Ji
     bailOutInfo->capturedValues->copyPropSyms.Clear(this->func->m_alloc);
     bailOutCopySymsIter.SetNext(&bailOutInfo->capturedValues->copyPropSyms);
     bailOutInfo->capturedValues->copyPropSyms = capturedValues.copyPropSyms;
-    
+
     // In pre-pass only bailout info created should be for the loop header, and that doesn't take into account the back edge.
     // Don't use the captured values on that bailout for incremental capturing of values.
     if (!PHASE_OFF(Js::IncrementalBailoutPhase, func) && !this->IsLoopPrePass())
@@ -591,6 +591,8 @@ GlobOpt::TrackCalls(IR::Instr * instr)
         this->EndTrackCall(instr);
 
         InlineeFrameInfo* inlineeFrameInfo = InlineeFrameInfo::New(instr->m_func->m_alloc);
+        inlineeFrameInfo->functionSymStartValue = instr->GetSrc1()->GetSym() ?
+            CurrentBlockData()->FindValue(instr->GetSrc1()->GetSym()) : nullptr;
         inlineeFrameInfo->floatSyms = CurrentBlockData()->liveFloat64Syms->CopyNew(this->alloc);
         inlineeFrameInfo->intSyms = CurrentBlockData()->liveInt32Syms->MinusNew(CurrentBlockData()->liveLossyInt32Syms, this->alloc);
         inlineeFrameInfo->varSyms = CurrentBlockData()->liveVarSyms->CopyNew(this->alloc);
@@ -605,7 +607,7 @@ GlobOpt::TrackCalls(IR::Instr * instr)
             instr->m_func->cachedInlineeFrameInfo = inlineeFrameInfo;
         }
         break;
-    }    
+    }
 
     case Js::OpCode::EndCallForPolymorphicInlinee:
         // Have this opcode mimic the functions of both InlineeStart and InlineeEnd in the bailout block of a polymorphic call inlined using fixed methods.
@@ -780,6 +782,15 @@ void GlobOpt::RecordInlineeFrameInfo(IR::Instr* inlineeEnd)
             }
             else
             {
+                // If the value of the functionObject symbol has changed between the inlineeStart and the inlineeEnd,
+                // we don't record the inlinee frame info (see OS#18318884).
+                Assert(frameInfo->functionSymStartValue != nullptr);
+                if (!frameInfo->functionSymStartValue->IsEqualTo(CurrentBlockData()->FindValue(functionObject->m_sym)))
+                {
+                    argInstr->m_func->DisableCanDoInlineArgOpt();
+                    return true;
+                }
+
                 frameInfo->function = InlineFrameInfoValue(functionObject->m_sym);
             }
         }
@@ -1171,7 +1182,7 @@ GlobOpt::MaySrcNeedBailOnImplicitCall(IR::Opnd const * opnd, Value const * val)
     case IR::OpndKindReg:
         // Only need implicit call if the operation will call ToPrimitive and we haven't prove
         // that it is already a primitive
-        return 
+        return
             !(val && val->GetValueInfo()->IsPrimitive()) &&
             !opnd->AsRegOpnd()->GetValueType().IsPrimitive() &&
             !opnd->AsRegOpnd()->m_sym->IsInt32() &&
diff --git a/lib/Backend/InlineeFrameInfo.h b/lib/Backend/InlineeFrameInfo.h
@@ -5,6 +5,8 @@
 
 #pragma once
 
+class Value;
+
 struct BailoutConstantValue {
 public:
     void InitIntConstValue(int32 value) { this->type = TyInt32; this->u.intConst.value = (IntConstType)value; };
@@ -150,6 +152,7 @@ struct InlineeFrameInfo
     BVSparse<JitArenaAllocator>* floatSyms;
     BVSparse<JitArenaAllocator>* intSyms;
     BVSparse<JitArenaAllocator>* varSyms;
+    Value* functionSymStartValue;
 
     bool isRecorded;
 
diff --git a/lib/Runtime/Base/FunctionBody.cpp b/lib/Runtime/Base/FunctionBody.cpp
@@ -2119,7 +2119,7 @@ namespace Js
     {
         FunctionTypeWeakRefList* typeList = EnsureFunctionObjectTypeList();
 
-        Assert(functionType != deferredPrototypeType);
+        Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType);
         Recycler * recycler = this->GetScriptContext()->GetRecycler();
         FunctionTypeWeakRef* weakRef = recycler->CreateWeakReferenceHandle(functionType);
         typeList->SetAtFirstFreeSpot(weakRef);
diff --git a/lib/Runtime/Base/FunctionBody.h b/lib/Runtime/Base/FunctionBody.h
@@ -1088,8 +1088,10 @@ namespace Js
             {
                 func(this->deferredPrototypeType);
             }
-            // NOTE: We deliberately do not map the undeferredFunctionType here, since it's in the list
-            // of registered function object types we processed above.
+            if (this->undeferredFunctionType)
+            {
+                func(this->undeferredFunctionType);
+            }
         }
 
         static uint GetOffsetOfDeferredPrototypeType() { return static_cast<uint>(offsetof(Js::FunctionProxy, deferredPrototypeType)); }
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -4953,13 +4953,18 @@ using namespace Js;
                 }
                 else if (instanceType == TypeIds_NativeIntArray)
                 {
-                    // Only accept tagged int. Also covers case for MissingItem
+                    // Only accept tagged int.
                     if (!TaggedInt::Is(value))
                     {
                         return false;
                     }
                     int32 intValue = 0;
                     if (!MemsetConversion<int32, JavascriptConversion::ToInt32>(value, scriptContext, &intValue))
+                    {
+                        return false;
+                    }
+                     // Special case for missing item
+                    if (SparseArraySegment<int32>::IsMissingItem(&intValue))
                     {
                         return false;
                     }
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -1490,13 +1490,11 @@ using namespace Js;
 
             bool isTaggedInt = TaggedInt::Is(item);
             bool isTaggedIntMissingValue = false;
-#ifdef TARGET_64
             if (isTaggedInt)
             {
                 int32 iValue = TaggedInt::ToInt32(item);
                 isTaggedIntMissingValue = Js::SparseArraySegment<int32>::IsMissingItem(&iValue);
             }
-#endif
             if (isTaggedInt && !isTaggedIntMissingValue)
             {
                 // This is taggedInt case and we verified that item is not missing value in AMD64.
@@ -3426,16 +3424,12 @@ using namespace Js;
             {
                 if (TaggedInt::Is(aItem))
                 {
-                    pDestArray->DirectSetItemAt(idxDest, TaggedInt::ToInt32(aItem));
+                    int32 int32Value = TaggedInt::ToInt32(aItem);
+                    Assert(!SparseArraySegment<int32>::IsMissingItem(&int32Value));
+                    pDestArray->DirectSetItemAt(idxDest, int32Value);
                 }
                 else
                 {
-#if DBG
-                    int32 int32Value;
-                    Assert(
-                        JavascriptNumber::TryGetInt32Value(JavascriptNumber::GetValue(aItem), &int32Value) &&
-                        !SparseArraySegment<int32>::IsMissingItem(&int32Value));
-#endif
                     pDestArray->DirectSetItemAt(idxDest, static_cast<int32>(JavascriptNumber::GetValue(aItem)));
                 }
                 ++idxDest;
diff --git a/lib/Runtime/Types/PathTypeHandler.cpp b/lib/Runtime/Types/PathTypeHandler.cpp
@@ -1512,6 +1512,9 @@ namespace Js
                 if (!(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor))
                 {
                     // Setter without a getter; this is a stale entry, so ignore it
+                    // Just consume the slot so no descriptor refers to it.
+                    Assert(i == newTypeHandler->nextPropertyIndex);
+                    ::Math::PostInc(newTypeHandler->nextPropertyIndex);
                     continue;
                 }
                 Assert(oldTypeHandler->GetSetterSlotIndex(descriptor->GetDataPropertyIndex<false>()) == newTypeHandler->nextPropertyIndex);

Original file line number	Diff line number	Diff line change
`@@ -330,7 +330,8 @@ void GlobOpt::ArraySrcOpt::CheckVirtualArrayBounds()`
`330`	`330`	`{`
`331`	`331`	`Assert(instr->m_opcode == Js::OpCode::InlineArrayPush \|\|`
`332`	`332`	`instr->m_opcode == Js::OpCode::InlineArrayPop \|\|`
`333`		`- instr->m_opcode == Js::OpCode::LdLen_A);`
	`333`	`+ instr->m_opcode == Js::OpCode::LdLen_A \|\|`
	`334`	`+ instr->m_opcode == Js::OpCode::IsIn);`
`334`	`335`	`}`
`335`	`336`
`336`	`337`	`eliminatedLowerBoundCheck = true;`
`@@ -1998,6 +1999,8 @@ void GlobOpt::ArraySrcOpt::Optimize()`
`1998`	`1999`	`{`
`1999`	`2000`	`TRACE_TESTTRACE_PHASE_INSTR(Js::Phase::BoundCheckEliminationPhase, instr, _u("Eliminating IsIn\n"));`
`2000`	`2001`
	`2002`	`+ globOpt->CaptureByteCodeSymUses(instr);`
	`2003`	`+`
`2001`	`2004`	`instr->m_opcode = Js::OpCode::Ld_A;`
`2002`	`2005`
`2003`	`2006`	`IR::AddrOpnd * addrOpnd = IR::AddrOpnd::New(func->GetScriptContextInfo()->GetTrueAddr(), IR::AddrOpndKindDynamicVar, func, true);`
Original file line number	Diff line number	Diff line change
`@@ -2119,7 +2119,7 @@ namespace Js`
`2119`	`2119`	`{`
`2120`	`2120`	`FunctionTypeWeakRefList* typeList = EnsureFunctionObjectTypeList();`
`2121`	`2121`
`2122`		`- Assert(functionType != deferredPrototypeType);`
	`2122`	`+ Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType);`
`2123`	`2123`	`Recycler * recycler = this->GetScriptContext()->GetRecycler();`
`2124`	`2124`	`FunctionTypeWeakRef* weakRef = recycler->CreateWeakReferenceHandle(functionType);`
`2125`	`2125`	`typeList->SetAtFirstFreeSpot(weakRef);`
Original file line number	Diff line number	Diff line change
`@@ -1088,8 +1088,10 @@ namespace Js`
`1088`	`1088`	`{`
`1089`	`1089`	`func(this->deferredPrototypeType);`
`1090`	`1090`	`}`
`1091`		`- // NOTE: We deliberately do not map the undeferredFunctionType here, since it's in the list`
`1092`		`- // of registered function object types we processed above.`
	`1091`	`+ if (this->undeferredFunctionType)`
	`1092`	`+ {`
	`1093`	`+ func(this->undeferredFunctionType);`
	`1094`	`+ }`
`1093`	`1095`	`}`
`1094`	`1096`
`1095`	`1097`	`static uint GetOffsetOfDeferredPrototypeType() { return static_cast<uint>(offsetof(Js::FunctionProxy, deferredPrototypeType)); }`
Original file line number	Diff line number	Diff line change
`@@ -4953,13 +4953,18 @@ using namespace Js;`
`4953`	`4953`	`}`
`4954`	`4954`	`else if (instanceType == TypeIds_NativeIntArray)`
`4955`	`4955`	`{`
`4956`		`- // Only accept tagged int. Also covers case for MissingItem`
	`4956`	`+ // Only accept tagged int.`
`4957`	`4957`	`if (!TaggedInt::Is(value))`
`4958`	`4958`	`{`
`4959`	`4959`	`return false;`
`4960`	`4960`	`}`
`4961`	`4961`	`int32 intValue = 0;`
`4962`	`4962`	`if (!MemsetConversion<int32, JavascriptConversion::ToInt32>(value, scriptContext, &intValue))`
	`4963`	`+ {`
	`4964`	`+ return false;`
	`4965`	`+ }`
	`4966`	`+ // Special case for missing item`
	`4967`	`+ if (SparseArraySegment<int32>::IsMissingItem(&intValue))`
`4963`	`4968`	`{`
`4964`	`4969`	`return false;`
`4965`	`4970`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1490,13 +1490,11 @@ using namespace Js;`
`1490`	`1490`
`1491`	`1491`	`bool isTaggedInt = TaggedInt::Is(item);`
`1492`	`1492`	`bool isTaggedIntMissingValue = false;`
`1493`		`-#ifdef TARGET_64`
`1494`	`1493`	`if (isTaggedInt)`
`1495`	`1494`	`{`
`1496`	`1495`	`int32 iValue = TaggedInt::ToInt32(item);`
`1497`	`1496`	`isTaggedIntMissingValue = Js::SparseArraySegment<int32>::IsMissingItem(&iValue);`
`1498`	`1497`	`}`
`1499`		`-#endif`
`1500`	`1498`	`if (isTaggedInt && !isTaggedIntMissingValue)`
`1501`	`1499`	`{`
`1502`	`1500`	`// This is taggedInt case and we verified that item is not missing value in AMD64.`
`@@ -3426,16 +3424,12 @@ using namespace Js;`
`3426`	`3424`	`{`
`3427`	`3425`	`if (TaggedInt::Is(aItem))`
`3428`	`3426`	`{`
`3429`		`- pDestArray->DirectSetItemAt(idxDest, TaggedInt::ToInt32(aItem));`
	`3427`	`+ int32 int32Value = TaggedInt::ToInt32(aItem);`
	`3428`	`+ Assert(!SparseArraySegment<int32>::IsMissingItem(&int32Value));`
	`3429`	`+ pDestArray->DirectSetItemAt(idxDest, int32Value);`
`3430`	`3430`	`}`
`3431`	`3431`	`else`
`3432`	`3432`	`{`
`3433`		`-#if DBG`
`3434`		`- int32 int32Value;`
`3435`		`- Assert(`
`3436`		`- JavascriptNumber::TryGetInt32Value(JavascriptNumber::GetValue(aItem), &int32Value) &&`
`3437`		`- !SparseArraySegment<int32>::IsMissingItem(&int32Value));`
`3438`		`-#endif`
`3439`	`3433`	`pDestArray->DirectSetItemAt(idxDest, static_cast<int32>(JavascriptNumber::GetValue(aItem)));`
`3440`	`3434`	`}`
`3441`	`3435`	`++idxDest;`
Original file line number	Diff line number	Diff line change
`@@ -1512,6 +1512,9 @@ namespace Js`
`1512`	`1512`	`if (!(attributes[descriptor->GetDataPropertyIndex<false>()] & ObjectSlotAttr_Accessor))`
`1513`	`1513`	`{`
`1514`	`1514`	`// Setter without a getter; this is a stale entry, so ignore it`
	`1515`	`+ // Just consume the slot so no descriptor refers to it.`
	`1516`	`+ Assert(i == newTypeHandler->nextPropertyIndex);`
	`1517`	`+ ::Math::PostInc(newTypeHandler->nextPropertyIndex);`
`1515`	`1518`	`continue;`
`1516`	`1519`	`}`
`1517`	`1520`	`Assert(oldTypeHandler->GetSetterSlotIndex(descriptor->GetDataPropertyIndex<false>()) == newTypeHandler->nextPropertyIndex);`