[MERGE #6420 @boingoing] ChakraCore Servicing Update for 2020.04B

Merge pull request #6420 from boingoing:servicing_2004_b

ChakraCore Servicing Update for 2020.04B

Changes to address the following issues:

[CVE-2020-0970]
[CVE-2020-0969]

Author: boingoing

Diff for: Build/NuGet/.pack-version

@@ -1 +1 @@
-1.11.17
+1.11.18

Diff for: lib/Common/ChakraCoreVersion.h

@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 17
+#define CHAKRA_CORE_PATCH_VERSION 18
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------

Diff for: lib/Runtime/ByteCode/ByteCodeEmitter.cpp

@@ -4262,21 +4262,33 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot
                 funcInfo->FindOrAddReferencedPropertyId(propertyId),
                 envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));
 
-            Js::RegSlot tmpReg = funcInfo->AcquireTmpRegister();
-
             AssertOrFailFast(scope->GetIsObject());
-            this->m_writer.SlotI1(Js::OpCode::LdEnvObj, tmpReg,
-                envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));
-
-            Js::OpCode op = unwrapWithObj ? Js::OpCode::UnwrapWithObj : Js::OpCode::Ld_A;
 
-            this->m_writer.Reg2(op, instLocation, tmpReg);
-            if (thisLocation != Js::Constants::NoRegister)
+            if (unwrapWithObj)
             {
-                this->m_writer.Reg2(op, thisLocation, tmpReg);
+                Js::RegSlot tmpReg = funcInfo->AcquireTmpRegister();
+
+                this->m_writer.SlotI1(Js::OpCode::LdEnvObj, tmpReg,
+                    envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));
+
+                this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, instLocation, tmpReg);
+                if (thisLocation != Js::Constants::NoRegister)
+                {
+                    this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, thisLocation, tmpReg);
+                }
+
+                funcInfo->ReleaseTmpRegister(tmpReg);
             }
+            else
+            {
+                this->m_writer.SlotI1(Js::OpCode::LdEnvObj, instLocation,
+                    envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));
 
-            funcInfo->ReleaseTmpRegister(tmpReg);
+                if (thisLocation != Js::Constants::NoRegister)
+                {
+                    this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister);
+                }
+            }
         }
         else if (scopeLocation != Js::Constants::NoRegister && scopeLocation == funcInfo->frameObjRegister)
         {
@@ -4288,19 +4300,29 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot
             this->m_writer.Reg1(Js::OpCode::LdLocalObj, instLocation);
             if (thisLocation != Js::Constants::NoRegister)
             {
-                this->m_writer.Reg1(Js::OpCode::LdLocalObj, thisLocation);
+                this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister);
             }
         }
         else
         {
             this->m_writer.BrProperty(Js::OpCode::BrOnNoProperty, nextLabel, scopeLocation,
                 funcInfo->FindOrAddReferencedPropertyId(propertyId));
 
-            Js::OpCode op = unwrapWithObj ? Js::OpCode::UnwrapWithObj : Js::OpCode::Ld_A;
-            this->m_writer.Reg2(op, instLocation, scopeLocation);
-            if (thisLocation != Js::Constants::NoRegister)
+            if (unwrapWithObj)
             {
-                this->m_writer.Reg2(op, thisLocation, scopeLocation);
+                this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, instLocation, scopeLocation);
+                if (thisLocation != Js::Constants::NoRegister)
+                {
+                    this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, thisLocation, scopeLocation);
+                }
+            }
+            else
+            {
+                this->m_writer.Reg2(Js::OpCode::Ld_A, instLocation, scopeLocation);
+                if (thisLocation != Js::Constants::NoRegister)
+                {
+                    this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister);
+                }
             }
         }
 

Diff for: lib/Runtime/Language/JavascriptOperators.cpp

@@ -2072,8 +2072,7 @@ using namespace Js;
                 // HasProperty will call UnscopablesWrapperObject's HasProperty which will do the filtering
                 // All we have to do here is unwrap the object hence the api call
 
-                *thisVar = obj->GetThisObjectOrUnWrap();
-                return *thisVar;
+                return obj->GetThisAndUnwrappedInstance(thisVar);
             }
         }
 

Diff for: lib/Runtime/Types/PathTypeHandler.cpp

@@ -2013,6 +2013,16 @@ namespace Js
                 {
                     newSetters = this->UpdateSetterSlots(recycler, oldSetters, oldPathSize, newTypePath->GetPathSize());
                 }
+
+#if ENABLE_FIXED_FIELDS
+#ifdef SUPPORT_FIXED_FIELDS_ON_PATH_TYPES
+                if (PathTypeHandlerBase::FixPropsOnPathTypes())
+                {
+                    Assert(this->HasSingletonInstanceOnlyIfNeeded());
+                    this->GetTypePath()->ClearSingletonInstanceIfSame(instance);
+                }
+#endif
+#endif
             }
             else if (growing)
             {

Diff for: lib/Runtime/Types/RecyclableObject.cpp

@@ -331,6 +331,12 @@ namespace Js
         return this;
     }
 
+    RecyclableObject* RecyclableObject::GetThisAndUnwrappedInstance(Var* thisVar) const
+    {
+        *thisVar = this->GetLibrary()->GetUndefined();
+        return (RecyclableObject*)this;
+    }
+
     // In order to avoid a branch, every object has an entry point if it gets called like a
     // function - however, if it can't be called like a function, it's set to DefaultEntryPoint
     // which will emit an error.

Diff for: lib/Runtime/Types/RecyclableObject.h

@@ -353,6 +353,7 @@ namespace Js {
         virtual uint GetSpecialPropertyCount() const { return 0; }
         virtual PropertyId const * GetSpecialPropertyIds() const { return nullptr; }
         virtual RecyclableObject* GetThisObjectOrUnWrap(); // Due to the withScope object there are times we need to unwrap
+        virtual RecyclableObject* GetThisAndUnwrappedInstance(Var* thisVar) const;
 
         virtual BOOL HasInstance(Var instance, ScriptContext* scriptContext, IsInstInlineCache* inlineCache = NULL);
 

Diff for: lib/Runtime/Types/UnscopablesWrapperObject.cpp

@@ -23,6 +23,12 @@ namespace Js
         return static_cast<UnscopablesWrapperObject*>(aValue);
     }
 
+    RecyclableObject * UnscopablesWrapperObject::GetThisAndUnwrappedInstance(Var* thisVar) const
+    {
+        *thisVar = this->GetWrappedObject();
+        return this->GetWrappedObject();
+    }
+
     PropertyQueryFlags UnscopablesWrapperObject::HasPropertyQuery(PropertyId propertyId, _Inout_opt_ PropertyValueInfo* info)
     {
         return JavascriptConversion::BooleanToPropertyQueryFlags(JavascriptOperators::HasPropertyUnscopables(wrappedObject, propertyId));

Diff for: lib/Runtime/Types/UnscopablesWrapperObject.h

@@ -28,7 +28,8 @@ namespace Js
             static bool Is(Var aValue);
             static UnscopablesWrapperObject* FromVar(Var value);
             static UnscopablesWrapperObject* UnsafeFromVar(Var value);
-            RecyclableObject *GetWrappedObject() { return wrappedObject; }
+            RecyclableObject *GetWrappedObject() const { return wrappedObject; }
+            virtual RecyclableObject* GetThisAndUnwrappedInstance(Var* thisVar) const override;
             virtual PropertyQueryFlags HasPropertyQuery(PropertyId propertyId, _Inout_opt_ PropertyValueInfo* info) override;
             virtual BOOL HasOwnProperty(PropertyId propertyId) override;
             virtual BOOL SetProperty(PropertyId propertyId, Var value, PropertyOperationFlags flags, PropertyValueInfo* info) override;