[CVE-2019-1196] Chakra Builtins Function Type Confusion

Author: boingoing

lib/Backend/BackwardPass.cpp

@@ -6555,6 +6555,7 @@ BackwardPass::TrackIntUsage(IR::Instr *const instr)
             case Js::OpCode::Coerce_Regex:
             case Js::OpCode::Coerce_StrOrRegex:
             case Js::OpCode::Conv_PrimStr:
+            case Js::OpCode::Conv_Prop:
                 // These instructions don't generate -0, and their behavior is the same for any src that is -0 or +0
                 SetNegativeZeroDoesNotMatterIfLastUse(instr->GetSrc1());
                 SetNegativeZeroDoesNotMatterIfLastUse(instr->GetSrc2());

lib/Backend/JnHelperMethodList.h

@@ -134,6 +134,7 @@ HELPERCALL_MATH(Op_MaxInAnArray, Js::JavascriptMath::MaxInAnArray, AttrCanThrow)
 HELPERCALL_MATH(Op_MinInAnArray, Js::JavascriptMath::MinInAnArray, AttrCanThrow)
 
 HELPERCALLCHK(Op_ConvString, Js::JavascriptConversion::ToString, AttrCanThrow)
+HELPERCALLCHK(Op_ConvPropertyKey, Js::JavascriptOperators::OP_ToPropertyKey, AttrCanThrow)
 HELPERCALLCHK(Op_CoerseString, Js::JavascriptConversion::CoerseString, AttrCanThrow)
 HELPERCALLCHK(Op_CoerseRegex, (Js::JavascriptRegExp* (*) (Js::Var aValue, Js::Var options, Js::ScriptContext *scriptContext))Js::JavascriptRegExp::CreateRegEx, AttrCanThrow)
 

lib/Backend/Lower.cpp

@@ -2826,6 +2826,10 @@ Lowerer::LowerRange(IR::Instr *instrStart, IR::Instr *instrEnd, bool defaultDoFa
             this->LowerConvPrimStr(instr);
             break;
 
+        case Js::OpCode::Conv_Prop:
+            this->LowerConvPropertyKey(instr);
+            break;
+
         case Js::OpCode::ClearAttributes:
             this->LowerBinaryHelper(instr, IR::HelperOP_ClearAttributes);
             break;
@@ -25474,6 +25478,12 @@ Lowerer::GenerateGetImmutableOrScriptUnreferencedString(IR::RegOpnd * strOpnd, I
     return dstOpnd;
 }
 
+void
+Lowerer::LowerConvPropertyKey(IR::Instr* instr)
+{
+    LowerConvStrCommon(IR::HelperOp_ConvPropertyKey, instr);
+}
+
 void
 Lowerer::LowerConvStrCommon(IR::JnHelperMethod helper,  IR::Instr * instr)
 {

lib/Backend/Lower.h

@@ -670,6 +670,8 @@ class Lowerer
     void            LowerConvPrimStr(IR::Instr * instr);
     void            LowerConvStrCommon(IR::JnHelperMethod helper, IR::Instr * instr);
 
+    void            LowerConvPropertyKey(IR::Instr* instr);
+
     void            GenerateRecyclerAlloc(IR::JnHelperMethod allocHelper, size_t allocSize, IR::RegOpnd* newObjDst, IR::Instr* insertionPointInstr, bool inOpHelper = false);
 
     template <typename ArrayType>

lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h

@@ -5,6 +5,6 @@
 // NOTE: If there is a merge conflict the correct fix is to make a new GUID.
 // This file was generated with tools\update_bytecode_version.ps1
 
-// {26894CEE-B780-4CD4-B793-7B0972AEEDD9}
+// {3096A219-129D-4A4A-A61C-186D03BB25B7}
 const GUID byteCodeCacheReleaseFileVersion =
-{ 0x26894CEE, 0xB780, 0x4CD4, { 0xB7, 0x93, 0x7B, 0x09, 0x72, 0xAE, 0xED, 0xD9 } };
+{ 0x3096a219, 0x129d, 0x4a4a, { 0xa6, 0x1c, 0x18, 0x6d, 0x3, 0xbb, 0x25, 0xb7 } };

lib/Runtime/ByteCode/ByteCodeEmitter.cpp

@@ -223,8 +223,8 @@ bool IsArguments(ParseNode *pnode)
 }
 
 bool ApplyEnclosesArgs(ParseNode* fncDecl, ByteCodeGenerator* byteCodeGenerator);
-void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo, BOOL fReturnValue, bool isConstructorCall = false, ParseNode *bindPnode = nullptr, bool isTopLevel = false);
-void EmitBinaryOpnds(ParseNode *pnode1, ParseNode *pnode2, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo);
+void Emit(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo, BOOL fReturnValue, bool isConstructorCall = false, Js::RegSlot bindingNameLocation = Js::Constants::NoRegister, bool isTopLevel = false);
+void EmitBinaryOpnds(ParseNode* pnode1, ParseNode* pnode2, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo, Js::RegSlot computedPropertyLocation = Js::Constants::NoRegister);
 bool IsExpressionStatement(ParseNode* stmt, const Js::ScriptContext *const scriptContext);
 void EmitInvoke(Js::RegSlot location, Js::RegSlot callObjLocation, Js::PropertyId propertyId, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo);
 void EmitInvoke(Js::RegSlot location, Js::RegSlot callObjLocation, Js::PropertyId propertyId, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo, Js::RegSlot arg1Location);
@@ -953,7 +953,7 @@ void ByteCodeGenerator::EmitTopLevelStatement(ParseNode *stmt, FuncInfo *funcInf
         EndStatement(stmt);
     }
 
-    Emit(stmt, this, funcInfo, fReturnValue, false/*isConstructorCall*/, nullptr/*bindPnode*/, true/*isTopLevel*/);
+    Emit(stmt, this, funcInfo, fReturnValue, false/*isConstructorCall*/, Js::Constants::NoRegister/*computedPropertyLocation*/, true/*isTopLevel*/);
     if (funcInfo->IsTmpReg(stmt->location))
     {
         if (!stmt->isUsed && !fReturnValue)
@@ -8224,22 +8224,6 @@ void EmitInvoke(
     byteCodeGenerator->Writer()->CallI(Js::OpCode::CallI, location, location, 2, callSiteId);
 }
 
-void EmitComputedFunctionNameVar(ParseNode *nameNode, ParseNodeFnc *exprNode, ByteCodeGenerator *byteCodeGenerator)
-{
-    AssertMsg(exprNode != nullptr, "callers of this function should pass in a valid expression Node");
-    Assert(exprNode->HasComputedName());
-
-    if (nameNode == nullptr)
-    {
-        return;
-    }
-
-    if (exprNode->pnodeName == nullptr)
-    {
-        byteCodeGenerator->Writer()->Reg2(Js::OpCode::SetComputedNameVar, exprNode->location, nameNode->location);
-    }
-}
-
 void EmitMemberNode(ParseNode *memberNode, Js::RegSlot objectLocation, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo, ParseNode* parentNode, bool useStore, bool* isObjectEmpty = nullptr)
 {
     ParseNode *nameNode = memberNode->AsParseNodeBin()->pnode1;
@@ -8254,6 +8238,8 @@ void EmitMemberNode(ParseNode *memberNode, Js::RegSlot objectLocation, ByteCodeG
         exprNode->AsParseNodeFnc()->SetHomeObjLocation(objectLocation);
     }
 
+    Js::RegSlot computedNamePropertyKey = Js::Constants::NoRegister;
+
     // Moved SetComputedNameVar before LdFld of prototype because loading the prototype undefers the function TypeHandler
     // which makes this bytecode too late to influence the function.name.
     if (nameNode->nop == knopComputedName)
@@ -8262,10 +8248,13 @@ void EmitMemberNode(ParseNode *memberNode, Js::RegSlot objectLocation, ByteCodeG
         // Transparently pass the name expr
         // The Emit will replace this with a temp register if necessary to preserve the value.
         nameNode->location = nameNode->AsParseNodeUni()->pnode1->location;
-        EmitBinaryOpnds(nameNode, exprNode, byteCodeGenerator, funcInfo);
-        if (isFncDecl && !exprNode->AsParseNodeFnc()->IsClassConstructor())
+        computedNamePropertyKey = funcInfo->AcquireTmpRegister();
+
+        EmitBinaryOpnds(nameNode, exprNode, byteCodeGenerator, funcInfo, computedNamePropertyKey);
+
+        if (isFncDecl && !exprNode->AsParseNodeFnc()->IsClassConstructor() && exprNode->AsParseNodeFnc()->pnodeName == nullptr)
         {
-            EmitComputedFunctionNameVar(nameNode, exprNode->AsParseNodeFnc(), byteCodeGenerator);
+            byteCodeGenerator->Writer()->Reg2(Js::OpCode::SetComputedNameVar, exprNode->location, computedNamePropertyKey);
         }
     }
 
@@ -8289,10 +8278,11 @@ void EmitMemberNode(ParseNode *memberNode, Js::RegSlot objectLocation, ByteCodeG
             (isClassMember ? Js::OpCode::InitClassMemberSetComputedName : Js::OpCode::InitSetElemI) :
             (isClassMember ? Js::OpCode::InitClassMemberComputedName : Js::OpCode::InitComputedProperty);
 
-        byteCodeGenerator->Writer()->Element(setOp, exprNode->location, objectLocation, nameNode->location, true);
+        byteCodeGenerator->Writer()->Element(setOp, exprNode->location, objectLocation, computedNamePropertyKey, true);
 
         funcInfo->ReleaseLoc(exprNode);
         funcInfo->ReleaseLoc(nameNode);
+        funcInfo->ReleaseTmpRegister(computedNamePropertyKey);
 
         return;
     }
@@ -9578,7 +9568,7 @@ void EmitJumpCleanup(ParseNodeStmt *pnode, ParseNode *pnodeTarget, ByteCodeGener
     }
 }
 
-void EmitBinaryOpnds(ParseNode *pnode1, ParseNode *pnode2, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo)
+void EmitBinaryOpnds(ParseNode *pnode1, ParseNode *pnode2, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo, Js::RegSlot computedPropertyLocation)
 {
     // If opnd2 can overwrite opnd1, make sure the value of opnd1 is stashed away.
     if (MayHaveSideEffectOnNode(pnode1, pnode2))
@@ -9588,15 +9578,12 @@ void EmitBinaryOpnds(ParseNode *pnode1, ParseNode *pnode2, ByteCodeGenerator *by
 
     Emit(pnode1, byteCodeGenerator, funcInfo, false);
 
-    if (pnode1->nop == knopComputedName && pnode2->nop == knopClassDecl &&
-        (pnode2->AsParseNodeClass()->pnodeConstructor == nullptr || pnode2->AsParseNodeClass()->pnodeConstructor->nop != knopVarDecl))
-    {
-        Emit(pnode2, byteCodeGenerator, funcInfo, false, false, pnode1);
-    }
-    else
+    if (pnode1->nop == knopComputedName && computedPropertyLocation != Js::Constants::NoRegister)
     {
-        Emit(pnode2, byteCodeGenerator, funcInfo, false);
+        byteCodeGenerator->Writer()->Reg2(Js::OpCode::Conv_Prop, computedPropertyLocation, pnode1->location);
     }
+
+    Emit(pnode2, byteCodeGenerator, funcInfo, false, false, computedPropertyLocation);
 }
 
 void EmitBinaryReference(ParseNode *pnode1, ParseNode *pnode2, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo, BOOL fLoadLhs)
@@ -10142,7 +10129,7 @@ void TrackGlobalIntAssignments(ParseNodePtr pnode, ByteCodeGenerator * byteCodeG
     }
 }
 
-void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo, BOOL fReturnValue, bool isConstructorCall, ParseNode * bindPnode, bool isTopLevel)
+void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *funcInfo, BOOL fReturnValue, bool isConstructorCall, Js::RegSlot bindingNameLocation, bool isTopLevel)
 {
     if (pnode == nullptr)
     {
@@ -10966,7 +10953,13 @@ void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *func
 
         // Constructor
         Emit(pnodeClass->pnodeConstructor, byteCodeGenerator, funcInfo, false);
-        EmitComputedFunctionNameVar(bindPnode, pnodeClass->pnodeConstructor, byteCodeGenerator);
+
+        if (bindingNameLocation != Js::Constants::NoRegister && !pnodeClass->pnodeConstructor->pnodeName)
+        {
+            Assert(pnodeClass->pnodeConstructor->HasComputedName());
+            byteCodeGenerator->Writer()->Reg2(Js::OpCode::SetComputedNameVar, pnodeClass->pnodeConstructor->location, bindingNameLocation);
+        }
+
         if (pnodeClass->pnodeExtends)
         {
             byteCodeGenerator->StartStatement(pnodeClass->pnodeExtends);

lib/Runtime/ByteCode/OpCodes.h

@@ -320,6 +320,8 @@ MACRO_BACKEND_ONLY(     CmUnGe_I4,          Reg3,           OpTempNumberSources|
 MACRO_WMS(              Conv_Num,           Reg2,           OpSideEffect|OpTempNumberProducing|OpTempNumberTransfer|OpTempObjectSources|OpOpndHasImplicitCall|OpProducesNumber) // Convert to Number. [[ToNumber()]]
 // Operation ToString(str)
 MACRO_EXTEND_WMS(       Conv_Str,           Reg2,           OpOpndHasImplicitCall|OpTempNumberSources|OpTempObjectSources|OpCanCSE|OpPostOpDbgBailOut)
+// Operation ToPropertyKey(var)
+MACRO_EXTEND_WMS(       Conv_Prop,          Reg2,           OpOpndHasImplicitCall|OpTempNumberSources|OpTempObjectSources|OpCanCSE|OpPostOpDbgBailOut)
 
 // Conv_Obj:
 //      OpSideEffect - May throw exception on null/undefined.

lib/Runtime/Language/InterpreterHandler.inl

@@ -94,6 +94,7 @@ EXDEF2    (BRPROP,                  BrOnHasProperty,            OP_BrOnHasProper
   DEF3_WMS(CALL,                    ProfiledReturnTypeCallIExtendedFlags,    PROFILEDOP(OP_ProfiledReturnTypeCallIExtendedFlags, OP_CallIExtendedFlags), ProfiledCallIExtendedFlags)
 
 EXDEF2_WMS(A1toA1Mem,               Conv_Str,                   JavascriptConversion::ToString)
+EXDEF2_WMS(A1toA1Mem,               Conv_Prop,                  JavascriptOperators::OP_ToPropertyKey)
   DEF2_WMS(A1toA1Mem,               Conv_Obj,                   JavascriptOperators::ToObject)
 EXDEF2_WMS(A1toA1Mem,               NewUnscopablesWrapperObject,JavascriptOperators::ToUnscopablesWrapperObject)
   DEF2_WMS(A1toA1Mem,               Conv_Num,                   JavascriptOperators::ToNumber)

lib/Runtime/Language/JavascriptConversion.cpp

@@ -267,7 +267,7 @@ using namespace Js;
     // ToPropertyKey() takes a value and converts it to a property key
     // Implementation of ES6 7.1.14
     //----------------------------------------------------------------------------
-    void JavascriptConversion::ToPropertyKey(
+    Var JavascriptConversion::ToPropertyKey(
         Var argument,
         _In_ ScriptContext* scriptContext,
         _Out_ const PropertyRecord** propertyRecord,
@@ -289,12 +289,15 @@ using namespace Js;
             {
                 propertyString = PropertyString::UnsafeFromVar(propName);
             }
+            key = propName;
         }
 
         if (propString)
         {
             *propString = propertyString;
         }
+
+        return key;
     }
 
     //----------------------------------------------------------------------------

lib/Runtime/Language/JavascriptConversion.h

@@ -17,7 +17,7 @@ namespace Js {
         static Var ToPrimitive(_In_ Var aValue, _In_ ScriptContext * scriptContext);
         static BOOL CanonicalNumericIndexString(JavascriptString *aValue, double *indexValue, ScriptContext * scriptContext);
 
-        static void ToPropertyKey(
+        static Var ToPropertyKey(
             Var argument,
             _In_ ScriptContext* scriptContext,
             _Out_ const PropertyRecord** propertyRecord,

lib/Runtime/Language/JavascriptOperators.cpp

@@ -5208,6 +5208,14 @@ using namespace Js;
         JIT_HELPER_END(Op_DeleteElementI);
     }
 
+    Var JavascriptOperators::OP_ToPropertyKey(Js::Var argument, ScriptContext* scriptContext)
+    {
+        JIT_HELPER_REENTRANT_HEADER(Op_ConvPropertyKey);
+        PropertyRecord const* unused = nullptr;
+        return JavascriptConversion::ToPropertyKey(argument, scriptContext, &unused, nullptr);
+        JIT_HELPER_END(Op_ConvPropertyKey);
+    }
+
     Var JavascriptOperators::OP_GetLength(Var instance, ScriptContext* scriptContext)
     {
         return JavascriptOperators::OP_GetProperty(instance, PropertyIds::length, scriptContext);

lib/Runtime/Language/JavascriptOperators.h

@@ -453,6 +453,8 @@ namespace Js
         static Var OP_CmGt_A(Js::Var a,Js::Var b,ScriptContext* scriptContext);
         static Var OP_CmGe_A(Js::Var a,Js::Var b,ScriptContext* scriptContext);
 
+        static Var OP_ToPropertyKey(Js::Var argument, ScriptContext* scriptContext);
+
         static FunctionInfo * GetConstructorFunctionInfo(Var instance, ScriptContext * scriptContext);
         // Detach the type array buffer, if possible, and returns the state of the object which can be used to initialize another object
         static DetachedStateBase* DetachVarAndGetState(Var var, bool queueForDelayFree = true);