[1.11>master] [MERGE #6196 @atulkatti] ChakraCore servicing update for July, 2019

atulkatti · atulkatti · commit f8a6b80b4e5f · 2019-07-09T14:55:43.000-07:00
Merge pull request #6196 from atulkatti:servicing/1907 This release addresses the following issues: CVE-2019-1001 CVE-2019-1062 CVE-2019-1092 CVE-2019-1103 CVE-2019-1106 CVE-2019-1107
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
@@ -4369,6 +4369,59 @@ BackwardPass::TraceBlockUses(BasicBlock * block, bool isStart)
 
 #endif
 
+bool
+BackwardPass::UpdateImplicitCallBailOutKind(IR::Instr *const instr, bool needsBailOutOnImplicitCall)
+{
+    Assert(instr);
+    Assert(instr->HasBailOutInfo());
+
+    IR::BailOutKind implicitCallBailOutKind = needsBailOutOnImplicitCall ? IR::BailOutOnImplicitCalls : IR::BailOutInvalid;
+
+    IR::BailOutKind instrBailOutKind = instr->GetBailOutKind();
+    if (instrBailOutKind & IR::BailOutMarkTempObject)
+    {
+        // Remove the mark temp object bit, as we don't need it after the dead store pass
+        instrBailOutKind &= ~IR::BailOutMarkTempObject;
+        instr->SetBailOutKind(instrBailOutKind);
+
+        if (!instr->GetBailOutInfo()->canDeadStore)
+        {
+            return true;
+        }
+    }
+
+    const IR::BailOutKind instrImplicitCallBailOutKind = instrBailOutKind & ~IR::BailOutKindBits;
+    if(instrImplicitCallBailOutKind == IR::BailOutOnImplicitCallsPreOp)
+    {
+        if(needsBailOutOnImplicitCall)
+        {
+            implicitCallBailOutKind = IR::BailOutOnImplicitCallsPreOp;
+        }
+    }
+    else if(instrImplicitCallBailOutKind != IR::BailOutOnImplicitCalls && instrImplicitCallBailOutKind != IR::BailOutInvalid)
+    {
+        // This bailout kind (the value of 'instrImplicitCallBailOutKind') must guarantee that implicit calls will not happen.
+        // If it doesn't make such a guarantee, it must be possible to merge this bailout kind with an implicit call bailout
+        // kind, and therefore should be part of BailOutKindBits.
+        Assert(!needsBailOutOnImplicitCall);
+        return true;
+    }
+
+    if(instrImplicitCallBailOutKind == implicitCallBailOutKind)
+    {
+        return true;
+    }
+
+    const IR::BailOutKind newBailOutKind = instrBailOutKind - instrImplicitCallBailOutKind + implicitCallBailOutKind;
+    if(newBailOutKind == IR::BailOutInvalid)
+    {
+        return false;
+    }
+
+    instr->SetBailOutKind(newBailOutKind);
+    return true;
+}
+
 bool
 BackwardPass::ProcessNoImplicitCallUses(IR::Instr *const instr)
 {
diff --git a/lib/Backend/BailOut.h b/lib/Backend/BailOut.h
@@ -27,7 +27,7 @@ class BailOutInfo
     BailOutInfo(uint32 bailOutOffset, Func* bailOutFunc) :
         bailOutOffset(bailOutOffset), bailOutFunc(bailOutFunc),
         byteCodeUpwardExposedUsed(nullptr), polymorphicCacheIndex((uint)-1), startCallCount(0), startCallInfo(nullptr), bailOutInstr(nullptr),
-        totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false),
+        totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false), canDeadStore(true),
         outParamInlinedArgSlot(nullptr), liveVarSyms(nullptr), liveLosslessInt32Syms(nullptr), liveFloat64Syms(nullptr),
         branchConditionOpnd(nullptr),
         stackLiteralBailOutInfoCount(0), stackLiteralBailOutInfo(nullptr),
@@ -107,6 +107,7 @@ class BailOutInfo
 #endif
     bool wasCloned;
     bool isInvertedBranch;
+    bool canDeadStore;
     bool sharedBailOutKind;
     bool isLoopTopBailOutInfo;
 
diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -355,6 +355,9 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
             case RejitReason::TrackIntOverflowDisabled:
                 outputData->disableTrackCompoundedIntOverflow = TRUE;
                 break;
+            case RejitReason::MemOpDisabled:
+                outputData->disableMemOp = TRUE;
+                break;
             default:
                 Assume(UNREACHED);
             }
@@ -1112,6 +1115,12 @@ Func::IsTrackCompoundedIntOverflowDisabled() const
     return (HasProfileInfo() && GetReadOnlyProfileInfo()->IsTrackCompoundedIntOverflowDisabled()) || m_output.IsTrackCompoundedIntOverflowDisabled();
 }
 
+bool
+Func::IsMemOpDisabled() const
+{
+    return (HasProfileInfo() && GetReadOnlyProfileInfo()->IsMemOpDisabled()) || m_output.IsMemOpDisabled();
+}
+
 bool
 Func::IsArrayCheckHoistDisabled() const
 {
diff --git a/lib/Backend/Func.h b/lib/Backend/Func.h
@@ -967,6 +967,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     bool HasStackSymForFormal(Js::ArgSlot formalsIndex);
 
     bool IsTrackCompoundedIntOverflowDisabled() const;
+    bool IsMemOpDisabled() const;
     bool IsArrayCheckHoistDisabled() const;
     bool IsStackArgOptDisabled() const;
     bool IsSwitchOptDisabled() const;
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -2675,7 +2675,7 @@ GlobOpt::OptInstr(IR::Instr *&instr, bool* isInstrRemoved)
         !(instr->IsJitProfilingInstr()) &&
         this->currentBlock->loop && !IsLoopPrePass() &&
         !func->IsJitInDebugMode() &&
-        (func->HasProfileInfo() && !func->GetReadOnlyProfileInfo()->IsMemOpDisabled()) &&
+        !func->IsMemOpDisabled() &&
         this->currentBlock->loop->doMemOp)
     {
         CollectMemOpInfo(instrPrev, instr, src1Val, src2Val);
@@ -16864,6 +16864,7 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn
         if (instr->HasBailOutInfo())
         {
             instr->SetBailOutKind(instr->GetBailOutKind() | IR::BailOutMarkTempObject);
+            instr->GetBailOutInfo()->canDeadStore = false;
         }
         else
         {
@@ -16873,6 +16874,11 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn
                 || (instr->m_opcode == Js::OpCode::FromVar && !opnd->GetValueType().IsPrimitive())
                 || propertySymOpnd == nullptr
                 || !propertySymOpnd->IsTypeCheckProtected())
+            {
+                this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);
+                instr->GetBailOutInfo()->canDeadStore = false;
+            }
+            else if (propertySymOpnd->MayHaveImplicitCall())
             {
                 this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);
             }
@@ -17013,7 +17019,14 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In
     }
     else
     {
-        uint size = (loopCount->LoopCountMinusOneConstantValue() + 1)  * unroll;
+        int32 loopCountMinusOnePlusOne;
+        int32 size;
+        if (Int32Math::Add(loopCount->LoopCountMinusOneConstantValue(), 1, &loopCountMinusOnePlusOne) ||
+            Int32Math::Mul(loopCountMinusOnePlusOne, unroll, &size))
+        {
+            throw Js::RejitException(RejitReason::MemOpDisabled);
+        }
+        Assert(size > 0);
         sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);
     }
     loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);
diff --git a/lib/Backend/GlobOptBlockData.cpp b/lib/Backend/GlobOptBlockData.cpp
@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(
                 fromDataValueInfo->AsArrayValueInfo(),
                 fromDataSym,
                 symsRequiringCompensation,
-                symsCreatedForMerge);
+                symsCreatedForMerge,
+                isLoopBackEdge);
     }
 
     // Consider: If both values are VarConstantValueInfo with the same value, we could
@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
     const ArrayValueInfo *const fromDataValueInfo,
     Sym *const arraySym,
     BVSparse<JitArenaAllocator> *const symsRequiringCompensation,
-    BVSparse<JitArenaAllocator> *const symsCreatedForMerge)
+    BVSparse<JitArenaAllocator> *const symsCreatedForMerge,
+    bool isLoopBackEdge)
 {
     Assert(mergedValueType.IsAnyOptimizedArray());
     Assert(toDataValueInfo);
@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 // Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.
                 Assert(symsRequiringCompensation);
@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 Assert(symsRequiringCompensation);
                 symsRequiringCompensation->Set(arraySym->m_id);
@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 Assert(symsRequiringCompensation);
                 symsRequiringCompensation->Set(arraySym->m_id);
diff --git a/lib/Backend/GlobOptBlockData.h b/lib/Backend/GlobOptBlockData.h
@@ -264,7 +264,7 @@ class GlobOptBlockData
     Value *                 MergeValues(Value *toDataValue, Value *fromDataValue, Sym *fromDataSym, bool isLoopBackEdge, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
     ValueInfo *             MergeValueInfo(Value *toDataVal, Value *fromDataVal, Sym *fromDataSym, bool isLoopBackEdge, bool sameValueNumber, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
     JsTypeValueInfo *       MergeJsTypeValueInfo(JsTypeValueInfo * toValueInfo, JsTypeValueInfo * fromValueInfo, bool isLoopBackEdge, bool sameValueNumber);
-    ValueInfo *             MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
+    ValueInfo *             MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge, bool isLoopBackEdge);
 
     // Argument Tracking
 public:
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -409,6 +409,14 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
         if (inGlobOpt)
         {
             KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+            if (this->objectTypeSyms)
+            {
+                if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)
+                {
+                    this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);
+                }
+                this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);
+            }
         }
 
         // fall through
diff --git a/lib/Backend/JITOutput.cpp b/lib/Backend/JITOutput.cpp
@@ -65,6 +65,12 @@ JITOutput::IsTrackCompoundedIntOverflowDisabled() const
     return m_outputData->disableTrackCompoundedIntOverflow != FALSE;
 }
 
+bool
+JITOutput::IsMemOpDisabled() const
+{
+    return m_outputData->disableMemOp != FALSE;
+}
+
 bool
 JITOutput::IsArrayCheckHoistDisabled() const
 {
diff --git a/lib/Backend/JITOutput.h b/lib/Backend/JITOutput.h
@@ -22,6 +22,7 @@ class JITOutput
     void RecordXData(BYTE * xdata);
 #endif
     bool IsTrackCompoundedIntOverflowDisabled() const;
+    bool IsMemOpDisabled() const;
     bool IsArrayCheckHoistDisabled() const;
     bool IsStackArgOptDisabled() const;
     bool IsSwitchOptDisabled() const;
diff --git a/lib/Backend/NativeCodeGenerator.cpp b/lib/Backend/NativeCodeGenerator.cpp
@@ -1234,6 +1234,10 @@ NativeCodeGenerator::CodeGen(PageAllocator * pageAllocator, CodeGenWorkItem* wor
         {
             body->GetAnyDynamicProfileInfo()->DisableTrackCompoundedIntOverflow();
         }
+        if (jitWriteData.disableMemOp)
+        {
+            body->GetAnyDynamicProfileInfo()->DisableMemOp();
+        }
     }
 
     if (jitWriteData.disableInlineApply)
diff --git a/lib/Backend/Opnd.cpp b/lib/Backend/Opnd.cpp
@@ -962,7 +962,8 @@ PropertySymOpnd::IsObjectHeaderInlined() const
 bool
 PropertySymOpnd::ChangesObjectLayout() const
 {
-    JITTypeHolder cachedType = this->IsMono() ? this->GetType() : this->GetFirstEquivalentType();
+    JITTypeHolder cachedType = this->HasInitialType() ? this->GetInitialType() : 
+        this->IsMono() ? this->GetType() : this->GetFirstEquivalentType();
 
     JITTypeHolder finalType = this->GetFinalType();
 
@@ -987,13 +988,11 @@ PropertySymOpnd::ChangesObjectLayout() const
         // This is the case where the type transition actually occurs. (This is the only case that's detectable
         // during the loop pre-pass, since final types are not in place yet.)
 
-        Assert(cachedType != nullptr && Js::DynamicType::Is(cachedType->GetTypeId()));
-
-        const JITTypeHandler * cachedTypeHandler = cachedType->GetTypeHandler();
         const JITTypeHandler * initialTypeHandler = initialType->GetTypeHandler();
 
-        return cachedTypeHandler->GetInlineSlotCapacity() != initialTypeHandler->GetInlineSlotCapacity() ||
-            cachedTypeHandler->GetOffsetOfInlineSlots() != initialTypeHandler->GetOffsetOfInlineSlots();
+        // If no final type has been set in the forward pass, then we have no way of knowing how the object shape will evolve here.
+        // If the initial type is object-header-inlined, assume that the layout may change.
+        return initialTypeHandler->IsObjectHeaderInlinedTypeHandler();
     }
 
     return false;
diff --git a/lib/Backend/Opnd.h b/lib/Backend/Opnd.h
@@ -1162,7 +1162,8 @@ class PropertySymOpnd sealed : public SymOpnd
     // fall back on live cache.  Similarly, for fixed method checks.
     bool MayHaveImplicitCall() const
     {
-        return !IsRootObjectNonConfigurableFieldLoad() && !UsesFixedValue() && (!IsTypeCheckSeqCandidate() || !IsTypeCheckProtected());
+        return !IsRootObjectNonConfigurableFieldLoad() && !UsesFixedValue() && (!IsTypeCheckSeqCandidate() || !IsTypeCheckProtected()
+            || (IsLoadedFromProto() && NeedsWriteGuardTypeCheck()));
     }
 
     // Is the instruction involving this operand part of a type check sequence? This is different from IsObjTypeSpecOptimized
diff --git a/lib/JITIDL/JITTypes.h b/lib/JITIDL/JITTypes.h
@@ -847,37 +847,42 @@ typedef struct JITOutputIDL
     boolean disableStackArgOpt;
     boolean disableSwitchOpt;
     boolean disableTrackCompoundedIntOverflow;
-    boolean isInPrereservedRegion;
+    boolean disableMemOp;
 
+    boolean isInPrereservedRegion;
     boolean hasBailoutInstr;
-
     boolean hasJittedStackClosure;
+    IDL_PAD1(0)
 
     unsigned short pdataCount;
     unsigned short xdataSize;
 
     unsigned short argUsedForBranch;
+    IDL_PAD2(1)
 
     int localVarSlotsOffset; // FunctionEntryPointInfo only
+
     int localVarChangedOffset; // FunctionEntryPointInfo only
     unsigned int frameHeight;
 
-
     unsigned int codeSize;
     unsigned int throwMapOffset;
+
     unsigned int throwMapCount;
     unsigned int inlineeFrameOffsetArrayOffset;
-    unsigned int inlineeFrameOffsetArrayCount;
 
+    unsigned int inlineeFrameOffsetArrayCount;
     unsigned int propertyGuardCount;
+
     unsigned int ctorCachesCount;
+    X64_PAD4(2)
 
 #if TARGET_64
     CHAKRA_PTR xdataAddr;
 #elif defined(_M_ARM)
     unsigned int xdataOffset;
 #else
-    X86_PAD4(0)
+    X86_PAD4(3)
 #endif
     CHAKRA_PTR codeAddress;
     CHAKRA_PTR thunkAddress;

Original file line number	Diff line number	Diff line change
`@@ -2675,7 +2675,7 @@ GlobOpt::OptInstr(IR::Instr &instr, bool isInstrRemoved)`
`2675`	`2675`	`!(instr->IsJitProfilingInstr()) &&`
`2676`	`2676`	`this->currentBlock->loop && !IsLoopPrePass() &&`
`2677`	`2677`	`!func->IsJitInDebugMode() &&`
`2678`		`- (func->HasProfileInfo() && !func->GetReadOnlyProfileInfo()->IsMemOpDisabled()) &&`
	`2678`	`+ !func->IsMemOpDisabled() &&`
`2679`	`2679`	`this->currentBlock->loop->doMemOp)`
`2680`	`2680`	`{`
`2681`	`2681`	`CollectMemOpInfo(instrPrev, instr, src1Val, src2Val);`
`@@ -16864,6 +16864,7 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn`
`16864`	`16864`	`if (instr->HasBailOutInfo())`
`16865`	`16865`	`{`
`16866`	`16866`	`instr->SetBailOutKind(instr->GetBailOutKind() \| IR::BailOutMarkTempObject);`
	`16867`	`+ instr->GetBailOutInfo()->canDeadStore = false;`
`16867`	`16868`	`}`
`16868`	`16869`	`else`
`16869`	`16870`	`{`
`@@ -16873,6 +16874,11 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn`
`16873`	`16874`	`\|\| (instr->m_opcode == Js::OpCode::FromVar && !opnd->GetValueType().IsPrimitive())`
`16874`	`16875`	`\|\| propertySymOpnd == nullptr`
`16875`	`16876`	`\|\| !propertySymOpnd->IsTypeCheckProtected())`
	`16877`	`+ {`
	`16878`	`+ this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);`
	`16879`	`+ instr->GetBailOutInfo()->canDeadStore = false;`
	`16880`	`+ }`
	`16881`	`+ else if (propertySymOpnd->MayHaveImplicitCall())`
`16876`	`16882`	`{`
`16877`	`16883`	`this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);`
`16878`	`16884`	`}`
`@@ -17013,7 +17019,14 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In`
`17013`	`17019`	`}`
`17014`	`17020`	`else`
`17015`	`17021`	`{`
`17016`		`- uint size = (loopCount->LoopCountMinusOneConstantValue() + 1) * unroll;`
	`17022`	`+ int32 loopCountMinusOnePlusOne;`
	`17023`	`+ int32 size;`
	`17024`	`+ if (Int32Math::Add(loopCount->LoopCountMinusOneConstantValue(), 1, &loopCountMinusOnePlusOne) \|\|`
	`17025`	`+ Int32Math::Mul(loopCountMinusOnePlusOne, unroll, &size))`
	`17026`	`+ {`
	`17027`	`+ throw Js::RejitException(RejitReason::MemOpDisabled);`
	`17028`	`+ }`
	`17029`	`+ Assert(size > 0);`
`17017`	`17030`	`sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);`
`17018`	`17031`	`}`
`17019`	`17032`	`loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);`
Original file line number	Diff line number	Diff line change
`@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(`
`974`	`974`	`fromDataValueInfo->AsArrayValueInfo(),`
`975`	`975`	`fromDataSym,`
`976`	`976`	`symsRequiringCompensation,`
`977`		`- symsCreatedForMerge);`
	`977`	`+ symsCreatedForMerge,`
	`978`	`+ isLoopBackEdge);`
`978`	`979`	`}`
`979`	`980`
`980`	`981`	`// Consider: If both values are VarConstantValueInfo with the same value, we could`
`@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1072`	`1073`	`const ArrayValueInfo *const fromDataValueInfo,`
`1073`	`1074`	`Sym *const arraySym,`
`1074`	`1075`	`BVSparse<JitArenaAllocator> *const symsRequiringCompensation,`
`1075`		`- BVSparse<JitArenaAllocator> *const symsCreatedForMerge)`
	`1076`	`+ BVSparse<JitArenaAllocator> *const symsCreatedForMerge,`
	`1077`	`+ bool isLoopBackEdge)`
`1076`	`1078`	`{`
`1077`	`1079`	`Assert(mergedValueType.IsAnyOptimizedArray());`
`1078`	`1080`	`Assert(toDataValueInfo);`
`@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1095`	`1097`	`}`
`1096`	`1098`	`else`
`1097`	`1099`	`{`
`1098`		`- if (!this->globOpt->IsLoopPrePass())`
	`1100`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1099`	`1101`	`{`
`1100`	`1102`	`// Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.`
`1101`	`1103`	`Assert(symsRequiringCompensation);`
`@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1123`	`1125`	`}`
`1124`	`1126`	`else`
`1125`	`1127`	`{`
`1126`		`- if (!this->globOpt->IsLoopPrePass())`
	`1128`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1127`	`1129`	`{`
`1128`	`1130`	`Assert(symsRequiringCompensation);`
`1129`	`1131`	`symsRequiringCompensation->Set(arraySym->m_id);`
`@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1150`	`1152`	`}`
`1151`	`1153`	`else`
`1152`	`1154`	`{`
`1153`		`- if (!this->globOpt->IsLoopPrePass())`
	`1155`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1154`	`1156`	`{`
`1155`	`1157`	`Assert(symsRequiringCompensation);`
`1156`	`1158`	`symsRequiringCompensation->Set(arraySym->m_id);`
Original file line number	Diff line number	Diff line change
`@@ -409,6 +409,14 @@ GlobOpt::ProcessFieldKills(IR::Instr instr, BVSparse<JitArenaAllocator> bv, bo`
`409`	`409`	`if (inGlobOpt)`
`410`	`410`	`{`
`411`	`411`	`KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);`
	`412`	`+ if (this->objectTypeSyms)`
	`413`	`+ {`
	`414`	`+ if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)`
	`415`	`+ {`
	`416`	`+ this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);`
	`417`	`+ }`
	`418`	`+ this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);`
	`419`	`+ }`
`412`	`420`	`}`
`413`	`421`
`414`	`422`	`// fall through`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,12 @@ JITOutput::IsTrackCompoundedIntOverflowDisabled() const`
`65`	`65`	`return m_outputData->disableTrackCompoundedIntOverflow != FALSE;`
`66`	`66`	`}`
`67`	`67`
	`68`	`+bool`
	`69`	`+JITOutput::IsMemOpDisabled() const`
	`70`	`+{`
	`71`	`+ return m_outputData->disableMemOp != FALSE;`
	`72`	`+}`
	`73`	`+`
`68`	`74`	`bool`
`69`	`75`	`JITOutput::IsArrayCheckHoistDisabled() const`
`70`	`76`	`{`