[CVE-2017-11767] Do not instantiate param scope if only the function expression symbol is captured

aneeshdk · Suwei Chen · commit b3e3959d1481 · 2017-09-14T09:07:34.000-07:00
If a split scope happens because of the function expression being captured then the param scope may not have any locals in closure as the function expression symbol belongs to the function expression scope. In this case we don't have to instantiate the param scope in split scope.
diff --git a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp
@@ -4219,7 +4219,20 @@ void ByteCodeGenerator::StartEmitFunction(ParseNode *pnodeFnc)
         {
             bodyScope->SetMustInstantiate(funcInfo->frameSlotsRegister != Js::Constants::NoRegister);
         }
-        paramScope->SetMustInstantiate(!pnodeFnc->sxFnc.IsBodyAndParamScopeMerged());
+
+        if (!pnodeFnc->sxFnc.IsBodyAndParamScopeMerged())
+        {
+            if (funcInfo->frameObjRegister != Js::Constants::NoRegister)
+            {
+                paramScope->SetMustInstantiate(true);
+            }
+            else
+            {
+                // In the case of function expression being captured in the param scope the hasownlocalinclosure will be false for param scope,
+                // as function expression symbol stays in the function expression scope. We don't have to set mustinstantiate for param scope in that case.
+                paramScope->SetMustInstantiate(paramScope->GetHasOwnLocalInClosure());
+            }
+        }
     }
     else
     {
diff --git a/test/es6/default-splitscope.js b/test/es6/default-splitscope.js
@@ -186,6 +186,14 @@ var tests = [
         };
         f13();
 
+        var f14 = function f15(a = (function() {
+                return f15(1);
+            })()) {
+                with({}) {
+                };
+                return a === 1 ? 10 : a;
+        };
+        assert.areEqual(10, f14(), "Function expresison is captured in the param scope when no other formals are captured");
     }
  },
  {

Original file line number	Diff line number	Diff line change
`@@ -4219,7 +4219,20 @@ void ByteCodeGenerator::StartEmitFunction(ParseNode *pnodeFnc)`
`4219`	`4219`	`{`
`4220`	`4220`	`bodyScope->SetMustInstantiate(funcInfo->frameSlotsRegister != Js::Constants::NoRegister);`
`4221`	`4221`	`}`
`4222`		`- paramScope->SetMustInstantiate(!pnodeFnc->sxFnc.IsBodyAndParamScopeMerged());`
	`4222`	`+`
	`4223`	`+ if (!pnodeFnc->sxFnc.IsBodyAndParamScopeMerged())`
	`4224`	`+ {`
	`4225`	`+ if (funcInfo->frameObjRegister != Js::Constants::NoRegister)`
	`4226`	`+ {`
	`4227`	`+ paramScope->SetMustInstantiate(true);`
	`4228`	`+ }`
	`4229`	`+ else`
	`4230`	`+ {`
	`4231`	`+ // In the case of function expression being captured in the param scope the hasownlocalinclosure will be false for param scope,`
	`4232`	`+ // as function expression symbol stays in the function expression scope. We don't have to set mustinstantiate for param scope in that case.`
	`4233`	`+ paramScope->SetMustInstantiate(paramScope->GetHasOwnLocalInClosure());`
	`4234`	`+ }`
	`4235`	`+ }`
`4223`	`4236`	`}`
`4224`	`4237`	`else`
`4225`	`4238`	`{`
Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,14 @@ var tests = [`
`186`	`186`	`};`
`187`	`187`	`f13();`
`188`	`188`
	`189`	`+ var f14 = function f15(a = (function() {`
	`190`	`+ return f15(1);`
	`191`	`+ })()) {`
	`192`	`+ with({}) {`
	`193`	`+ };`
	`194`	`+ return a === 1 ? 10 : a;`
	`195`	`+ };`
	`196`	`+ assert.areEqual(10, f14(), "Function expresison is captured in the param scope when no other formals are captured");`
`189`	`197`	`}`
`190`	`198`	`},`
`191`	`199`	`{`