
[CVE-2019-1138]

wyrichte authored and MikeHolman committed Aug 1, 2019
1 parent 31f2588 commit 1e5d3f5e4f4feb37a6844f654d351ddcc53e2046
Showing with 17 additions and 7 deletions.
  1. +1 −1 lib/Backend/BackwardPass.cpp
  2. +16 −6 lib/Backend/GlobOpt.cpp
@@ -8742,7 +8742,7 @@ BackwardPass::RestoreInductionVariableValuesAfterMemOp(Loop *loop)
StackSym *sym = localFunc->m_symTable->FindStackSym(symId)->GetInt32EquivSym(localFunc);

IR::Opnd *inductionVariableOpnd = IR::RegOpnd::New(sym, IRType::TyInt32, localFunc);
IR::Opnd *sizeOpnd = globOpt->GenerateInductionVariableChangeForMemOp(loop, inductionVariableChangeInfo.unroll);
IR::Opnd *sizeOpnd = globOpt->GenerateInductionVariableChangeForMemOp(loop, inductionVariableChangeInfo.unroll, loop->memOpInfo->instr);
IR::Instr* restoreInductionVarInstr = IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc());

// The IR that restores the induction variable's value is placed before the MemOp. Since this IR can
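Review bot: The new call on the `sizeOpnd` line dereferences `loop->memOpInfo->instr` with nothing in the hunk establishing that `memOpInfo` is populated; since this path runs only after a MemOp was emitted that is presumably guaranteed, but an `Assert(loop->memOpInfo && loop->memOpInfo->instr);` ahead of the call would document the invariant the insertion point now depends on. It is also worth confirming that the restore instruction built on the following line (`opCode` applied to `inductionVariableOpnd` and `sizeOpnd`) carries its own overflow guard, because the multiplier it consumes is now bailout-protected in GlobOpt.cpp while the add/sub here is not visibly so. RestoreInductionVariableValuesAfterMemOp begins and continues outside this hunk, so any enclosing checks are not visible here.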
@@ -2087,6 +2087,7 @@ bool GlobOpt::CollectMemcopyStElementI(IR::Instr *instr, Loop *loop)

// Consider: Can we remove the count field?
memcopyInfo->count++;
AssertOrFailFast(memcopyInfo->count <= 1);
memcopyInfo->base = baseSymID;

return true;
@@ -2226,7 +2227,14 @@ GlobOpt::CollectMemOpInfo(IR::Instr *instrBegin, IR::Instr *instr, Value *src1Va
{
Loop::InductionVariableChangeInfo inductionVariableChangeInfo = { 0, 0 };
inductionVariableChangeInfo = loop->memOpInfo->inductionVariableChangeInfoMap->Lookup(inductionSymID, inductionVariableChangeInfo);
inductionVariableChangeInfo.unroll++;

// If inductionVariableChangeInfo.unroll has been invalidated, do
// not modify the Js::Constants::InvalidLoopUnrollFactor value
if (inductionVariableChangeInfo.unroll != Js::Constants::InvalidLoopUnrollFactor)
{
inductionVariableChangeInfo.unroll++;
}

inductionVariableChangeInfo.isIncremental = isIncr;
loop->memOpInfo->inductionVariableChangeInfoMap->Item(inductionSymID, inductionVariableChangeInfo);
}
@@ -16677,6 +16685,7 @@ GlobOpt::GetOrGenerateLoopCountForMemOp(Loop *loop)
IR::Opnd *
GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::Instr *insertBeforeInstr)
{
AssertOrFailFast(unroll != Js::Constants::InvalidLoopUnrollFactor);
LoopCount *loopCount = loop->loopCount;
IR::Opnd *sizeOpnd = nullptr;
Assert(loopCount);
@@ -16714,11 +16723,12 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In

IR::Opnd *unrollOpnd = IR::IntConstOpnd::New(unroll, type, localFunc);

InsertInstr(IR::Instr::New(Js::OpCode::Mul_I4,
sizeOpnd,
loopCountOpnd,
unrollOpnd,
localFunc));
IR::Instr* inductionChangeMultiplier = IR::Instr::New(
Js::OpCode::Mul_I4, sizeOpnd, loopCountOpnd, unrollOpnd, localFunc);

InsertInstr(inductionChangeMultiplier);

inductionChangeMultiplier->ConvertToBailOutInstr(loop->bailOutInfo, IR::BailOutOnOverflow);

}
}
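Review bot: The sentinel guard added to CollectMemOpInfo (the `if (inductionVariableChangeInfo.unroll != Js::Constants::InvalidLoopUnrollFactor)` block) only stops the increment once the counter already equals the sentinel; because `unroll` is consumed as a `byte` (the `byte unroll` parameter of GenerateInductionVariableChangeForMemOp), a loop body with more increments of the same induction variable than a byte holds would still wrap to 0 unless `InvalidLoopUnrollFactor` happens to be the byte's maximum value, and a zero multiplier silently yields a wrong restored induction value instead of the fail-fast the new `AssertOrFailFast(unroll != Js::Constants::InvalidLoopUnrollFactor)` is meant to trigger. If the sentinel is in fact 0xFF the current code already saturates and nothing changes, but a saturating increment makes that hold regardless of the constant: `inductionVariableChangeInfo.unroll = (inductionVariableChangeInfo.unroll + 1 < Js::Constants::InvalidLoopUnrollFactor) ? inductionVariableChangeInfo.unroll + 1 : Js::Constants::InvalidLoopUnrollFactor;`. A one-line comment above the guard noting that the sentinel is sticky and is rejected fail-fast in GenerateInductionVariableChangeForMemOp would also help the next reader. The struct field's declared type and the rest of CollectMemOpInfo are outside this diff, so the byte width is inferred from the callee's signature.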
