
CVE-2019-1023

MikeHolman authored and pleath committed May 17, 2019
1 parent e0ce3f0 commit c90622007977d0b4f0e4732e19cceceeaa8d5696
Showing with 22 additions and 18 deletions.
  1. +1 −0 Build/Common.Build.Default.props
  2. +21 −18 lib/Backend/Inline.cpp
@@ -17,6 +17,7 @@
<PlatformToolset Condition="'$(BuildToolVersion)'=='12.0'">v120</PlatformToolset>
<PlatformToolset Condition="'$(BuildToolVersion)'=='14.0'">v140</PlatformToolset>
<PlatformToolset Condition="'$(BuildToolVersion)'=='15.0'">v141</PlatformToolset>
<PlatformToolset Condition="'$(BuildToolVersion)'=='16.0'">v142</PlatformToolset>
</PropertyGroup>

<!-- Default ChakraDevConfigDir -->
@@ -69,7 +69,7 @@ Inline::Optimize(Func *func, __in_ecount_opt(callerArgOutCount) IR::Instr *calle

if (instr->AsLabelInstr()->m_isForInExit)
{
Assert(this->currentForInDepth != 0);
AssertOrFailFast(this->currentForInDepth != 0);
this->currentForInDepth--;
}
}
@@ -2158,14 +2158,12 @@ Inline::InlineBuiltInFunction(IR::Instr *callInstr, const FunctionJITTimeInfo *
IR::Instr *inlineBuiltInEndInstr = nullptr;
if (inlineCallOpCode == Js::OpCode::InlineFunctionApply)
{
inlineBuiltInEndInstr = InlineApply(callInstr, inlineeData, inlinerData, symCallerThis, pIsInlined, profileId, recursiveInlineDepth, inlineCallArgCount - (usesThisArgument ? 1 : 0));
return inlineBuiltInEndInstr->m_next;
return InlineApply(callInstr, inlineeData, inlinerData, symCallerThis, pIsInlined, profileId, recursiveInlineDepth, inlineCallArgCount - (usesThisArgument ? 1 : 0));
}

if (inlineCallOpCode == Js::OpCode::InlineFunctionCall)
{
inlineBuiltInEndInstr = InlineCall(callInstr, inlineeData, inlinerData, symCallerThis, pIsInlined, profileId, recursiveInlineDepth);
return inlineBuiltInEndInstr->m_next;
return InlineCall(callInstr, inlineeData, inlinerData, symCallerThis, pIsInlined, profileId, recursiveInlineDepth);
}


@@ -2415,9 +2413,10 @@ IR::Instr* Inline::InlineApply(IR::Instr *callInstr, const FunctionJITTimeInfo *
// We may still decide not to inline.
*pIsInlined = false;

IR::Instr* instrNext = callInstr->m_next;
if (argsCount == 0)
{
return callInstr;
return instrNext;
}

Js::BuiltinFunction builtInId = Js::JavascriptLibrary::GetBuiltInForFuncInfo(applyData->GetLocalFunctionId());
@@ -2459,7 +2458,7 @@ IR::Instr* Inline::InlineApply(IR::Instr *callInstr, const FunctionJITTimeInfo *
if (PHASE_OFF1(Js::InlineApplyWithoutArrayArgPhase))
{
*pIsInlined = false;
return callInstr;
return instrNext;
}
*pIsInlined = true;

@@ -2490,7 +2489,7 @@ IR::Instr* Inline::InlineApply(IR::Instr *callInstr, const FunctionJITTimeInfo *
{
INLINE_TESTTRACE(_u("INLINING: Skip Inline: Supporting inlining func.apply(this, array) or func.apply(this, arguments) with formals in the parent function only when func is a built-in inlinable as apply target \tCaller: %s (%s)\n"),
inlinerData->GetBody()->GetDisplayName(), inlinerData->GetDebugNumberSet(debugStringBuffer));
return callInstr;
return instrNext;
}
}

@@ -2506,6 +2505,7 @@ IR::Instr* Inline::InlineApply(IR::Instr *callInstr, const FunctionJITTimeInfo *

IR::Instr * Inline::InlineApplyWithArgumentsObject(IR::Instr * callInstr, IR::Instr * argsObjectArgInstr, const FunctionJITTimeInfo * funcInfo)
{
IR::Instr* instrNext = callInstr->m_next;
IR::Instr* ldHeapArguments = argsObjectArgInstr->GetSrc1()->GetStackSym()->GetInstrDef();
argsObjectArgInstr->ReplaceSrc1(ldHeapArguments->GetDst());

@@ -2595,14 +2595,15 @@ IR::Instr * Inline::InlineApplyWithArgumentsObject(IR::Instr * callInstr, IR::In

argout = IR::Instr::New(Js::OpCode::ArgOut_A_Dynamic, linkOpnd2, explicitThisArgOut->GetSrc1(), linkOpnd1, callInstr->m_func); // push explicit this as this pointer
callInstr->InsertBefore(argout);
return callInstr;
return instrNext;
}

/*
This method will only do CallDirect style inlining of built-in targets. No script function inlining.
*/
IR::Instr * Inline::InlineApplyBuiltInTargetWithArray(IR::Instr * callInstr, const FunctionJITTimeInfo * applyInfo, const FunctionJITTimeInfo * builtInInfo)
{
IR::Instr* instrNext = callInstr->m_next;
IR::Instr * implicitThisArgOut = nullptr;
IR::Instr * explicitThisArgOut = nullptr;
IR::Instr * arrayArgOut = nullptr;
@@ -2620,7 +2621,7 @@ IR::Instr * Inline::InlineApplyBuiltInTargetWithArray(IR::Instr * callInstr, con
IR::Instr* applyTargetLdInstr = nullptr;
if (!TryGetApplyAndTargetLdInstrs(callInstr, &applyLdInstr, &applyTargetLdInstr))
{
return callInstr;
return instrNext;
}
// Fixed function/function object checks for target built-in
callInstr->ReplaceSrc1(applyTargetLdInstr->GetDst());
@@ -2685,11 +2686,12 @@ IR::Instr * Inline::InlineApplyBuiltInTargetWithArray(IR::Instr * callInstr, con
callInstr->ReplaceSrc1(helperCallOpnd);
callInstr->ReplaceSrc2(argOut->GetDst());

return callInstr;
return instrNext;
}

IR::Instr * Inline::InlineApplyWithoutArrayArgument(IR::Instr *callInstr, const FunctionJITTimeInfo * applyInfo, const FunctionJITTimeInfo * applyTargetInfo)
{
IR::Instr* instrNext = callInstr->m_next;
IR::Instr * implicitThisArgOut = nullptr;
IR::Instr * explicitThisArgOut = nullptr;
IR::Instr * dummyInstr = nullptr;
@@ -2728,12 +2730,12 @@ IR::Instr * Inline::InlineApplyWithoutArrayArgument(IR::Instr *callInstr, const

if (!callTargetStackSym->IsSingleDef())
{
return callInstr;
return instrNext;
}

if (!applyTargetInfo)
{
return callInstr;
return instrNext;
}

bool safeThis = false;
@@ -2745,7 +2747,7 @@ IR::Instr * Inline::InlineApplyWithoutArrayArgument(IR::Instr *callInstr, const
callInstr->InsertBefore(bytecodeUses);
}

return callInstr;
return instrNext;
}

void Inline::GetArgInstrsForCallAndApply(IR::Instr* callInstr, IR::Instr** implicitThisArgOut, IR::Instr** explicitThisArgOut, IR::Instr** argumentsOrArrayArgOut, uint &argOutCount)
@@ -3015,7 +3017,7 @@ Inline::InlineCallApplyTarget_Shared(IR::Instr *callInstr, bool originalCallTarg
// instrNext
IR::Instr* instrNext = callInstr->m_next;

return InlineFunctionCommon(callInstr, originalCallTargetOpndIsJITOpt, originalCallTargetStackSym, inlineeData, inlinee, instrNext, returnValueOpnd, callInstr, nullptr, recursiveInlineDepth, safeThis, isApplyTarget)->m_prev;
return InlineFunctionCommon(callInstr, originalCallTargetOpndIsJITOpt, originalCallTargetStackSym, inlineeData, inlinee, instrNext, returnValueOpnd, callInstr, nullptr, recursiveInlineDepth, safeThis, isApplyTarget);
}

IR::Opnd *
@@ -3029,14 +3031,15 @@ Inline::ConvertToInlineBuiltInArgOut(IR::Instr * argInstr)
IR::Instr*
Inline::InlineCall(IR::Instr *callInstr, const FunctionJITTimeInfo *funcInfo, const FunctionJITTimeInfo * inlinerData, const StackSym *symCallerThis, bool* pIsInlined, uint callSiteId, uint recursiveInlineDepth)
{
IR::Instr* instrNext = callInstr->m_next;
Func *func = callInstr->m_func;
Js::BuiltinFunction builtInId = Js::JavascriptLibrary::GetBuiltInForFuncInfo(funcInfo->GetLocalFunctionId());

*pIsInlined = false;
if (PHASE_OFF(Js::InlineCallPhase, this->topFunc) || PHASE_OFF(Js::InlineCallPhase, func)
|| !this->topFunc->GetJITFunctionBody()->GetInParamsCount())
{
return callInstr;
return instrNext;
}

// Convert all the current ARG_OUT to ArgOut_A_InlineBuiltIn
@@ -3045,7 +3048,7 @@ Inline::InlineCall(IR::Instr *callInstr, const FunctionJITTimeInfo *funcInfo, co
if (!GetDefInstr(linkOpnd)->GetSrc2()->IsSymOpnd())
{
// There is no benefit of inlining.call() with no arguments.
return callInstr;
return instrNext;
}

*pIsInlined = true;
@@ -3125,7 +3128,7 @@ Inline::InlineCall(IR::Instr *callInstr, const FunctionJITTimeInfo *funcInfo, co
}
clonedArgout->SetSrc2(startCall->GetDst());
Assert(GetDefInstr(orgLinkOpnd) == argImplicitInstr);
return callInstr;
return instrNext;
}

bool
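Review bot: The new return contract — the instruction that followed callInstr on entry, rather than callInstr itself — is not documented anywhere in the hunks, so nothing stops a later edit from reintroducing a tail-end `callInstr->m_next`, which is exactly the pattern this commit removes from InlineBuiltInFunction (the deleted `return inlineBuiltInEndInstr->m_next;` after InlineApply/InlineCall). In InlineCall, `IR::Instr* instrNext = callInstr->m_next;` is taken as the first statement and returned on every path, which implies callInstr may no longer be safely dereferenced once the inlining helpers have run; a one-line comment at the capture would make that intent explicit: `// Capture the successor up front: callInstr may be unlinked or replaced by the inlining below, so it must not be dereferenced on the way out.` The same comment belongs at the matching captures in InlineApply, InlineApplyWithArgumentsObject, InlineApplyBuiltInTargetWithArray and InlineApplyWithoutArrayArgument. Whether any of these helpers links new instructions between callInstr and the captured successor (which the caller's loop would then never visit) is not visible here; the insertions shown use InsertBefore, so it looks safe, but it is worth confirming against the parts of InlineApply not shown. InlineCall's body, and most of the other functions touched, continue outside the hunks.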
