
[CVE-2019-0913][CVE-2019-0914][CVE-2019-0915][CVE-2019-0916]

MikeHolman committed Apr 17, 2019
1 parent 1a550c6 commit d85b5025b047f10784c53c6c1dd771775d417f5f
Showing with 37 additions and 0 deletions.
  1. +5 −0 lib/Backend/GlobOpt.cpp
  2. +7 −0 lib/Backend/GlobOptExpr.cpp
  3. +25 −0 lib/Backend/GlobOptFields.cpp
@@ -13199,6 +13199,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
const bool useValueTypes = !IsLoopPrePass(); // Source value types are not guaranteed to be correct in a loop prepass
switch(instr->m_opcode)
{
case Js::OpCode::StElemC:
case Js::OpCode::StElemI_A:
case Js::OpCode::StElemI_A_Strict:
{
@@ -13249,6 +13250,10 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
}
break;

case Js::OpCode::ConsoleScopedStFld:
case Js::OpCode::ConsoleScopedStFldStrict:
case Js::OpCode::ScopedStFld:
case Js::OpCode::ScopedStFldStrict:
case Js::OpCode::StFld:
case Js::OpCode::StFldStrict:
case Js::OpCode::StSuperFld:
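Review bot: The opcode list that this switch in CheckJsArrayKills must recognise as a store is maintained by hand in three places — here, in ProcessArrayValueKills (GlobOptExpr.cpp, the next section) and in ProcessFieldKills (GlobOptFields.cpp, the last section) — and the commit itself shows the cost of letting them drift: the same scoped-store opcodes (ConsoleScopedStFld, ConsoleScopedStFldStrict, ScopedStFld, ScopedStFldStrict) are being added to each of them separately, and a store opcode missing from any one of the three lets the optimizer carry a stale array or field value type across the store. Nothing in the hunks ties the three lists together, so the next opcode added to one of them can be missed in the others just as these were; at minimum each switch should carry a comment such as `// Keep in sync with ProcessArrayValueKills (GlobOptExpr.cpp) and ProcessFieldKills (GlobOptFields.cpp): a store opcode missing from any of the three kill sites leaves a stale value type live across the store.`, and a shared opcode list (a macro or a helper predicate that all three switches consult) would make the agreement mechanical rather than a review convention. The diffstat at the top of the page lists only the three lib/Backend files, so no regression test for the four CVEs accompanies the fix; a test that exercises a scoped store between a type-specialised array access and its reuse would lock the behaviour in. The body of CheckJsArrayKills continues outside the hunk, so which of the new opcodes fall under the `useValueTypes` handling cannot be confirmed from here.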
@@ -814,10 +814,15 @@ GlobOpt::ProcessArrayValueKills(IR::Instr *instr)
{
switch (instr->m_opcode)
{
case Js::OpCode::StElemC:
case Js::OpCode::StElemI_A:
case Js::OpCode::StElemI_A_Strict:
case Js::OpCode::DeleteElemI_A:
case Js::OpCode::DeleteElemIStrict_A:
case Js::OpCode::ConsoleScopedStFld:
case Js::OpCode::ConsoleScopedStFldStrict:
case Js::OpCode::ScopedStFld:
case Js::OpCode::ScopedStFldStrict:
case Js::OpCode::StFld:
case Js::OpCode::StRootFld:
case Js::OpCode::StFldStrict:
@@ -829,6 +834,8 @@ GlobOpt::ProcessArrayValueKills(IR::Instr *instr)
case Js::OpCode::DeleteRootFld:
case Js::OpCode::DeleteFldStrict:
case Js::OpCode::DeleteRootFldStrict:
case Js::OpCode::ScopedDeleteFld:
case Js::OpCode::ScopedDeleteFldStrict:
case Js::OpCode::StArrViewElem:
// These array helpers may change A.length (and A[i] could be A.length)...
case Js::OpCode::InlineArrayPush:
@@ -335,6 +335,7 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
IR::JnHelperMethod fnHelper;
switch(instr->m_opcode)
{
case Js::OpCode::StElemC:
case Js::OpCode::StElemI_A:
case Js::OpCode::StElemI_A_Strict:
Assert(dstOpnd != nullptr);
@@ -366,6 +367,8 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
case Js::OpCode::DeleteRootFld:
case Js::OpCode::DeleteFldStrict:
case Js::OpCode::DeleteRootFldStrict:
case Js::OpCode::ScopedDeleteFld:
case Js::OpCode::ScopedDeleteFldStrict:
sym = instr->GetSrc1()->AsSymOpnd()->m_sym;
KillLiveFields(sym->AsPropertySym(), bv);
if (inGlobOpt)
@@ -387,7 +390,29 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
this->KillAllObjectTypes(bv);
}
break;

case Js::OpCode::ConsoleScopedStFld:
case Js::OpCode::ConsoleScopedStFldStrict:
case Js::OpCode::ScopedStFld:
case Js::OpCode::ScopedStFldStrict:
// This is already taken care of for FastFld opcodes

if (inGlobOpt)
{
KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
}

// fall through

case Js::OpCode::InitFld:
case Js::OpCode::InitConstFld:
case Js::OpCode::InitLetFld:
case Js::OpCode::InitRootFld:
case Js::OpCode::InitRootConstFld:
case Js::OpCode::InitRootLetFld:
#if !FLOATVAR
case Js::OpCode::StSlotBoxTemp:
#endif
case Js::OpCode::StFld:
case Js::OpCode::StRootFld:
case Js::OpCode::StFldStrict:
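Review bot: The comment `// This is already taken care of for FastFld opcodes` above the new scoped-store cases in ProcessFieldKills does not say what "this" is, so a reader cannot tell whether the `KillObjectHeaderInlinedTypeSyms(this->currentBlock, false)` call that follows is the thing the FastFld opcodes already do, or something extra these opcodes need; a comment that names the action would read, for example, `// Scoped stores: kill the object-header-inlined type syms here (the FastFld opcodes do this on their own path), then fall through to the ordinary field-kill handling below.` — if that reading of the code is correct, which the hunk alone does not confirm. The bare `// fall through` comment after the `if (inGlobOpt)` block is not checked by the compiler; if the project's toolchain accepts it, `[[fallthrough]];` in its place lets -Wimplicit-fallthrough catch an accidental `break` inserted later. The switch continues past the end of the hunk, so the handling the scoped-store cases fall into is not visible here.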
