
CVE-2019-0989

wyrichte authored and pleath committed May 16, 2019
1 parent 66ab97c commit e0ce3f01c83c53f93e7299d7c8b389b17084aa1f
Showing with 22 additions and 12 deletions.
  1. +4 −1 lib/Backend/BackwardPass.cpp
  2. +8 −1 lib/Backend/IR.cpp
  3. +10 −10 lib/Runtime/ByteCode/OpCodes.h
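--- a/lib/Backend/BackwardPass.cpp
+++ b/lib/Backend/BackwardPass.cpp
@@ -4318,7 +4318,10 @@ BackwardPass::ProcessNoImplicitCallDef(IR::Instr *const instr)
 const bool transferArrayLengthSymUse = !!currentBlock->noImplicitCallArrayLengthSymUses->TestAndClear(dstSym->m_id);
 
 IR::Opnd *const src = instr->GetSrc1();
-if(!src || instr->GetSrc2())
+
+// Stop attempting to transfer noImplicitCallUses symbol if the instr is not a transfer instr (based on the opcode's
+// flags) or does not have the attributes to be a transfer instr (based on the existance of src and src2).
+if(!src || (instr->GetSrc2() && !OpCodeAttr::NonIntTransfer(instr->m_opcode)))
 {
 return;
 }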
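Review bot: The new comment above the guard says when the transfer is abandoned but not why a Src2 may be ignored for NonIntTransfer opcodes, and the same rule is restated separately in Instr::TransfersSrcValue (lib/Backend/IR.cpp), so the two conditions can drift apart. I would add `// For NonIntTransfer opcodes Src2 only mirrors Dst (see StSlotChkUndecl in OpCodes.h), so Src1 is still the value being transferred.` and fix the spelling `existance` -> `existence`. If the backend has a natural place for it, one helper used by both call sites would keep the backward pass and the value-transfer query in agreement. The rest of ProcessNoImplicitCallDef lies outside this hunk, so whether the code after the guard ever reads Src2 cannot be checked here.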
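--- a/lib/Backend/IR.cpp
+++ b/lib/Backend/IR.cpp
@@ -3307,7 +3307,14 @@ bool Instr::TransfersSrcValue()
 
 // Consider: Add opcode attribute to indicate whether the opcode would use the value or not
 
-return this->GetDst() != nullptr && this->GetSrc2() == nullptr && !OpCodeAttr::DoNotTransfer(this->m_opcode) && !this->CallsAccessor();
+return
+this->GetDst() != nullptr &&
+
+// The lack of a Src2 does not always indicate that the instr is not a transfer instr (ex: StSlotChkUndecl).
+(this->GetSrc2() == nullptr || OpCodeAttr::NonIntTransfer(this->m_opcode)) &&
+
+!OpCodeAttr::DoNotTransfer(this->m_opcode) &&
+!this->CallsAccessor();
 }
 
 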
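Review bot: The comment added inside the return expression states the opposite of what the condition does: the line below it accepts an instruction that has a Src2 when the opcode carries NonIntTransfer, so it is the presence of a Src2, not the lack of one, that no longer rules out a transfer. Suggested wording: `// The presence of a Src2 does not always mean the instr is not a transfer instr (ex: StSlotChkUndecl).` The relaxation also keys on the attribute rather than on the ChkUndecl opcodes, so any other two-source opcode that already carries OpNonIntTransfer would now make TransfersSrcValue() return true; that list is not visible on this page and is worth checking. The start of the function is outside the hunk.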
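--- a/lib/Runtime/ByteCode/OpCodes.h
+++ b/lib/Runtime/ByteCode/OpCodes.h
@@ -464,21 +464,21 @@ MACRO_WMS( StEnvSlot, ElementSlotI2, None)
 MACRO_WMS( StInnerSlot, ElementSlotI2, None)
 MACRO_WMS( StLocalSlot, ElementSlotI1, None)
 MACRO_EXTEND_WMS( StParamSlot, ElementSlotI1, None)
-MACRO_BACKEND_ONLY( StSlotChkUndecl, ElementSlot, OpSideEffect)
-MACRO_EXTEND_WMS( StEnvSlotChkUndecl, ElementSlotI2, OpSideEffect)
-MACRO_EXTEND_WMS( StInnerSlotChkUndecl, ElementSlotI2, OpSideEffect)
-MACRO_EXTEND_WMS( StLocalSlotChkUndecl, ElementSlotI1, OpSideEffect)
-MACRO_EXTEND_WMS( StParamSlotChkUndecl, ElementSlotI1, OpSideEffect)
+MACRO_BACKEND_ONLY( StSlotChkUndecl, ElementSlot, OpSideEffect|OpNonIntTransfer) // Src1 is transferred to Dst, Src2 holds the same value as Dst to communicate Dst's liveness.
+MACRO_EXTEND_WMS( StEnvSlotChkUndecl, ElementSlotI2, OpSideEffect|OpNonIntTransfer)
+MACRO_EXTEND_WMS( StInnerSlotChkUndecl, ElementSlotI2, OpSideEffect|OpNonIntTransfer)
+MACRO_EXTEND_WMS( StLocalSlotChkUndecl, ElementSlotI1, OpSideEffect|OpNonIntTransfer)
+MACRO_EXTEND_WMS( StParamSlotChkUndecl, ElementSlotI1, OpSideEffect|OpNonIntTransfer)
 MACRO_EXTEND_WMS( StObjSlot, ElementSlot, OpSideEffect)
 MACRO_EXTEND_WMS( StInnerObjSlot, ElementSlotI2, OpSideEffect)
 MACRO_EXTEND_WMS( StLocalObjSlot, ElementSlotI1, OpSideEffect)
 MACRO_EXTEND_WMS( StParamObjSlot, ElementSlotI1, OpSideEffect)
-MACRO_EXTEND_WMS( StLocalObjSlotChkUndecl, ElementSlotI1, OpSideEffect)
-MACRO_EXTEND_WMS( StParamObjSlotChkUndecl, ElementSlotI1, OpSideEffect)
+MACRO_EXTEND_WMS( StLocalObjSlotChkUndecl, ElementSlotI1, OpSideEffect|OpNonIntTransfer)
+MACRO_EXTEND_WMS( StParamObjSlotChkUndecl, ElementSlotI1, OpSideEffect|OpNonIntTransfer)
 MACRO_EXTEND_WMS( StEnvObjSlot, ElementSlotI2, OpSideEffect)
-MACRO_EXTEND_WMS( StObjSlotChkUndecl, ElementSlot, OpSideEffect)
-MACRO_EXTEND_WMS( StInnerObjSlotChkUndecl, ElementSlotI2, OpSideEffect)
-MACRO_EXTEND_WMS( StEnvObjSlotChkUndecl, ElementSlotI2, OpSideEffect)
+MACRO_EXTEND_WMS( StObjSlotChkUndecl, ElementSlot, OpSideEffect|OpNonIntTransfer)
+MACRO_EXTEND_WMS( StInnerObjSlotChkUndecl, ElementSlotI2, OpSideEffect|OpNonIntTransfer)
+MACRO_EXTEND_WMS( StEnvObjSlotChkUndecl, ElementSlotI2, OpSideEffect|OpNonIntTransfer)
 MACRO_EXTEND_WMS( StModuleSlot, ElementSlotI2, OpSideEffect)
 MACRO_BACKEND_ONLY( LdAsmJsFunc, ElementSlot, OpTempNumberSources|OpCanCSE)
 MACRO_BACKEND_ONLY( LdWasmFunc, ElementSlot, OpSideEffect)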
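Review bot: Only the StSlotChkUndecl line explains why OpNonIntTransfer is correct there (Src1 goes to Dst, Src2 mirrors Dst); the other nine ChkUndecl opcodes that gain the flag presumably rely on the same invariant, but nothing on those lines says so. If the invariant does hold for all of them, one comment above the group, for example `// *SlotChkUndecl stores: Src1 is transferred to Dst; Src2 mirrors Dst for liveness only, hence OpNonIntTransfer.`, would keep a later edit from dropping or adding the flag on a single entry by mistake. The diffstat lists only these three source files, so the commit appears to carry no regression test; a JIT test that stores through each ChkUndecl slot form would pin the corrected transfer tracking.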
