
[CVE-2019-1298]

pleath authored and MikeHolman committed Jul 15, 2019
1 parent 1e5d3f5 commit fe8f981f8e426ff61159e750a368e94ecbb87782
@@ -5422,7 +5422,14 @@ BackwardPass::TrackObjTypeSpecProperties(IR::PropertySymOpnd *opnd, BasicBlock *
// Some instr protected by this one requires a monomorphic type check. (E.g., final type opt,
// fixed field not loaded from prototype.) Note the IsTypeAvailable test above: only do this at
// the initial type check that protects this path.
opnd->SetMonoGuardType(bucket->GetMonoGuardType());
if (!opnd->SetMonoGuardType(bucket->GetMonoGuardType()))
{
// We can't safely check for the required type here. Clear the objtypespec info to disable optimization
// using this inline cache, since there appears to be a mismatch, and re-jit.
// (Dead store pass is too late to generate the bailout points we need to use this type correctly.)
this->currentInstr->m_func->ClearObjTypeSpecFldInfo(opnd->m_inlineCacheIndex);
throw Js::RejitException(RejitReason::FailedEquivalentTypeCheck);
}
this->currentInstr->ChangeEquivalentToMonoTypeCheckBailOut();
}
bucket->SetMonoGuardType(nullptr);
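Review bot: The `throw Js::RejitException(RejitReason::FailedEquivalentTypeCheck)` relies entirely on the preceding `ClearObjTypeSpecFldInfo` call to keep the next jit from reaching the same mismatch, because the matching `case` in Func::Codegen sets no disable flag; that only holds if the cleared entry is what the next jit of this function actually reads, which is not visible here and is worth confirming if the JIT-time data is a per-work-item copy. The "there appears to be a mismatch" wording could also say what mismatched, since the condition lives in `SetMonoGuardType`: `// The mono guard type a dependent instr needs is not in this check's equivalent type set (or a different guard type was already set), so this check cannot be made monomorphic here.` TrackObjTypeSpecProperties starts before and ends after this hunk.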
@@ -348,6 +348,9 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
case RejitReason::MemOpDisabled:
outputData->disableMemOp = TRUE;
break;
case RejitReason::FailedEquivalentTypeCheck:
// No disable flag. The thrower of the re-jit exception must guarantee that objtypespec is disabled where appropriate.
break;
default:
Assume(UNREACHED);
}
@@ -1521,6 +1524,12 @@ Func::GetObjTypeSpecFldInfo(const uint index) const
return GetWorkItem()->GetJITTimeInfo()->GetObjTypeSpecFldInfo(index);
}

void
Func::ClearObjTypeSpecFldInfo(const uint index)
{
GetWorkItem()->GetJITTimeInfo()->ClearObjTypeSpecFldInfo(index);
}

ObjTypeSpecFldInfo*
Func::GetGlobalObjTypeSpecFldInfo(uint propertyInfoId) const
{
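Review bot: `Func::ClearObjTypeSpecFldInfo` is added between two accessors with no comment on what clearing implies for the rest of the jit, and its only visible caller throws a rejit immediately after it; that expectation belongs on the definition: `// Drops the objtypespec info for inline cache `index` from the JIT-time data. Callers are expected to abort the current jit afterwards, since instrs already specialized on this info are not revisited.` The second sentence is inferred from the BackwardPass caller rather than from anything in this hunk, so confirm it before keeping it.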
@@ -579,6 +579,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
Js::Var AllocateNumber(double value);

ObjTypeSpecFldInfo* GetObjTypeSpecFldInfo(const uint index) const;
void ClearObjTypeSpecFldInfo(const uint index);
ObjTypeSpecFldInfo* GetGlobalObjTypeSpecFldInfo(uint propertyInfoId) const;

// Gets an inline cache pointer to use in jitted code. Cached data may not be stable while jitting. Does not return null.
@@ -311,6 +311,18 @@ FunctionJITTimeInfo::GetObjTypeSpecFldInfo(uint index) const
return reinterpret_cast<ObjTypeSpecFldInfo *>(m_data.objTypeSpecFldInfoArray[index]);
}

void
FunctionJITTimeInfo::ClearObjTypeSpecFldInfo(uint index)
{
if (m_data.objTypeSpecFldInfoArray == nullptr)
{
return;
}
AssertOrFailFast(index < m_data.objTypeSpecFldInfoCount);

m_data.objTypeSpecFldInfoArray[index] = nullptr;
}

ObjTypeSpecFldInfo *
FunctionJITTimeInfo::GetGlobalObjTypeSpecFldInfo(uint index) const
{
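Review bot: The early `return` when `objTypeSpecFldInfoArray` is null turns the clear into a silent no-op while the BackwardPass caller still throws its rejit, and because that rejit reason sets no disable flag nothing else prevents the next jit from taking the same path. If the caller can only reach this with a non-null array (it obtained the opnd's objtypespec info from this same array), `AssertOrFailFast(m_data.objTypeSpecFldInfoArray != nullptr);` documents and enforces that; otherwise make the outcome observable, e.g. `bool FunctionJITTimeInfo::ClearObjTypeSpecFldInfo(uint index)` returning whether an entry was actually cleared. Using `AssertOrFailFast` rather than a debug-only assert for the index bound is the right choice here, since `index` is an inline cache index taken from the operand rather than a value this class controls.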
@@ -38,6 +38,7 @@ class FunctionJITTimeInfo
const BVFixed * GetInlineesBV() const;
const FunctionJITTimeInfo * GetJitTimeDataFromFunctionInfoAddr(intptr_t polyFuncInfo) const;
ObjTypeSpecFldInfo * GetObjTypeSpecFldInfo(uint index) const;
void ClearObjTypeSpecFldInfo(uint index);
ObjTypeSpecFldInfo * GetGlobalObjTypeSpecFldInfo(uint index) const;
uint GetGlobalObjTypeSpecFldInfoCount() const;
const FunctionJITRuntimeInfo * GetInlineeForTargetInlineeRuntimeData(const Js::ProfileId profiledCallSiteId, intptr_t inlineeFuncBodyAddr) const;
@@ -799,9 +799,17 @@ class PropertySymOpnd sealed : public SymOpnd
return this->monoGuardType;
}

void SetMonoGuardType(JITTypeHolder type)
bool SetMonoGuardType(JITTypeHolder type)
{
if (!(this->monoGuardType == nullptr || this->monoGuardType == type) ||
!((HasEquivalentTypeSet() && GetEquivalentTypeSet()->Contains(type)) ||
(!HasEquivalentTypeSet() && GetType() == type)))
{
// Required type is not in the available set, or we already set the type to something else. Inform the caller.
return false;
}
this->monoGuardType = type;
return true;
}

bool NeedsMonoCheck() const
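Review bot: The guard condition in `SetMonoGuardType` is a negation over two nested disjunctions, which makes the check that constitutes the actual fix hard to read and audit; naming the two facts keeps the same truth table and makes the intent legible. The return value is the whole fix — the pre-change caller called this unconditionally — so the declaration should state that the result must be checked (`_Check_return_` on MSVC, `[[nodiscard]]` where the toolchain's C++17 support allows, otherwise a comment `// Callers must check the result: false means the required type cannot be guarded by this check.`). The enclosing class PropertySymOpnd starts before this hunk.
```cpp
bool SetMonoGuardType(JITTypeHolder type)
{
    // Either no mono guard type was requested yet, or the same one is being requested again.
    const bool guardUnsetOrSame = this->monoGuardType == nullptr || this->monoGuardType == type;
    // The requested type must be one this operand's type check actually proves.
    const bool typeIsCovered = HasEquivalentTypeSet()
        ? GetEquivalentTypeSet()->Contains(type)
        : GetType() == type;
    if (!guardUnsetOrSame || !typeIsCovered)
    {
        // Required type is not in the available set, or we already set the type to something else. Inform the caller.
        return false;
    }
    this->monoGuardType = type;
    return true;
}
```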
