[1.11>master] [MERGE #6087 @akroshg] April servicing update for ChakraCore

akroshg · akroshg · commit 49a33287c905 · 2019-04-10T10:10:48.000-07:00
Merge pull request #6087 from akroshg:stage1904 Fixes CVE-2019-0739 CVE-2019-0806 CVE-2019-0810 CVE-2019-0812 CVE-2019-0829 CVE-2019-0860 CVE-2019-0861
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -3286,10 +3286,14 @@ GlobOpt::OptSrc(IR::Opnd *opnd, IR::Instr * *pInstr, Value **indirIndexValRef, I
         }
         originalPropertySym = sym->AsPropertySym();
 
-        // Dont give a value to 'arguments' property sym to prevent field copy prop of 'arguments'
+        // Don't give a value to 'arguments' property sym to prevent field copy prop of 'arguments'
         if (originalPropertySym->AsPropertySym()->m_propertyId == Js::PropertyIds::arguments &&
             originalPropertySym->AsPropertySym()->m_fieldKind == PropertyKindData)
         {
+            if (opnd->AsSymOpnd()->IsPropertySymOpnd())
+            {
+                this->FinishOptPropOp(instr, opnd->AsPropertySymOpnd());
+            }
             return nullptr;
         }
 
@@ -4841,7 +4845,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
         }
         else
         {
-            return NewGenericValue(src1ValueInfo->Type().ToDefiniteAnyNumber(), dst);
+            return NewGenericValue(src1ValueInfo->Type().ToDefiniteAnyNumber().SetCanBeTaggedValue(true), dst);
         }
         break;
 
@@ -4902,7 +4906,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
         {
             valueType = ValueType::Number;
         }
-        return CreateDstUntransferredValue(valueType, instr, src1Val, src2Val);
+        return CreateDstUntransferredValue(valueType.SetCanBeTaggedValue(true), instr, src1Val, src2Val);
     }
 
     case Js::OpCode::Add_A:
@@ -4936,12 +4940,12 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
                     {
                         // If one of them is a float, the result probably is a float instead of just int
                         // but should always be a number.
-                        valueType = ValueType::Float;
+                        valueType = ValueType::Float.SetCanBeTaggedValue(true);
                     }
                     else
                     {
                         // Could be int, could be number
-                        valueType = ValueType::Number;
+                        valueType = ValueType::Number.SetCanBeTaggedValue(true);
                     }
                 }
                 else if (src1ValueInfo->IsLikelyFloat() || src2ValueInfo->IsLikelyFloat())
@@ -4965,7 +4969,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
             && (src2Val && src2ValueInfo->IsNotString() && src2ValueInfo->IsPrimitive()))
         {
             // If src1 and src2 are not strings and primitive, add should yield a number.
-            valueType = ValueType::Number;
+            valueType = ValueType::Number.SetCanBeTaggedValue(true);
         }
         else if((src1Val && src1ValueInfo->IsLikelyString()) || (src2Val && src2ValueInfo->IsLikelyString()))
         {
@@ -4986,7 +4990,7 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
             ValueType divValueType = GetDivValueType(instr, src1Val, src2Val, false);
             if (divValueType.IsLikelyInt() || divValueType.IsFloat())
             {
-                return CreateDstUntransferredValue(divValueType, instr, src1Val, src2Val);
+                return CreateDstUntransferredValue(divValueType.SetCanBeTaggedValue(true), instr, src1Val, src2Val);
             }
         }
         // fall-through
@@ -5018,11 +5022,11 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
             // This should ideally be NewNumberAndLikelyFloatValue since we know the result is a number but not sure if it will
             // be a float value. However, that Number/LikelyFloat value type doesn't exist currently and all the necessary
             // checks are done for float values (tagged int checks, etc.) so it's sufficient to just create a float value here.
-            valueType = ValueType::Float;
+            valueType = ValueType::Float.SetCanBeTaggedValue(true);
         }
         else
         {
-            valueType = ValueType::Number;
+            valueType = ValueType::Number.SetCanBeTaggedValue(true);
         }
 
         return CreateDstUntransferredValue(valueType, instr, src1Val, src2Val);
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -229,10 +229,17 @@ GlobOpt::KillLiveElems(IR::IndirOpnd * indirOpnd, BVSparse<JitArenaAllocator> *
         this->KillAllFields(bv); // This also kills all property type values, as the same bit-vector tracks those stack syms
         SetAnyPropertyMayBeWrittenTo();
     }
-    else if (inGlobOpt && indexOpnd && !indexOpnd->GetValueType().IsInt() && !currentBlock->globOptData.IsInt32TypeSpecialized(indexOpnd->m_sym))
+    else if (inGlobOpt)
     {
-        // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout
-        this->KillAllObjectTypes(bv);
+        Value * indexValue = indexOpnd ? this->currentBlock->globOptData.FindValue(indexOpnd->GetSym()) : nullptr;
+        ValueInfo * indexValueInfo = indexValue ? indexValue->GetValueInfo() : nullptr;
+        int indexLowerBound = 0;
+
+        if (indirOpnd->GetOffset() < 0 || (indexOpnd && (!indexValueInfo || !indexValueInfo->TryGetIntConstantLowerBound(&indexLowerBound, false) || indexLowerBound < 0)))
+        {
+            // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout
+            this->KillAllObjectTypes(bv);
+        }
     }
 }
 
@@ -479,7 +486,9 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
     case Js::OpCode::NewScObjectNoCtor:
         if (inGlobOpt)
         {
-            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+            // Opcodes that make an object into a prototype may break object-header-inlining and final type opt.
+            // Kill all known object layouts.
+            KillAllObjectTypes(bv);
         }
         break;
 
diff --git a/lib/Backend/JITType.cpp b/lib/Backend/JITType.cpp
@@ -35,7 +35,7 @@ JITType::BuildFromJsType(__in Js::Type * jsType, __out JITType * jitType)
 
         Js::DynamicTypeHandler * handler = dynamicType->GetTypeHandler();
         data->handler.isObjectHeaderInlinedTypeHandler = handler->IsObjectHeaderInlinedTypeHandler();
-        data->handler.isLocked = handler->GetIsLocked();
+        data->handler.flags = handler->GetFlags();
         data->handler.inlineSlotCapacity = handler->GetInlineSlotCapacity();
         data->handler.offsetOfInlineSlots = handler->GetOffsetOfInlineSlots();
         data->handler.slotCapacity = handler->GetSlotCapacity();
diff --git a/lib/Backend/JITTypeHandler.cpp b/lib/Backend/JITTypeHandler.cpp
@@ -19,7 +19,13 @@ JITTypeHandler::IsObjectHeaderInlinedTypeHandler() const
 bool
 JITTypeHandler::IsLocked() const
 {
-    return m_data.isLocked != FALSE;
+    return Js::DynamicTypeHandler::GetIsLocked(m_data.flags);
+}
+
+bool
+JITTypeHandler::IsPrototype() const
+{
+    return Js::DynamicTypeHandler::GetIsPrototype(m_data.flags);
 }
 
 uint16
diff --git a/lib/Backend/JITTypeHandler.h b/lib/Backend/JITTypeHandler.h
@@ -12,6 +12,7 @@ class JITTypeHandler
 
     bool IsObjectHeaderInlinedTypeHandler() const;
     bool IsLocked() const;
+    bool IsPrototype() const;
 
     uint16 GetInlineSlotCapacity() const;
     uint16 GetOffsetOfInlineSlots() const;
diff --git a/lib/Backend/Lower.cpp b/lib/Backend/Lower.cpp
@@ -6208,7 +6208,7 @@ Lowerer::GenerateLdFldWithCachedType(IR::Instr * instrLdFld, bool* continueAsHel
 
     // Load the value from the slot, getting the slot ID from the cache.
     uint16 index = propertySymOpnd->GetSlotIndex();
-    Assert(index != -1);
+    AssertOrFailFast(index != (uint16)-1);
 
     if (opndSlotArray->IsRegOpnd())
     {
@@ -7247,7 +7247,7 @@ Lowerer::GenerateDirectFieldStore(IR::Instr* instrStFld, IR::PropertySymOpnd* pr
 
     // Store the value to the slot, getting the slot index from the cache.
     uint16 index = propertySymOpnd->GetSlotIndex();
-    Assert(index != -1);
+    AssertOrFailFast(index != (uint16)-1);
 
 #if defined(RECYCLER_WRITE_BARRIER_JIT) && (defined(_M_IX86) || defined(_M_AMD64))
     if (opndSlotArray->IsRegOpnd())
@@ -7399,6 +7399,19 @@ Lowerer::GenerateStFldWithCachedType(IR::Instr *instrStFld, bool* continueAsHelp
             !instrStFld->HasBailOutInfo() || instrStFld->OnlyHasLazyBailOut(),
             "Why does a direct field store have bailout that is not lazy?"
         );
+
+        if (propertySymOpnd->HasInitialType() && propertySymOpnd->HasFinalType())
+        {
+            bool isPrototypeTypeHandler = propertySymOpnd->GetInitialType()->GetTypeHandler()->IsPrototype();
+            if (isPrototypeTypeHandler)
+            {
+                LoadScriptContext(instrStFld);
+                m_lowererMD.LoadHelperArgument(instrStFld, IR::IntConstOpnd::New(propertySymOpnd->GetPropertyId(), TyInt32, m_func, true));
+                IR::Instr * invalidateCallInstr = IR::Instr::New(Js::OpCode::Call, m_func);
+                instrStFld->InsertBefore(invalidateCallInstr);
+                m_lowererMD.ChangeToHelperCall(invalidateCallInstr, IR::HelperInvalidateProtoCaches);
+            }
+        }
         instrStFld->Remove();
         return true;
     }
@@ -8215,6 +8228,16 @@ Lowerer::GenerateFieldStoreWithTypeChange(IR::Instr * instrStFld, IR::PropertySy
 
     // Now do the store.
     GenerateDirectFieldStore(instrStFld, propertySymOpnd);
+
+    bool isPrototypeTypeHandler = initialType->GetTypeHandler()->IsPrototype();
+    if (isPrototypeTypeHandler)
+    {
+        LoadScriptContext(instrStFld);
+        m_lowererMD.LoadHelperArgument(instrStFld, IR::IntConstOpnd::New(propertySymOpnd->GetPropertyId(), TyInt32, m_func, true));
+        IR::Instr * invalidateCallInstr = IR::Instr::New(Js::OpCode::Call, m_func);
+        instrStFld->InsertBefore(invalidateCallInstr);
+        m_lowererMD.ChangeToHelperCall(invalidateCallInstr, IR::HelperInvalidateProtoCaches);
+    }
 }
 
 bool
diff --git a/lib/JITIDL/JITTypes.h b/lib/JITIDL/JITTypes.h
@@ -90,7 +90,7 @@ typedef IDL_DEF([ref]) PSCRIPTCONTEXT_HANDLE * PPSCRIPTCONTEXT_HANDLE;
 typedef struct TypeHandlerIDL
 {
     IDL_Field(boolean) isObjectHeaderInlinedTypeHandler;
-    IDL_Field(boolean) isLocked;
+    IDL_Field(unsigned char) flags;
 
     IDL_Field(unsigned short) inlineSlotCapacity;
     IDL_Field(unsigned short) offsetOfInlineSlots;
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -9849,6 +9849,11 @@ using namespace Js;
 
             Var result = CALL_ENTRYPOINT(threadContext, marshalledFunction->GetEntryPoint(), function, CallInfo(flags, 2), thisVar, putValue);
             Assert(result);
+
+            // Set implicit call flags so we bail out if we're trying to propagate the stored value forward. We can't count on the getter/setter
+            // to produce the stored value on a LdFld.
+            threadContext->AddImplicitCallFlags(ImplicitCall_Accessor);
+
             return nullptr;
         });
     }
diff --git a/lib/Runtime/Library/JavascriptRegExpConstructor.cpp b/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
@@ -360,6 +360,10 @@ namespace Js
                 EnsureValues(); // The last match info relies on the last input. Use it before it is changed.
                 this->lastInput = tempInput;
             }
+
+            // Set implicit call flags since we are not necessarily making the original stored value available on re-load
+            // and are killing the store that backs two exposed properties.
+            this->GetScriptContext()->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor);
             *result = true;
             return true;
         case PropertyIds::lastMatch:
diff --git a/lib/Runtime/Types/DictionaryTypeHandler.cpp b/lib/Runtime/Types/DictionaryTypeHandler.cpp
@@ -139,7 +139,7 @@ namespace Js
                 PropertyString* propertyString = scriptContext->GetPropertyString(*propertyId);
                 *propertyStringName = propertyString;
                 T dataSlot = descriptor.template GetDataPropertyIndex<false>();
-                if (dataSlot != NoSlots && (attribs & PropertyWritable))
+                if (dataSlot != NoSlots && (attribs & PropertyWritable) && type == typeToEnumerate)
                 {
                     PropertyValueInfo::SetCacheInfo(info, propertyString, propertyString->GetLdElemInlineCache(), false);
                     SetPropertyValueInfo(info, instance, dataSlot, &descriptor);
diff --git a/lib/Runtime/Types/SimpleTypeHandler.cpp b/lib/Runtime/Types/SimpleTypeHandler.cpp
@@ -326,7 +326,7 @@ namespace Js
                 *propertyStringName = propStr;
 
                 PropertyValueInfo::SetCacheInfo(info, propStr, propStr->GetLdElemInlineCache(), false);
-                if ((attribs & PropertyWritable) == PropertyWritable)
+                if ((attribs & PropertyWritable) == PropertyWritable && type == typeToEnumerate)
                 {
                     PropertyValueInfo::Set(info, instance, index, attribs);
                 }
diff --git a/lib/Runtime/Types/TypeHandler.h b/lib/Runtime/Types/TypeHandler.h
@@ -348,13 +348,17 @@ namespace Js
              (v) Seal
             (vi) Freeze
         */
-        bool GetIsLocked() const { return (this->flags & IsLockedFlag) != 0; }
+        bool GetIsLocked() const { return GetIsLocked(this->flags); }
+        static bool GetIsLocked(byte flags) { return (flags & IsLockedFlag) != 0; }
 
         bool GetIsShared() const { return (this->flags & IsSharedFlag) != 0; }
         bool GetMayBecomeShared() const { return (this->flags & MayBecomeSharedFlag) != 0; }
         bool GetIsOrMayBecomeShared() const { return (this->flags & (MayBecomeSharedFlag | IsSharedFlag)) != 0; }
         bool GetHasKnownSlot0() const { return (this->flags & HasKnownSlot0Flag) != 0; }
-        bool GetIsPrototype() const { return (this->flags & IsPrototypeFlag) != 0; }
+
+        bool GetIsPrototype() const { return GetIsPrototype(this->flags); }
+        static bool GetIsPrototype(byte flags) { return (flags & IsPrototypeFlag) != 0; }
+
         bool GetIsInlineSlotCapacityLocked() const { return (this->propertyTypes & PropertyTypesInlineSlotCapacityLocked) != 0; }
 
         void LockTypeHandler() { Assert(IsLockable()); SetFlags(IsLockedFlag); }

Original file line number	Diff line number	Diff line change
`@@ -3286,10 +3286,14 @@ GlobOpt::OptSrc(IR::Opnd opnd, IR::Instr pInstr, Value *indirIndexValRef, I`
`3286`	`3286`	`}`
`3287`	`3287`	`originalPropertySym = sym->AsPropertySym();`
`3288`	`3288`
`3289`		`- // Dont give a value to 'arguments' property sym to prevent field copy prop of 'arguments'`
	`3289`	`+ // Don't give a value to 'arguments' property sym to prevent field copy prop of 'arguments'`
`3290`	`3290`	`if (originalPropertySym->AsPropertySym()->m_propertyId == Js::PropertyIds::arguments &&`
`3291`	`3291`	`originalPropertySym->AsPropertySym()->m_fieldKind == PropertyKindData)`
`3292`	`3292`	`{`
	`3293`	`+ if (opnd->AsSymOpnd()->IsPropertySymOpnd())`
	`3294`	`+ {`
	`3295`	`+ this->FinishOptPropOp(instr, opnd->AsPropertySymOpnd());`
	`3296`	`+ }`
`3293`	`3297`	`return nullptr;`
`3294`	`3298`	`}`
`3295`	`3299`
`@@ -4841,7 +4845,7 @@ GlobOpt::ValueNumberDst(IR::Instr *pInstr, Value src1Val, Value *src2Val)`
`4841`	`4845`	`}`
`4842`	`4846`	`else`
`4843`	`4847`	`{`
`4844`		`- return NewGenericValue(src1ValueInfo->Type().ToDefiniteAnyNumber(), dst);`
	`4848`	`+ return NewGenericValue(src1ValueInfo->Type().ToDefiniteAnyNumber().SetCanBeTaggedValue(true), dst);`
`4845`	`4849`	`}`
`4846`	`4850`	`break;`
`4847`	`4851`
`@@ -4902,7 +4906,7 @@ GlobOpt::ValueNumberDst(IR::Instr *pInstr, Value src1Val, Value *src2Val)`
`4902`	`4906`	`{`
`4903`	`4907`	`valueType = ValueType::Number;`
`4904`	`4908`	`}`
`4905`		`- return CreateDstUntransferredValue(valueType, instr, src1Val, src2Val);`
	`4909`	`+ return CreateDstUntransferredValue(valueType.SetCanBeTaggedValue(true), instr, src1Val, src2Val);`
`4906`	`4910`	`}`
`4907`	`4911`
`4908`	`4912`	`case Js::OpCode::Add_A:`
`@@ -4936,12 +4940,12 @@ GlobOpt::ValueNumberDst(IR::Instr *pInstr, Value src1Val, Value *src2Val)`
`4936`	`4940`	`{`
`4937`	`4941`	`// If one of them is a float, the result probably is a float instead of just int`
`4938`	`4942`	`// but should always be a number.`
`4939`		`- valueType = ValueType::Float;`
	`4943`	`+ valueType = ValueType::Float.SetCanBeTaggedValue(true);`
`4940`	`4944`	`}`
`4941`	`4945`	`else`
`4942`	`4946`	`{`
`4943`	`4947`	`// Could be int, could be number`
`4944`		`- valueType = ValueType::Number;`
	`4948`	`+ valueType = ValueType::Number.SetCanBeTaggedValue(true);`
`4945`	`4949`	`}`
`4946`	`4950`	`}`
`4947`	`4951`	`else if (src1ValueInfo->IsLikelyFloat() \|\| src2ValueInfo->IsLikelyFloat())`
`@@ -4965,7 +4969,7 @@ GlobOpt::ValueNumberDst(IR::Instr *pInstr, Value src1Val, Value *src2Val)`
`4965`	`4969`	`&& (src2Val && src2ValueInfo->IsNotString() && src2ValueInfo->IsPrimitive()))`
`4966`	`4970`	`{`
`4967`	`4971`	`// If src1 and src2 are not strings and primitive, add should yield a number.`
`4968`		`- valueType = ValueType::Number;`
	`4972`	`+ valueType = ValueType::Number.SetCanBeTaggedValue(true);`
`4969`	`4973`	`}`
`4970`	`4974`	`else if((src1Val && src1ValueInfo->IsLikelyString()) \|\| (src2Val && src2ValueInfo->IsLikelyString()))`
`4971`	`4975`	`{`
`@@ -4986,7 +4990,7 @@ GlobOpt::ValueNumberDst(IR::Instr *pInstr, Value src1Val, Value *src2Val)`
`4986`	`4990`	`ValueType divValueType = GetDivValueType(instr, src1Val, src2Val, false);`
`4987`	`4991`	`if (divValueType.IsLikelyInt() \|\| divValueType.IsFloat())`
`4988`	`4992`	`{`
`4989`		`- return CreateDstUntransferredValue(divValueType, instr, src1Val, src2Val);`
	`4993`	`+ return CreateDstUntransferredValue(divValueType.SetCanBeTaggedValue(true), instr, src1Val, src2Val);`
`4990`	`4994`	`}`
`4991`	`4995`	`}`
`4992`	`4996`	`// fall-through`
`@@ -5018,11 +5022,11 @@ GlobOpt::ValueNumberDst(IR::Instr *pInstr, Value src1Val, Value *src2Val)`
`5018`	`5022`	`// This should ideally be NewNumberAndLikelyFloatValue since we know the result is a number but not sure if it will`
`5019`	`5023`	`// be a float value. However, that Number/LikelyFloat value type doesn't exist currently and all the necessary`
`5020`	`5024`	`// checks are done for float values (tagged int checks, etc.) so it's sufficient to just create a float value here.`
`5021`		`- valueType = ValueType::Float;`
	`5025`	`+ valueType = ValueType::Float.SetCanBeTaggedValue(true);`
`5022`	`5026`	`}`
`5023`	`5027`	`else`
`5024`	`5028`	`{`
`5025`		`- valueType = ValueType::Number;`
	`5029`	`+ valueType = ValueType::Number.SetCanBeTaggedValue(true);`
`5026`	`5030`	`}`
`5027`	`5031`
`5028`	`5032`	`return CreateDstUntransferredValue(valueType, instr, src1Val, src2Val);`
Original file line number	Diff line number	Diff line change
`@@ -229,10 +229,17 @@ GlobOpt::KillLiveElems(IR::IndirOpnd * indirOpnd, BVSparse<JitArenaAllocator> *`
`229`	`229`	`this->KillAllFields(bv); // This also kills all property type values, as the same bit-vector tracks those stack syms`
`230`	`230`	`SetAnyPropertyMayBeWrittenTo();`
`231`	`231`	`}`
`232`		`- else if (inGlobOpt && indexOpnd && !indexOpnd->GetValueType().IsInt() && !currentBlock->globOptData.IsInt32TypeSpecialized(indexOpnd->m_sym))`
	`232`	`+ else if (inGlobOpt)`
`233`	`233`	`{`
`234`		`- // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout`
`235`		`- this->KillAllObjectTypes(bv);`
	`234`	`+ Value * indexValue = indexOpnd ? this->currentBlock->globOptData.FindValue(indexOpnd->GetSym()) : nullptr;`
	`235`	`+ ValueInfo * indexValueInfo = indexValue ? indexValue->GetValueInfo() : nullptr;`
	`236`	`+ int indexLowerBound = 0;`
	`237`	`+`
	`238`	`+ if (indirOpnd->GetOffset() < 0 \|\| (indexOpnd && (!indexValueInfo \|\| !indexValueInfo->TryGetIntConstantLowerBound(&indexLowerBound, false) \|\| indexLowerBound < 0)))`
	`239`	`+ {`
	`240`	`+ // Write/delete to a non-integer numeric index can't alias a name on the RHS of a dot, but it change object layout`
	`241`	`+ this->KillAllObjectTypes(bv);`
	`242`	`+ }`
`236`	`243`	`}`
`237`	`244`	`}`
`238`	`245`
`@@ -479,7 +486,9 @@ GlobOpt::ProcessFieldKills(IR::Instr instr, BVSparse<JitArenaAllocator> bv, bo`
`479`	`486`	`case Js::OpCode::NewScObjectNoCtor:`
`480`	`487`	`if (inGlobOpt)`
`481`	`488`	`{`
`482`		`- KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);`
	`489`	`+ // Opcodes that make an object into a prototype may break object-header-inlining and final type opt.`
	`490`	`+ // Kill all known object layouts.`
	`491`	`+ KillAllObjectTypes(bv);`
`483`	`492`	`}`
`484`	`493`	`break;`
`485`	`494`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,13 @@ JITTypeHandler::IsObjectHeaderInlinedTypeHandler() const`
`19`	`19`	`bool`
`20`	`20`	`JITTypeHandler::IsLocked() const`
`21`	`21`	`{`
`22`		`- return m_data.isLocked != FALSE;`
	`22`	`+ return Js::DynamicTypeHandler::GetIsLocked(m_data.flags);`
	`23`	`+}`
	`24`	`+`
	`25`	`+bool`
	`26`	`+JITTypeHandler::IsPrototype() const`
	`27`	`+{`
	`28`	`+ return Js::DynamicTypeHandler::GetIsPrototype(m_data.flags);`
`23`	`29`	`}`
`24`	`30`
`25`	`31`	`uint16`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ typedef IDL_DEF([ref]) PSCRIPTCONTEXT_HANDLE * PPSCRIPTCONTEXT_HANDLE;`
`90`	`90`	`typedef struct TypeHandlerIDL`
`91`	`91`	`{`
`92`	`92`	`IDL_Field(boolean) isObjectHeaderInlinedTypeHandler;`
`93`		`- IDL_Field(boolean) isLocked;`
	`93`	`+ IDL_Field(unsigned char) flags;`
`94`	`94`
`95`	`95`	`IDL_Field(unsigned short) inlineSlotCapacity;`
`96`	`96`	`IDL_Field(unsigned short) offsetOfInlineSlots;`
Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,7 @@ namespace Js`
`139`	`139`	`PropertyString* propertyString = scriptContext->GetPropertyString(*propertyId);`
`140`	`140`	`*propertyStringName = propertyString;`
`141`	`141`	`T dataSlot = descriptor.template GetDataPropertyIndex<false>();`
`142`		`- if (dataSlot != NoSlots && (attribs & PropertyWritable))`
	`142`	`+ if (dataSlot != NoSlots && (attribs & PropertyWritable) && type == typeToEnumerate)`
`143`	`143`	`{`
`144`	`144`	`PropertyValueInfo::SetCacheInfo(info, propertyString, propertyString->GetLdElemInlineCache(), false);`
`145`	`145`	`SetPropertyValueInfo(info, instance, dataSlot, &descriptor);`