[MERGE #5395 @paolosevMSFT] OS#17614914 - SCCLiveness::ProcessStackSymUse lifetime nullptr deref

paolosevMSFT · paolosevMSFT · commit 5ec0ca7f78c5 · 2018-06-29T15:25:16.000-07:00
Merge pull request #5395 from paolosevMSFT:17614914 In bug 17614914 JIT is causing a bad code gen, but the root problem is that with a script like: ``` Object.prototype.length = undefined; var ary = new Array(); var func0 = function() { for (var _strvar2 in ary) { console.log(_strvar2); } }; func0(); ``` a built-in property like Array.length should not be enumerated even if it is defined in Object.prototype. This PR fixes this problem by ignoring the builtin properties in ForInObjectEnumerator::MoveAndGetNext().
diff --git a/lib/Runtime/Library/ForInObjectEnumerator.cpp b/lib/Runtime/Library/ForInObjectEnumerator.cpp
@@ -210,6 +210,8 @@ namespace Js
                     return nullptr;
                 }
 
+                RecyclableObject* previousObject = this->shadowData->currentObject;
+
                 RecyclableObject * object;
                 if (!this->enumeratingPrototype)
                 {
@@ -249,6 +251,21 @@ namespace Js
                     }
                 }
                 while (true);
+
+                // Ignore special properties (ex: Array.length)
+                if (previousObject != nullptr)
+                {
+                    uint specialPropertyCount = previousObject->GetSpecialPropertyCount();
+                    if (specialPropertyCount > 0)
+                    {
+                        PropertyId const* specialPropertyIds = previousObject->GetSpecialPropertyIds();
+                        Assert(specialPropertyIds != nullptr);
+                        for (uint i = 0; i < specialPropertyCount; i++)
+                        {
+                            TestAndSetEnumerated(specialPropertyIds[i]);
+                        }
+                    }
+                }
             }
         }
     }
diff --git a/test/Bugs/bug_OS17614914.js b/test/Bugs/bug_OS17614914.js
@@ -0,0 +1,18 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+Object.prototype.length = undefined;
+var ary = Array();
+ary.prop1 = 1;
+Object.defineProperty(ary, "prop2", {
+    value: 1,
+    enumerable: false
+});
+for (var prop in ary) {
+    if (prop !== "prop1") {
+        console.log(`Fail: ${prop} property should not show in for-in`);
+    }
+}
+console.log("pass");
diff --git a/test/Bugs/rlexe.xml b/test/Bugs/rlexe.xml
@@ -501,4 +501,9 @@
       <files>withSplitScope.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug_OS17614914.js</files>
+    </default>
+  </test>  
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,8 @@ namespace Js`
`210`	`210`	`return nullptr;`
`211`	`211`	`}`
`212`	`212`
	`213`	`+ RecyclableObject* previousObject = this->shadowData->currentObject;`
	`214`	`+`
`213`	`215`	`RecyclableObject * object;`
`214`	`216`	`if (!this->enumeratingPrototype)`
`215`	`217`	`{`
`@@ -249,6 +251,21 @@ namespace Js`
`249`	`251`	`}`
`250`	`252`	`}`
`251`	`253`	`while (true);`
	`254`	`+`
	`255`	`+ // Ignore special properties (ex: Array.length)`
	`256`	`+ if (previousObject != nullptr)`
	`257`	`+ {`
	`258`	`+ uint specialPropertyCount = previousObject->GetSpecialPropertyCount();`
	`259`	`+ if (specialPropertyCount > 0)`
	`260`	`+ {`
	`261`	`+ PropertyId const* specialPropertyIds = previousObject->GetSpecialPropertyIds();`
	`262`	`+ Assert(specialPropertyIds != nullptr);`
	`263`	`+ for (uint i = 0; i < specialPropertyCount; i++)`
	`264`	`+ {`
	`265`	`+ TestAndSetEnumerated(specialPropertyIds[i]);`
	`266`	`+ }`
	`267`	`+ }`
	`268`	`+ }`
`252`	`269`	`}`
`253`	`270`	`}`
`254`	`271`	`}`