[MERGE #6196 @atulkatti] ChakraCore servicing update for July, 2019

atulkatti · atulkatti · commit 75162b7f2d8a · 2019-07-09T12:12:14.000-07:00
Merge pull request #6196 from atulkatti:servicing/1907 This release addresses the following issues: CVE-2019-1001 CVE-2019-1062 CVE-2019-1092 CVE-2019-1103 CVE-2019-1106 CVE-2019-1107
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.10
+1.11.11
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
@@ -4151,13 +4151,17 @@ BackwardPass::UpdateImplicitCallBailOutKind(IR::Instr *const instr, bool needsBa
 
     IR::BailOutKind implicitCallBailOutKind = needsBailOutOnImplicitCall ? IR::BailOutOnImplicitCalls : IR::BailOutInvalid;
 
-    const IR::BailOutKind instrBailOutKind = instr->GetBailOutKind();
+    IR::BailOutKind instrBailOutKind = instr->GetBailOutKind();
     if (instrBailOutKind & IR::BailOutMarkTempObject)
     {
-        // Don't remove the implicit call pre op bailout for mark temp object
         // Remove the mark temp object bit, as we don't need it after the dead store pass
-        instr->SetBailOutKind(instrBailOutKind & ~IR::BailOutMarkTempObject);
-        return true;
+        instrBailOutKind &= ~IR::BailOutMarkTempObject;
+        instr->SetBailOutKind(instrBailOutKind);
+
+        if (!instr->GetBailOutInfo()->canDeadStore)
+        {
+            return true;
+        }
     }
 
     const IR::BailOutKind instrImplicitCallBailOutKind = instrBailOutKind & ~IR::BailOutKindBits;
diff --git a/lib/Backend/BailOut.h b/lib/Backend/BailOut.h
@@ -27,7 +27,7 @@ class BailOutInfo
     BailOutInfo(uint32 bailOutOffset, Func* bailOutFunc) :
         bailOutOffset(bailOutOffset), bailOutFunc(bailOutFunc),
         byteCodeUpwardExposedUsed(nullptr), polymorphicCacheIndex((uint)-1), startCallCount(0), startCallInfo(nullptr), bailOutInstr(nullptr),
-        totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false),
+        totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false), canDeadStore(true),
         outParamInlinedArgSlot(nullptr), liveVarSyms(nullptr), liveLosslessInt32Syms(nullptr), liveFloat64Syms(nullptr),
         branchConditionOpnd(nullptr),
         stackLiteralBailOutInfoCount(0), stackLiteralBailOutInfo(nullptr)
@@ -69,6 +69,7 @@ class BailOutInfo
 #endif
     bool wasCloned;
     bool isInvertedBranch;
+    bool canDeadStore;
     bool sharedBailOutKind;
     bool isLoopTopBailOutInfo;
 
diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -345,6 +345,9 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
             case RejitReason::TrackIntOverflowDisabled:
                 outputData->disableTrackCompoundedIntOverflow = TRUE;
                 break;
+            case RejitReason::MemOpDisabled:
+                outputData->disableMemOp = TRUE;
+                break;
             default:
                 Assume(UNREACHED);
             }
@@ -1124,6 +1127,12 @@ Func::IsTrackCompoundedIntOverflowDisabled() const
     return (HasProfileInfo() && GetReadOnlyProfileInfo()->IsTrackCompoundedIntOverflowDisabled()) || m_output.IsTrackCompoundedIntOverflowDisabled();
 }
 
+bool
+Func::IsMemOpDisabled() const
+{
+    return (HasProfileInfo() && GetReadOnlyProfileInfo()->IsMemOpDisabled()) || m_output.IsMemOpDisabled();
+}
+
 bool
 Func::IsArrayCheckHoistDisabled() const
 {
diff --git a/lib/Backend/Func.h b/lib/Backend/Func.h
@@ -995,6 +995,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     void SetScopeObjSym(StackSym * sym);
     StackSym * GetScopeObjSym();
     bool IsTrackCompoundedIntOverflowDisabled() const;
+    bool IsMemOpDisabled() const;
     bool IsArrayCheckHoistDisabled() const;
     bool IsStackArgOptDisabled() const;
     bool IsSwitchOptDisabled() const;
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -2624,7 +2624,7 @@ GlobOpt::OptInstr(IR::Instr *&instr, bool* isInstrRemoved)
         !(instr->IsJitProfilingInstr()) &&
         this->currentBlock->loop && !IsLoopPrePass() &&
         !func->IsJitInDebugMode() &&
-        (func->HasProfileInfo() && !func->GetReadOnlyProfileInfo()->IsMemOpDisabled()) &&
+        !func->IsMemOpDisabled() &&
         this->currentBlock->loop->doMemOp)
     {
         CollectMemOpInfo(instrPrev, instr, src1Val, src2Val);
@@ -16531,6 +16531,7 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn
         if (instr->HasBailOutInfo())
         {
             instr->SetBailOutKind(instr->GetBailOutKind() | IR::BailOutMarkTempObject);
+            instr->GetBailOutInfo()->canDeadStore = false;
         }
         else
         {
@@ -16540,6 +16541,11 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn
                 || (instr->m_opcode == Js::OpCode::FromVar && !opnd->GetValueType().IsPrimitive())
                 || propertySymOpnd == nullptr
                 || !propertySymOpnd->IsTypeCheckProtected())
+            {
+                this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);
+                instr->GetBailOutInfo()->canDeadStore = false;
+            }
+            else if (propertySymOpnd->MayHaveImplicitCall())
             {
                 this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);
             }
@@ -16680,7 +16686,14 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In
     }
     else
     {
-        uint size = (loopCount->LoopCountMinusOneConstantValue() + 1)  * unroll;
+        int32 loopCountMinusOnePlusOne;
+        int32 size;
+        if (Int32Math::Add(loopCount->LoopCountMinusOneConstantValue(), 1, &loopCountMinusOnePlusOne) ||
+            Int32Math::Mul(loopCountMinusOnePlusOne, unroll, &size))
+        {
+            throw Js::RejitException(RejitReason::MemOpDisabled);
+        }
+        Assert(size > 0);
         sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);
     }
     loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);
diff --git a/lib/Backend/GlobOptBlockData.cpp b/lib/Backend/GlobOptBlockData.cpp
@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(
                 fromDataValueInfo->AsArrayValueInfo(),
                 fromDataSym,
                 symsRequiringCompensation,
-                symsCreatedForMerge);
+                symsCreatedForMerge,
+                isLoopBackEdge);
     }
 
     // Consider: If both values are VarConstantValueInfo with the same value, we could
@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
     const ArrayValueInfo *const fromDataValueInfo,
     Sym *const arraySym,
     BVSparse<JitArenaAllocator> *const symsRequiringCompensation,
-    BVSparse<JitArenaAllocator> *const symsCreatedForMerge)
+    BVSparse<JitArenaAllocator> *const symsCreatedForMerge,
+    bool isLoopBackEdge)
 {
     Assert(mergedValueType.IsAnyOptimizedArray());
     Assert(toDataValueInfo);
@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 // Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.
                 Assert(symsRequiringCompensation);
@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 Assert(symsRequiringCompensation);
                 symsRequiringCompensation->Set(arraySym->m_id);
@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 Assert(symsRequiringCompensation);
                 symsRequiringCompensation->Set(arraySym->m_id);
diff --git a/lib/Backend/GlobOptBlockData.h b/lib/Backend/GlobOptBlockData.h
@@ -264,7 +264,7 @@ class GlobOptBlockData
     Value *                 MergeValues(Value *toDataValue, Value *fromDataValue, Sym *fromDataSym, bool isLoopBackEdge, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
     ValueInfo *             MergeValueInfo(Value *toDataVal, Value *fromDataVal, Sym *fromDataSym, bool isLoopBackEdge, bool sameValueNumber, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
     JsTypeValueInfo *       MergeJsTypeValueInfo(JsTypeValueInfo * toValueInfo, JsTypeValueInfo * fromValueInfo, bool isLoopBackEdge, bool sameValueNumber);
-    ValueInfo *             MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
+    ValueInfo *             MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge, bool isLoopBackEdge);
 
     // Argument Tracking
 public:
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -410,6 +410,14 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
         if (inGlobOpt)
         {
             KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+            if (this->objectTypeSyms)
+            {
+                if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)
+                {
+                    this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);
+                }
+                this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);
+            }
         }
 
         // fall through
diff --git a/lib/Backend/JITOutput.cpp b/lib/Backend/JITOutput.cpp
@@ -65,6 +65,12 @@ JITOutput::IsTrackCompoundedIntOverflowDisabled() const
     return m_outputData->disableTrackCompoundedIntOverflow != FALSE;
 }
 
+bool
+JITOutput::IsMemOpDisabled() const
+{
+    return m_outputData->disableMemOp != FALSE;
+}
+
 bool
 JITOutput::IsArrayCheckHoistDisabled() const
 {
diff --git a/lib/Backend/JITOutput.h b/lib/Backend/JITOutput.h
@@ -22,6 +22,7 @@ class JITOutput
     void RecordXData(BYTE * xdata);
 #endif
     bool IsTrackCompoundedIntOverflowDisabled() const;
+    bool IsMemOpDisabled() const;
     bool IsArrayCheckHoistDisabled() const;
     bool IsStackArgOptDisabled() const;
     bool IsSwitchOptDisabled() const;
diff --git a/lib/Backend/NativeCodeGenerator.cpp b/lib/Backend/NativeCodeGenerator.cpp
@@ -1234,6 +1234,10 @@ NativeCodeGenerator::CodeGen(PageAllocator * pageAllocator, CodeGenWorkItem* wor
         {
             body->GetAnyDynamicProfileInfo()->DisableTrackCompoundedIntOverflow();
         }
+        if (jitWriteData.disableMemOp)
+        {
+            body->GetAnyDynamicProfileInfo()->DisableMemOp();
+        }
     }
 
     if (jitWriteData.disableInlineApply)
diff --git a/lib/Backend/Opnd.cpp b/lib/Backend/Opnd.cpp
@@ -962,7 +962,8 @@ PropertySymOpnd::IsObjectHeaderInlined() const
 bool
 PropertySymOpnd::ChangesObjectLayout() const
 {
-    JITTypeHolder cachedType = this->IsMono() ? this->GetType() : this->GetFirstEquivalentType();
+    JITTypeHolder cachedType = this->HasInitialType() ? this->GetInitialType() : 
+        this->IsMono() ? this->GetType() : this->GetFirstEquivalentType();
 
     JITTypeHolder finalType = this->GetFinalType();
 
@@ -987,13 +988,11 @@ PropertySymOpnd::ChangesObjectLayout() const
         // This is the case where the type transition actually occurs. (This is the only case that's detectable
         // during the loop pre-pass, since final types are not in place yet.)
 
-        Assert(cachedType != nullptr && Js::DynamicType::Is(cachedType->GetTypeId()));
-
-        const JITTypeHandler * cachedTypeHandler = cachedType->GetTypeHandler();
         const JITTypeHandler * initialTypeHandler = initialType->GetTypeHandler();
 
-        return cachedTypeHandler->GetInlineSlotCapacity() != initialTypeHandler->GetInlineSlotCapacity() ||
-            cachedTypeHandler->GetOffsetOfInlineSlots() != initialTypeHandler->GetOffsetOfInlineSlots();
+        // If no final type has been set in the forward pass, then we have no way of knowing how the object shape will evolve here.
+        // If the initial type is object-header-inlined, assume that the layout may change.
+        return initialTypeHandler->IsObjectHeaderInlinedTypeHandler();
     }
 
     return false;
diff --git a/lib/Backend/Opnd.h b/lib/Backend/Opnd.h
@@ -1138,7 +1138,8 @@ class PropertySymOpnd sealed : public SymOpnd
     // fall back on live cache.  Similarly, for fixed method checks.
     bool MayHaveImplicitCall() const
     {
-        return !IsRootObjectNonConfigurableFieldLoad() && !UsesFixedValue() && (!IsTypeCheckSeqCandidate() || !IsTypeCheckProtected());
+        return !IsRootObjectNonConfigurableFieldLoad() && !UsesFixedValue() && (!IsTypeCheckSeqCandidate() || !IsTypeCheckProtected()
+            || (IsLoadedFromProto() && NeedsWriteGuardTypeCheck()));
     }
 
     // Is the instruction involving this operand part of a type check sequence? This is different from IsObjTypeSpecOptimized
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 10
+#define CHAKRA_CORE_PATCH_VERSION 11
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------
diff --git a/lib/JITIDL/JITTypes.h b/lib/JITIDL/JITTypes.h
@@ -838,37 +838,42 @@ typedef struct JITOutputIDL
     boolean disableStackArgOpt;
     boolean disableSwitchOpt;
     boolean disableTrackCompoundedIntOverflow;
-    boolean isInPrereservedRegion;
+    boolean disableMemOp;
 
+    boolean isInPrereservedRegion;
     boolean hasBailoutInstr;
-
     boolean hasJittedStackClosure;
+    IDL_PAD1(0)
 
     unsigned short pdataCount;
     unsigned short xdataSize;
 
     unsigned short argUsedForBranch;
+    IDL_PAD2(1)
 
     int localVarSlotsOffset; // FunctionEntryPointInfo only
+
     int localVarChangedOffset; // FunctionEntryPointInfo only
     unsigned int frameHeight;
 
-
     unsigned int codeSize;
     unsigned int throwMapOffset;
+
     unsigned int throwMapCount;
     unsigned int inlineeFrameOffsetArrayOffset;
-    unsigned int inlineeFrameOffsetArrayCount;
 
+    unsigned int inlineeFrameOffsetArrayCount;
     unsigned int propertyGuardCount;
+
     unsigned int ctorCachesCount;
+    X64_PAD4(2)
 
 #if TARGET_64
     CHAKRA_PTR xdataAddr;
 #elif defined(_M_ARM)
     unsigned int xdataOffset;
 #else
-    X86_PAD4(0)
+    X86_PAD4(3)
 #endif
     CHAKRA_PTR codeAddress;
     CHAKRA_PTR thunkAddress;

Original file line number	Diff line number	Diff line change
`@@ -2624,7 +2624,7 @@ GlobOpt::OptInstr(IR::Instr &instr, bool isInstrRemoved)`
`2624`	`2624`	`!(instr->IsJitProfilingInstr()) &&`
`2625`	`2625`	`this->currentBlock->loop && !IsLoopPrePass() &&`
`2626`	`2626`	`!func->IsJitInDebugMode() &&`
`2627`		`- (func->HasProfileInfo() && !func->GetReadOnlyProfileInfo()->IsMemOpDisabled()) &&`
	`2627`	`+ !func->IsMemOpDisabled() &&`
`2628`	`2628`	`this->currentBlock->loop->doMemOp)`
`2629`	`2629`	`{`
`2630`	`2630`	`CollectMemOpInfo(instrPrev, instr, src1Val, src2Val);`
`@@ -16531,6 +16531,7 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn`
`16531`	`16531`	`if (instr->HasBailOutInfo())`
`16532`	`16532`	`{`
`16533`	`16533`	`instr->SetBailOutKind(instr->GetBailOutKind() \| IR::BailOutMarkTempObject);`
	`16534`	`+ instr->GetBailOutInfo()->canDeadStore = false;`
`16534`	`16535`	`}`
`16535`	`16536`	`else`
`16536`	`16537`	`{`
`@@ -16540,6 +16541,11 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn`
`16540`	`16541`	`\|\| (instr->m_opcode == Js::OpCode::FromVar && !opnd->GetValueType().IsPrimitive())`
`16541`	`16542`	`\|\| propertySymOpnd == nullptr`
`16542`	`16543`	`\|\| !propertySymOpnd->IsTypeCheckProtected())`
	`16544`	`+ {`
	`16545`	`+ this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);`
	`16546`	`+ instr->GetBailOutInfo()->canDeadStore = false;`
	`16547`	`+ }`
	`16548`	`+ else if (propertySymOpnd->MayHaveImplicitCall())`
`16543`	`16549`	`{`
`16544`	`16550`	`this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);`
`16545`	`16551`	`}`
`@@ -16680,7 +16686,14 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In`
`16680`	`16686`	`}`
`16681`	`16687`	`else`
`16682`	`16688`	`{`
`16683`		`- uint size = (loopCount->LoopCountMinusOneConstantValue() + 1) * unroll;`
	`16689`	`+ int32 loopCountMinusOnePlusOne;`
	`16690`	`+ int32 size;`
	`16691`	`+ if (Int32Math::Add(loopCount->LoopCountMinusOneConstantValue(), 1, &loopCountMinusOnePlusOne) \|\|`
	`16692`	`+ Int32Math::Mul(loopCountMinusOnePlusOne, unroll, &size))`
	`16693`	`+ {`
	`16694`	`+ throw Js::RejitException(RejitReason::MemOpDisabled);`
	`16695`	`+ }`
	`16696`	`+ Assert(size > 0);`
`16684`	`16697`	`sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);`
`16685`	`16698`	`}`
`16686`	`16699`	`loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);`
Original file line number	Diff line number	Diff line change
`@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(`
`974`	`974`	`fromDataValueInfo->AsArrayValueInfo(),`
`975`	`975`	`fromDataSym,`
`976`	`976`	`symsRequiringCompensation,`
`977`		`- symsCreatedForMerge);`
	`977`	`+ symsCreatedForMerge,`
	`978`	`+ isLoopBackEdge);`
`978`	`979`	`}`
`979`	`980`
`980`	`981`	`// Consider: If both values are VarConstantValueInfo with the same value, we could`
`@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1072`	`1073`	`const ArrayValueInfo *const fromDataValueInfo,`
`1073`	`1074`	`Sym *const arraySym,`
`1074`	`1075`	`BVSparse<JitArenaAllocator> *const symsRequiringCompensation,`
`1075`		`- BVSparse<JitArenaAllocator> *const symsCreatedForMerge)`
	`1076`	`+ BVSparse<JitArenaAllocator> *const symsCreatedForMerge,`
	`1077`	`+ bool isLoopBackEdge)`
`1076`	`1078`	`{`
`1077`	`1079`	`Assert(mergedValueType.IsAnyOptimizedArray());`
`1078`	`1080`	`Assert(toDataValueInfo);`
`@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1095`	`1097`	`}`
`1096`	`1098`	`else`
`1097`	`1099`	`{`
`1098`		`- if (!this->globOpt->IsLoopPrePass())`
	`1100`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1099`	`1101`	`{`
`1100`	`1102`	`// Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.`
`1101`	`1103`	`Assert(symsRequiringCompensation);`
`@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1123`	`1125`	`}`
`1124`	`1126`	`else`
`1125`	`1127`	`{`
`1126`		`- if (!this->globOpt->IsLoopPrePass())`
	`1128`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1127`	`1129`	`{`
`1128`	`1130`	`Assert(symsRequiringCompensation);`
`1129`	`1131`	`symsRequiringCompensation->Set(arraySym->m_id);`
`@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1150`	`1152`	`}`
`1151`	`1153`	`else`
`1152`	`1154`	`{`
`1153`		`- if (!this->globOpt->IsLoopPrePass())`
	`1155`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1154`	`1156`	`{`
`1155`	`1157`	`Assert(symsRequiringCompensation);`
`1156`	`1158`	`symsRequiringCompensation->Set(arraySym->m_id);`
Original file line number	Diff line number	Diff line change
`@@ -410,6 +410,14 @@ GlobOpt::ProcessFieldKills(IR::Instr instr, BVSparse<JitArenaAllocator> bv, bo`
`410`	`410`	`if (inGlobOpt)`
`411`	`411`	`{`
`412`	`412`	`KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);`
	`413`	`+ if (this->objectTypeSyms)`
	`414`	`+ {`
	`415`	`+ if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)`
	`416`	`+ {`
	`417`	`+ this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);`
	`418`	`+ }`
	`419`	`+ this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);`
	`420`	`+ }`
`413`	`421`	`}`
`414`	`422`
`415`	`423`	`// fall through`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,12 @@ JITOutput::IsTrackCompoundedIntOverflowDisabled() const`
`65`	`65`	`return m_outputData->disableTrackCompoundedIntOverflow != FALSE;`
`66`	`66`	`}`
`67`	`67`
	`68`	`+bool`
	`69`	`+JITOutput::IsMemOpDisabled() const`
	`70`	`+{`
	`71`	`+ return m_outputData->disableMemOp != FALSE;`
	`72`	`+}`
	`73`	`+`
`68`	`74`	`bool`
`69`	`75`	`JITOutput::IsArrayCheckHoistDisabled() const`
`70`	`76`	`{`