[1.11>master] [MERGE #6279 @MikeHolman] September 2019 Security Update

MikeHolman · MikeHolman · commit 8595cce58fbc · 2019-09-10T17:58:49.000-07:00
Merge pull request #6279 from MikeHolman:servicing/1909 September 2019 Security Update that addresses the following issues in ChakraCore: CVE-2019-1138 CVE-2019-1217 CVE-2019-1237 CVE-2019-1298 CVE-2019-1300
diff --git a/.gitignore b/.gitignore
@@ -39,11 +39,7 @@ build_*.log
 build_*.wrn
 Build/ipch/
 Build/swum-cache.txt
-Build/VCBuild.Lite/
-Build/VCBuild.NoJIT/
-Build/VCBuild.SWB/
-Build/VCBuild.ClangCL/
-Build/VCBuild/
+Build/VCBuild*/
 buildchk.*
 buildfre.*
 out/
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
@@ -5636,7 +5636,14 @@ BackwardPass::TrackObjTypeSpecProperties(IR::PropertySymOpnd *opnd, BasicBlock *
                         // Some instr protected by this one requires a monomorphic type check. (E.g., final type opt,
                         // fixed field not loaded from prototype.) Note the IsTypeAvailable test above: only do this at
                         // the initial type check that protects this path.
-                        opnd->SetMonoGuardType(bucket->GetMonoGuardType());
+                        if (!opnd->SetMonoGuardType(bucket->GetMonoGuardType()))
+                        {
+                            // We can't safely check for the required type here. Clear the objtypespec info to disable optimization
+                            // using this inline cache, since there appears to be a mismatch, and re-jit.
+                            // (Dead store pass is too late to generate the bailout points we need to use this type correctly.)
+                            this->currentInstr->m_func->ClearObjTypeSpecFldInfo(opnd->m_inlineCacheIndex);
+                            throw Js::RejitException(RejitReason::FailedEquivalentTypeCheck);
+                        }
                         this->currentInstr->ChangeEquivalentToMonoTypeCheckBailOut();
                     }
                     bucket->SetMonoGuardType(nullptr);
diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -359,6 +359,9 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
             case RejitReason::MemOpDisabled:
                 outputData->disableMemOp = TRUE;
                 break;
+            case RejitReason::FailedEquivalentTypeCheck:
+                // No disable flag. The thrower of the re-jit exception must guarantee that objtypespec is disabled where appropriate.
+                break;
             default:
                 Assume(UNREACHED);
             }
@@ -1531,6 +1534,12 @@ Func::GetObjTypeSpecFldInfo(const uint index) const
     return GetWorkItem()->GetJITTimeInfo()->GetObjTypeSpecFldInfo(index);
 }
 
+void
+Func::ClearObjTypeSpecFldInfo(const uint index)
+{
+    GetWorkItem()->GetJITTimeInfo()->ClearObjTypeSpecFldInfo(index);
+}
+
 ObjTypeSpecFldInfo*
 Func::GetGlobalObjTypeSpecFldInfo(uint propertyInfoId) const
 {
diff --git a/lib/Backend/Func.h b/lib/Backend/Func.h
@@ -560,6 +560,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     Js::Var AllocateNumber(double value);
 
     ObjTypeSpecFldInfo* GetObjTypeSpecFldInfo(const uint index) const;
+    void ClearObjTypeSpecFldInfo(const uint index);
     ObjTypeSpecFldInfo* GetGlobalObjTypeSpecFldInfo(uint propertyInfoId) const;
 
     // Gets an inline cache pointer to use in jitted code. Cached data may not be stable while jitting. Does not return null.
diff --git a/lib/Backend/FunctionJITTimeInfo.cpp b/lib/Backend/FunctionJITTimeInfo.cpp
@@ -336,6 +336,18 @@ FunctionJITTimeInfo::GetObjTypeSpecFldInfo(uint index) const
     return reinterpret_cast<ObjTypeSpecFldInfo *>(m_data.objTypeSpecFldInfoArray[index]);
 }
 
+void
+FunctionJITTimeInfo::ClearObjTypeSpecFldInfo(uint index)
+{
+    if (m_data.objTypeSpecFldInfoArray == nullptr)
+    {
+        return;
+    }
+    AssertOrFailFast(index < m_data.objTypeSpecFldInfoCount);
+
+    m_data.objTypeSpecFldInfoArray[index] = nullptr;
+}
+
 ObjTypeSpecFldInfo *
 FunctionJITTimeInfo::GetGlobalObjTypeSpecFldInfo(uint index) const
 {
diff --git a/lib/Backend/FunctionJITTimeInfo.h b/lib/Backend/FunctionJITTimeInfo.h
@@ -40,6 +40,7 @@ class FunctionJITTimeInfo
     const BVFixed * GetInlineesBV() const;
     const FunctionJITTimeInfo * GetJitTimeDataFromFunctionInfoAddr(intptr_t polyFuncInfo) const;
     ObjTypeSpecFldInfo * GetObjTypeSpecFldInfo(uint index) const;
+    void ClearObjTypeSpecFldInfo(uint index);
     ObjTypeSpecFldInfo * GetGlobalObjTypeSpecFldInfo(uint index) const;
     uint GetGlobalObjTypeSpecFldInfoCount() const;
     const FunctionJITRuntimeInfo * GetInlineeForTargetInlineeRuntimeData(const Js::ProfileId profiledCallSiteId, intptr_t inlineeFuncBodyAddr) const;
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -1182,6 +1182,10 @@ void GlobOpt::InsertValueCompensation(
     IR::Instr *insertBeforeInstr = predecessor->GetLastInstr();
     Func *const func = insertBeforeInstr->m_func;
     bool setLastInstrInPredecessor;
+    // If this is a loop back edge, and the successor has been completed, don't attempt to update its block data.
+    // The update is unnecessary, and the data has likely been freed.
+    bool updateSuccessorBlockData = !this->isPerformingLoopBackEdgeCompensation || successor->GetDataUseCount() > 0;
+
     if(insertBeforeInstr->IsBranchInstr() || insertBeforeInstr->m_opcode == Js::OpCode::BailTarget)
     {
         // Don't insert code between the branch and the corresponding ByteCodeUses instructions
@@ -1272,29 +1276,33 @@ void GlobOpt::InsertValueCompensation(
             // Merge the head segment length value
             Assert(predecessorBlockData.liveVarSyms->Test(predecessorHeadSegmentLengthSym->m_id));
             predecessorBlockData.liveVarSyms->Set(mergedHeadSegmentLengthSym->m_id);
-            successorBlockData.liveVarSyms->Set(mergedHeadSegmentLengthSym->m_id);
             Value *const predecessorHeadSegmentLengthValue =
                 predecessorBlockData.FindValue(predecessorHeadSegmentLengthSym);
             Assert(predecessorHeadSegmentLengthValue);
             predecessorBlockData.SetValue(predecessorHeadSegmentLengthValue, mergedHeadSegmentLengthSym);
-            Value *const mergedHeadSegmentLengthValue = successorBlockData.FindValue(mergedHeadSegmentLengthSym);
-            if(mergedHeadSegmentLengthValue)
+
+            if (updateSuccessorBlockData)
             {
-                Assert(mergedHeadSegmentLengthValue->GetValueNumber() != predecessorHeadSegmentLengthValue->GetValueNumber());
-                if(predecessorHeadSegmentLengthValue->GetValueInfo() != mergedHeadSegmentLengthValue->GetValueInfo())
+                successorBlockData.liveVarSyms->Set(mergedHeadSegmentLengthSym->m_id);
+                Value *const mergedHeadSegmentLengthValue = successorBlockData.FindValue(mergedHeadSegmentLengthSym);
+                if(mergedHeadSegmentLengthValue)
                 {
-                    mergedHeadSegmentLengthValue->SetValueInfo(
-                        ValueInfo::MergeLikelyIntValueInfo(
-                            this->alloc,
-                            mergedHeadSegmentLengthValue,
-                            predecessorHeadSegmentLengthValue,
-                            mergedHeadSegmentLengthValue->GetValueInfo()->Type()
-                                .Merge(predecessorHeadSegmentLengthValue->GetValueInfo()->Type())));
+                    Assert(mergedHeadSegmentLengthValue->GetValueNumber() != predecessorHeadSegmentLengthValue->GetValueNumber());
+                    if(predecessorHeadSegmentLengthValue->GetValueInfo() != mergedHeadSegmentLengthValue->GetValueInfo())
+                    {
+                        mergedHeadSegmentLengthValue->SetValueInfo(
+                            ValueInfo::MergeLikelyIntValueInfo(
+                                this->alloc,
+                                mergedHeadSegmentLengthValue,
+                                predecessorHeadSegmentLengthValue,
+                                mergedHeadSegmentLengthValue->GetValueInfo()->Type()
+                                    .Merge(predecessorHeadSegmentLengthValue->GetValueInfo()->Type())));
+                    }
+                }
+                else
+                {
+                    successorBlockData.SetValue(CopyValue(predecessorHeadSegmentLengthValue), mergedHeadSegmentLengthSym);
                 }
-            }
-            else
-            {
-                successorBlockData.SetValue(CopyValue(predecessorHeadSegmentLengthValue), mergedHeadSegmentLengthSym);
             }
         }
 
@@ -1315,27 +1323,31 @@ void GlobOpt::InsertValueCompensation(
             // Merge the length value
             Assert(predecessorBlockData.liveVarSyms->Test(predecessorLengthSym->m_id));
             predecessorBlockData.liveVarSyms->Set(mergedLengthSym->m_id);
-            successorBlockData.liveVarSyms->Set(mergedLengthSym->m_id);
             Value *const predecessorLengthValue = predecessorBlockData.FindValue(predecessorLengthSym);
             Assert(predecessorLengthValue);
             predecessorBlockData.SetValue(predecessorLengthValue, mergedLengthSym);
-            Value *const mergedLengthValue = successorBlockData.FindValue(mergedLengthSym);
-            if(mergedLengthValue)
+
+            if (updateSuccessorBlockData)
             {
-                Assert(mergedLengthValue->GetValueNumber() != predecessorLengthValue->GetValueNumber());
-                if(predecessorLengthValue->GetValueInfo() != mergedLengthValue->GetValueInfo())
+                successorBlockData.liveVarSyms->Set(mergedLengthSym->m_id);
+                Value *const mergedLengthValue = successorBlockData.FindValue(mergedLengthSym);
+                if(mergedLengthValue)
                 {
-                    mergedLengthValue->SetValueInfo(
-                        ValueInfo::MergeLikelyIntValueInfo(
-                            this->alloc,
-                            mergedLengthValue,
-                            predecessorLengthValue,
-                            mergedLengthValue->GetValueInfo()->Type().Merge(predecessorLengthValue->GetValueInfo()->Type())));
+                    Assert(mergedLengthValue->GetValueNumber() != predecessorLengthValue->GetValueNumber());
+                    if(predecessorLengthValue->GetValueInfo() != mergedLengthValue->GetValueInfo())
+                    {
+                        mergedLengthValue->SetValueInfo(
+                            ValueInfo::MergeLikelyIntValueInfo(
+                                this->alloc,
+                                mergedLengthValue,
+                                predecessorLengthValue,
+                                mergedLengthValue->GetValueInfo()->Type().Merge(predecessorLengthValue->GetValueInfo()->Type())));
+                    }
+                }
+                else
+                {
+                    successorBlockData.SetValue(CopyValue(predecessorLengthValue), mergedLengthSym);
                 }
-            }
-            else
-            {
-                successorBlockData.SetValue(CopyValue(predecessorLengthValue), mergedLengthSym);
             }
         }
 
@@ -2116,6 +2128,7 @@ bool GlobOpt::CollectMemcopyStElementI(IR::Instr *instr, Loop *loop)
 
     // Consider: Can we remove the count field?
     memcopyInfo->count++;
+    AssertOrFailFast(memcopyInfo->count <= 1);
     memcopyInfo->base = baseSymID;
 
     return true;
@@ -2277,6 +2290,7 @@ GlobOpt::CollectMemOpInfo(IR::Instr *instrBegin, IR::Instr *instr, Value *src1Va
                     {
                         inductionVariableChangeInfo.unroll++;
                     }
+                    
                     inductionVariableChangeInfo.isIncremental = isIncr;
                     loop->memOpInfo->inductionVariableChangeInfoMap->Item(inductionSymID, inductionVariableChangeInfo);
                     if (sym->m_id != inductionSymID)
@@ -17007,6 +17021,7 @@ GlobOpt::GetOrGenerateLoopCountForMemOp(Loop *loop)
 IR::Opnd *
 GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::Instr *insertBeforeInstr)
 {
+    AssertOrFailFast(unroll != Js::Constants::InvalidLoopUnrollFactor);
     LoopCount *loopCount = loop->loopCount;
     IR::Opnd *sizeOpnd = nullptr;
     Assert(loopCount);
diff --git a/lib/Backend/Opnd.h b/lib/Backend/Opnd.h
@@ -801,9 +801,17 @@ class PropertySymOpnd sealed : public SymOpnd
         return this->monoGuardType;
     }
 
-    void SetMonoGuardType(JITTypeHolder type)
+    bool SetMonoGuardType(JITTypeHolder type)
     {
+        if (!(this->monoGuardType == nullptr || this->monoGuardType == type) ||
+            !((HasEquivalentTypeSet() && GetEquivalentTypeSet()->Contains(type)) ||
+              (!HasEquivalentTypeSet() && GetType() == type)))
+        {
+            // Required type is not in the available set, or we already set the type to something else. Inform the caller.
+            return false;
+        }
         this->monoGuardType = type;
+        return true;
     }
 
     bool NeedsMonoCheck() const
diff --git a/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h b/lib/Runtime/ByteCode/ByteCodeCacheReleaseFileVersion.h
@@ -5,6 +5,6 @@
 // NOTE: If there is a merge conflict the correct fix is to make a new GUID.
 // This file was generated with tools\update_bytecode_version.ps1
 
-// {3096A219-129D-4A4A-A61C-186D03BB25B7}
+// {81AEEA4B-AE4E-40C0-848F-6DB7C5F49F55}
 const GUID byteCodeCacheReleaseFileVersion =
-{ 0x3096a219, 0x129d, 0x4a4a, { 0xa6, 0x1c, 0x18, 0x6d, 0x3, 0xbb, 0x25, 0xb7 } };
+{ 0x81AEEA4B, 0xAE4E, 0x40C0, { 0x84, 0x8F, 0x6D, 0xB7, 0xC5, 0xF4, 0x9F, 0x55 } };
diff --git a/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js b/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js
@@ -13,6 +13,14 @@
     var Symbol = platform.Symbol;
     var CreateObject = platform.builtInJavascriptObjectEntryCreate;
 
+    let FunctionsEnum = {
+        ArrayValues: setPrototype({ className: "Array", methodName: "values", argumentsCount: 0, forceInline: true /*optional*/, alias: "Symbol.iterator" }, null),
+        ArrayKeys: setPrototype({ className: "Array", methodName: "keys", argumentsCount: 0, forceInline: true /*optional*/ }, null),
+        ArrayEntries: setPrototype({ className: "Array", methodName: "entries", argumentsCount: 0, forceInline: true /*optional*/ }, null),
+        ArrayIndexOf: setPrototype({ className: "Array", methodName: "indexOf", argumentsCount: 1, forceInline: true /*optional*/ }, null),
+        ArrayFilter: setPrototype({ className: "Array", methodName: "filter", argumentsCount: 1, forceInline: true /*optional*/ }, null),
+    };
+
     platform.registerChakraLibraryFunction("ArrayIterator", function (arrayObj, iterationKind) {
         __chakraLibrary.InitInternalProperties(this, 4, "__$arrayObj$__", "__$nextIndex$__", "__$kind$__", "__$internalDone$__");
         this.__$arrayObj$__ = arrayObj;
diff --git a/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.bc.32b.h b/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.bc.32b.h
diff --git a/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.bc.64b.h b/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.bc.64b.h
diff --git a/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.nojit.bc.32b.h b/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.nojit.bc.32b.h
diff --git a/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.nojit.bc.64b.h b/lib/Runtime/Library/JsBuiltIn/JsBuiltIn.js.nojit.bc.64b.h

Original file line number	Diff line number	Diff line change
`@@ -801,9 +801,17 @@ class PropertySymOpnd sealed : public SymOpnd`
`801`	`801`	`return this->monoGuardType;`
`802`	`802`	`}`
`803`	`803`
`804`		`- void SetMonoGuardType(JITTypeHolder type)`
	`804`	`+ bool SetMonoGuardType(JITTypeHolder type)`
`805`	`805`	`{`
	`806`	`+ if (!(this->monoGuardType == nullptr \|\| this->monoGuardType == type) \|\|`
	`807`	`+ !((HasEquivalentTypeSet() && GetEquivalentTypeSet()->Contains(type)) \|\|`
	`808`	`+ (!HasEquivalentTypeSet() && GetType() == type)))`
	`809`	`+ {`
	`810`	`+ // Required type is not in the available set, or we already set the type to something else. Inform the caller.`
	`811`	`+ return false;`
	`812`	`+ }`
`806`	`813`	`this->monoGuardType = type;`
	`814`	`+ return true;`
`807`	`815`	`}`
`808`	`816`
`809`	`817`	`bool NeedsMonoCheck() const`