[MERGE #5292 @rajatd] Catching typed array OOB AVs coming from stack allocated functions. OS #17785360

rajatd · rajatd · commit af35f2690756 · 2018-06-11T16:42:13.000-07:00
Merge pull request #5292 from rajatd:stackfuncAV
diff --git a/lib/Runtime/Library/JavascriptFunction.cpp b/lib/Runtime/Library/JavascriptFunction.cpp
@@ -1905,12 +1905,11 @@ void __cdecl _alloca_probe_16()
             RecyclerHeapObjectInfo heapObject;
             Recycler* recycler = threadContext->GetRecycler();
 
-            bool isFuncObjHeapAllocated = recycler->FindHeapObject(func, FindHeapObjectFlags_NoFlags, heapObject); // recheck if this needs to be removed
             bool isEntryPointHeapAllocated = recycler->FindHeapObject(func->GetEntryPointInfo(), FindHeapObjectFlags_NoFlags, heapObject);
             bool isFunctionBodyHeapAllocated = recycler->FindHeapObject(func->GetFunctionBody(), FindHeapObjectFlags_NoFlags, heapObject);
 
             // ensure that all our objects are heap allocated
-            if (!(isFuncObjHeapAllocated && isEntryPointHeapAllocated && isFunctionBodyHeapAllocated))
+            if (!(isEntryPointHeapAllocated && isFunctionBodyHeapAllocated))
             {
                 return nullptr;
             }
diff --git a/test/Bugs/bug17785360.js b/test/Bugs/bug17785360.js
@@ -0,0 +1,25 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+arr = new Uint8Array(0x40000);
+var obj = {x : 1.1};
+function test2()
+{
+    return obj.x;
+}
+function test()
+{
+    function test1()
+    {
+        for(var i=0; i < arr.length; i++)
+        {
+            arr[i] = arr[i+1] = arr[i+2] = Math.floor(test2() / 4294967295 * 128), arr[i + 3] = 255;
+        }
+    }
+    test1(arr);
+}
+
+test();
+print("passed");
diff --git a/test/Bugs/rlexe.xml b/test/Bugs/rlexe.xml
@@ -484,4 +484,9 @@
       <compile-flags>-forceNative -forcejitloopbody -off:aggressiveinttypespec -off:ArrayCheckHoist</compile-flags> 
     </default> 
   </test> 
+  <test>
+    <default>
+      <files>bug17785360.js</files>
+    </default>
+  </test> 
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -1905,12 +1905,11 @@ void __cdecl _alloca_probe_16()`
`1905`	`1905`	`RecyclerHeapObjectInfo heapObject;`
`1906`	`1906`	`Recycler* recycler = threadContext->GetRecycler();`
`1907`	`1907`
`1908`		`- bool isFuncObjHeapAllocated = recycler->FindHeapObject(func, FindHeapObjectFlags_NoFlags, heapObject); // recheck if this needs to be removed`
`1909`	`1908`	`bool isEntryPointHeapAllocated = recycler->FindHeapObject(func->GetEntryPointInfo(), FindHeapObjectFlags_NoFlags, heapObject);`
`1910`	`1909`	`bool isFunctionBodyHeapAllocated = recycler->FindHeapObject(func->GetFunctionBody(), FindHeapObjectFlags_NoFlags, heapObject);`
`1911`	`1910`
`1912`	`1911`	`// ensure that all our objects are heap allocated`
`1913`		`- if (!(isFuncObjHeapAllocated && isEntryPointHeapAllocated && isFunctionBodyHeapAllocated))`
	`1912`	`+ if (!(isEntryPointHeapAllocated && isFunctionBodyHeapAllocated))`
`1914`	`1913`	`{`
`1915`	`1914`	`return nullptr;`
`1916`	`1915`	`}`