[MERGE #5433 @VSadov] Fixing possible overflow in BoundFunction::NewInstance.

VSadov · VSadov · commit b9f60df00fd1 · 2018-07-09T14:27:42.000-07:00
Merge pull request #5433 from VSadov:oacr1 Not sure if the possibility is practically reachable, but the static checker complains about a possible overflow. We allocate an extra element in `newValues` based only on `CallFlags_ExtraArg` flag. Therefore we should be consistent when writing to that element. `args.HasExtraArg` looks at more flags and, in theory, could result in writing to an element that does not exist. That seems to be making OACR unhappy. Fixes: OS:#17999665 Fixes: OS:#18010300
diff --git a/lib/Runtime/Base/CallInfo.cpp b/lib/Runtime/Base/CallInfo.cpp
@@ -16,7 +16,7 @@ namespace Js
     {
         AssertOrFailFastMsg(count < Constants::UShortMaxValue - 1, "ArgList too large");
         ArgSlot argSlotCount = (ArgSlot)count;
-        if (flags & CallFlags_ExtraArg)
+        if (CallInfo::HasExtraArg(flags))
         {
             argSlotCount++;
         }
@@ -25,7 +25,7 @@ namespace Js
 
     uint CallInfo::GetLargeArgCountWithExtraArgs(CallFlags flags, uint count)
     {
-        if (flags & CallFlags_ExtraArg)
+        if (CallInfo::HasExtraArg(flags))
         {
             UInt32Math::Inc(count);
         }
@@ -35,7 +35,7 @@ namespace Js
     ArgSlot CallInfo::GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count)
     {
         ArgSlot newCount = count;
-        if (flags & Js::CallFlags_ExtraArg)
+        if (CallInfo::HasExtraArg(flags))
         {
             if (count == 0)
             {
diff --git a/lib/Runtime/Base/CallInfo.h b/lib/Runtime/Base/CallInfo.h
@@ -77,7 +77,7 @@ namespace Js
 
         bool HasExtraArg() const
         {
-            return (this->Flags & CallFlags_ExtraArg) || this->HasNewTarget();
+            return  CallInfo::HasExtraArg(this->Flags);
         }
 
         bool HasNewTarget() const
@@ -91,6 +91,15 @@ namespace Js
 
         static ArgSlot GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count);
 
+        static bool HasExtraArg(CallFlags flags)
+        {
+            // Generally HasNewTarget should not be true if CallFlags_ExtraArg is not set.
+            Assert(!CallInfo::HasNewTarget(flags) || flags & CallFlags_ExtraArg);
+
+            // we will still check HasNewTarget to be safe in case if above invariant does not hold.
+            return (flags & CallFlags_ExtraArg) || CallInfo::HasNewTarget(flags);
+        }
+
         static bool HasNewTarget(CallFlags flags)
         {
             return (flags & CallFlags_NewTarget) == CallFlags_NewTarget;

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ namespace Js`
`16`	`16`	`{`
`17`	`17`	`AssertOrFailFastMsg(count < Constants::UShortMaxValue - 1, "ArgList too large");`
`18`	`18`	`ArgSlot argSlotCount = (ArgSlot)count;`
`19`		`- if (flags & CallFlags_ExtraArg)`
	`19`	`+ if (CallInfo::HasExtraArg(flags))`
`20`	`20`	`{`
`21`	`21`	`argSlotCount++;`
`22`	`22`	`}`
`@@ -25,7 +25,7 @@ namespace Js`
`25`	`25`
`26`	`26`	`uint CallInfo::GetLargeArgCountWithExtraArgs(CallFlags flags, uint count)`
`27`	`27`	`{`
`28`		`- if (flags & CallFlags_ExtraArg)`
	`28`	`+ if (CallInfo::HasExtraArg(flags))`
`29`	`29`	`{`
`30`	`30`	`UInt32Math::Inc(count);`
`31`	`31`	`}`
`@@ -35,7 +35,7 @@ namespace Js`
`35`	`35`	`ArgSlot CallInfo::GetArgCountWithoutExtraArgs(CallFlags flags, ArgSlot count)`
`36`	`36`	`{`
`37`	`37`	`ArgSlot newCount = count;`
`38`		`- if (flags & Js::CallFlags_ExtraArg)`
	`38`	`+ if (CallInfo::HasExtraArg(flags))`
`39`	`39`	`{`
`40`	`40`	`if (count == 0)`
`41`	`41`	`{`