[CVE-2019-1092] Chakra JIT OOB R/W

MikeHolman · atulkatti · commit d4e767fb9461 · 2019-07-01T12:08:48.000-07:00
diff --git a/lib/Backend/GlobOptBlockData.cpp b/lib/Backend/GlobOptBlockData.cpp
@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(
                 fromDataValueInfo->AsArrayValueInfo(),
                 fromDataSym,
                 symsRequiringCompensation,
-                symsCreatedForMerge);
+                symsCreatedForMerge,
+                isLoopBackEdge);
     }
 
     // Consider: If both values are VarConstantValueInfo with the same value, we could
@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
     const ArrayValueInfo *const fromDataValueInfo,
     Sym *const arraySym,
     BVSparse<JitArenaAllocator> *const symsRequiringCompensation,
-    BVSparse<JitArenaAllocator> *const symsCreatedForMerge)
+    BVSparse<JitArenaAllocator> *const symsCreatedForMerge,
+    bool isLoopBackEdge)
 {
     Assert(mergedValueType.IsAnyOptimizedArray());
     Assert(toDataValueInfo);
@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 // Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.
                 Assert(symsRequiringCompensation);
@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 Assert(symsRequiringCompensation);
                 symsRequiringCompensation->Set(arraySym->m_id);
@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(
         }
         else
         {
-            if (!this->globOpt->IsLoopPrePass())
+            if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)
             {
                 Assert(symsRequiringCompensation);
                 symsRequiringCompensation->Set(arraySym->m_id);
diff --git a/lib/Backend/GlobOptBlockData.h b/lib/Backend/GlobOptBlockData.h
@@ -264,7 +264,7 @@ class GlobOptBlockData
     Value *                 MergeValues(Value *toDataValue, Value *fromDataValue, Sym *fromDataSym, bool isLoopBackEdge, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
     ValueInfo *             MergeValueInfo(Value *toDataVal, Value *fromDataVal, Sym *fromDataSym, bool isLoopBackEdge, bool sameValueNumber, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
     JsTypeValueInfo *       MergeJsTypeValueInfo(JsTypeValueInfo * toValueInfo, JsTypeValueInfo * fromValueInfo, bool isLoopBackEdge, bool sameValueNumber);
-    ValueInfo *             MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge);
+    ValueInfo *             MergeArrayValueInfo(const ValueType mergedValueType, const ArrayValueInfo *const toDataValueInfo, const ArrayValueInfo *const fromDataValueInfo, Sym *const arraySym, BVSparse<JitArenaAllocator> *const symsRequiringCompensation, BVSparse<JitArenaAllocator> *const symsCreatedForMerge, bool isLoopBackEdge);
 
     // Argument Tracking
 public:

Original file line number	Diff line number	Diff line change
`@@ -974,7 +974,8 @@ GlobOptBlockData::MergeValueInfo(`
`974`	`974`	`fromDataValueInfo->AsArrayValueInfo(),`
`975`	`975`	`fromDataSym,`
`976`	`976`	`symsRequiringCompensation,`
`977`		`- symsCreatedForMerge);`
	`977`	`+ symsCreatedForMerge,`
	`978`	`+ isLoopBackEdge);`
`978`	`979`	`}`
`979`	`980`
`980`	`981`	`// Consider: If both values are VarConstantValueInfo with the same value, we could`
`@@ -1072,7 +1073,8 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1072`	`1073`	`const ArrayValueInfo *const fromDataValueInfo,`
`1073`	`1074`	`Sym *const arraySym,`
`1074`	`1075`	`BVSparse<JitArenaAllocator> *const symsRequiringCompensation,`
`1075`		`- BVSparse<JitArenaAllocator> *const symsCreatedForMerge)`
	`1076`	`+ BVSparse<JitArenaAllocator> *const symsCreatedForMerge,`
	`1077`	`+ bool isLoopBackEdge)`
`1076`	`1078`	`{`
`1077`	`1079`	`Assert(mergedValueType.IsAnyOptimizedArray());`
`1078`	`1080`	`Assert(toDataValueInfo);`
`@@ -1095,7 +1097,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1095`	`1097`	`}`
`1096`	`1098`	`else`
`1097`	`1099`	`{`
`1098`		`- if (!this->globOpt->IsLoopPrePass())`
	`1100`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1099`	`1101`	`{`
`1100`	`1102`	`// Adding compensation code in the prepass won't help, as the symstores would again be different in the main pass.`
`1101`	`1103`	`Assert(symsRequiringCompensation);`
`@@ -1123,7 +1125,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1123`	`1125`	`}`
`1124`	`1126`	`else`
`1125`	`1127`	`{`
`1126`		`- if (!this->globOpt->IsLoopPrePass())`
	`1128`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1127`	`1129`	`{`
`1128`	`1130`	`Assert(symsRequiringCompensation);`
`1129`	`1131`	`symsRequiringCompensation->Set(arraySym->m_id);`
`@@ -1150,7 +1152,7 @@ ValueInfo *GlobOptBlockData::MergeArrayValueInfo(`
`1150`	`1152`	`}`
`1151`	`1153`	`else`
`1152`	`1154`	`{`
`1153`		`- if (!this->globOpt->IsLoopPrePass())`
	`1155`	`+ if (!this->globOpt->IsLoopPrePass() && !isLoopBackEdge)`
`1154`	`1156`	`{`
`1155`	`1157`	`Assert(symsRequiringCompensation);`
`1156`	`1158`	`symsRequiringCompensation->Set(arraySym->m_id);`