From 9dd36b4c1120c40ffc4c62bc1b727b784c10a7d4 Mon Sep 17 00:00:00 2001 From: Michael Holman Date: Thu, 12 Nov 2020 10:20:40 -0800 Subject: [PATCH] [CVE-2020-17131] --- lib/Backend/BackwardPass.cpp | 55 +++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp index 2cdeac4c9ca..0403f185a23 100644 --- a/lib/Backend/BackwardPass.cpp +++ b/lib/Backend/BackwardPass.cpp @@ -3856,7 +3856,7 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev) IR::Instr * instr = this->currentInstr; Func * currFunc = instr->m_func; - if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled() && !IsPrePass()) + if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled()) { switch (instr->m_opcode) { @@ -3875,28 +3875,37 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev) if (IsFormalParamSym(currFunc, sym)) { AssertMsg(!currFunc->GetJITFunctionBody()->HasImplicitArgIns(), "We don't have mappings between named formals and arguments object here"); - - instr->m_opcode = Js::OpCode::Ld_A; + PropertySym * propSym = sym->AsPropertySym(); Js::ArgSlot value = (Js::ArgSlot)propSym->m_propertyId; Assert(currFunc->HasStackSymForFormal(value)); StackSym * paramStackSym = currFunc->GetStackSymForFormal(value); - IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc); - instr->ReplaceSrc1(srcOpnd); - this->ProcessSymUse(paramStackSym, true, true); - if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase)) + if (!IsPrePass()) { - Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber()); - Output::Flush(); + IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc); + instr->ReplaceSrc1(srcOpnd); + instr->m_opcode = Js::OpCode::Ld_A; + + if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase)) + { + Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber()); + Output::Flush(); + } } + + this->ProcessSymUse(paramStackSym, true, true); } } break; } case Js::OpCode::CommitScope: { + if (IsPrePass()) + { + break; + } if (instr->GetSrc1()->IsScopeObjOpnd(currFunc)) { instr->Remove(); @@ -3907,6 +3916,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev) case Js::OpCode::BrFncCachedScopeEq: case Js::OpCode::BrFncCachedScopeNeq: { + if (IsPrePass()) + { + break; + } if (instr->GetSrc2()->IsScopeObjOpnd(currFunc)) { instr->Remove(); @@ -3916,6 +3929,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev) } case Js::OpCode::CallHelper: { + if (IsPrePass()) + { + break; + } //Remove the CALL and all its Argout instrs. if (instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper == IR::JnHelperMethod::HelperOP_InitCachedFuncs) { @@ -3954,15 +3971,21 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev) if (instr->GetSrc1()->IsScopeObjOpnd(currFunc)) { - instr->m_opcode = Js::OpCode::NewScFunc; - IR::Opnd * intConstOpnd = instr->UnlinkSrc2(); - Assert(intConstOpnd->IsIntConstOpnd()); + StackSym * frameDisplaySym = currFunc->GetLocalFrameDisplaySym(); + if (!IsPrePass()) + { + instr->m_opcode = Js::OpCode::NewScFunc; + IR::Opnd * intConstOpnd = instr->UnlinkSrc2(); + Assert(intConstOpnd->IsIntConstOpnd()); - uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32()); - intConstOpnd->Free(instr->m_func); + uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32()); + intConstOpnd->Free(instr->m_func); + + instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func)); + instr->SetSrc2(IR::RegOpnd::New(frameDisplaySym, IRType::TyVar, currFunc)); + } - instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func)); - instr->SetSrc2(IR::RegOpnd::New(currFunc->GetLocalFrameDisplaySym(), IRType::TyVar, currFunc)); + this->ProcessSymUse(frameDisplaySym, true, true); } break; }