[CVE-2017-11918] JIT: Escape analysis bug - Google, Inc.

lib/Backend/GlobOpt.cpp

@@ -18165,8 +18165,8 @@ GlobOpt::TrackTempObjectSyms(IR::Instr * instr, IR::RegOpnd * opnd)
             (instr->GetSrc1()->IsRegOpnd() && globOptData.canStoreTempObjectSyms->Test(instr->GetSrc1()->AsRegOpnd()->m_sym->m_id))
             && (!instr->GetSrc2() || (instr->GetSrc2()->IsRegOpnd() && globOptData.canStoreTempObjectSyms->Test(instr->GetSrc2()->AsRegOpnd()->m_sym->m_id))));
 
-        Assert(!canStoreTemp || instr->dstIsTempObject);
-        Assert(!maybeTemp || instr->dstIsTempObject);
+        AssertOrFailFast(!canStoreTemp || instr->dstIsTempObject);
+        AssertOrFailFast(!maybeTemp || instr->dstIsTempObject);
     }
 
     // Need to get the var equiv sym as assignment of type specialized sym kill the var sym value anyway.

lib/Backend/TempTracker.cpp

@@ -1026,7 +1026,7 @@ ObjectTemp::IsTempUseOpCodeSym(IR::Instr * instr, Js::OpCode opcode, Sym * sym)
         return instr->GetSrc1()->AsIndirOpnd()->GetBaseOpnd()->m_sym == sym;
     case Js::OpCode::StElemI_A:
     case Js::OpCode::StElemI_A_Strict:
-        return instr->GetDst()->AsIndirOpnd()->GetBaseOpnd()->m_sym == sym;
+        return instr->GetDst()->AsIndirOpnd()->GetBaseOpnd()->m_sym == sym && instr->GetSrc1()->GetStackSym() != sym;
     case Js::OpCode::Memset:
         return instr->GetDst()->AsIndirOpnd()->GetBaseOpnd()->m_sym == sym || (instr->GetSrc1()->IsRegOpnd() && instr->GetSrc1()->AsRegOpnd()->m_sym == sym);
     case Js::OpCode::Memcopy: