Trang chủ Khám phá Trợ giúp
Đăng nhập
SunnyMirror
/
ChakraCore
mirror of https://github.com/microsoft/ChakraCore.git
2
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Browse Source

CVE-2018-8617

Paul Leathers 7 năm trước cách đây
mục cha
69a259c8c3
commit
c04787f16e
2 tập tin đã thay đổi với 25 bổ sung9 xóa
Split View Hiển thị tình trạng sai khác
  1. 0 6
      lib/Backend/GlobOpt.cpp
  2. 25 3
      lib/Backend/GlobOptFields.cpp

+ 0 - 6
lib/Backend/GlobOpt.cpp
Xem Tập Tin 

@@ -2852,12 +2852,6 @@ GlobOpt::OptDst(
 
         {
 
             this->FinishOptPropOp(instr, opnd->AsPropertySymOpnd());
 
         }
 
-        else if (instr->m_opcode == Js::OpCode::StElemI_A ||
 
-                 instr->m_opcode == Js::OpCode::StElemI_A_Strict ||
 
-                 instr->m_opcode == Js::OpCode::InitComputedProperty)
 
-        {
 
-            this->KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
 
-        }
 
 
         if (opnd->IsIndirOpnd() && !this->IsLoopPrePass())
 
         {

+ 25 - 3
lib/Backend/GlobOptFields.cpp
Xem Tập Tin 

@@ -328,10 +328,20 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
 
         Assert(dstOpnd != nullptr);
 
         KillLiveFields(this->lengthEquivBv, bv);
 
         KillLiveElems(dstOpnd->AsIndirOpnd(), bv, inGlobOpt, instr->m_func);
 
+        if (inGlobOpt)
 
+        {
 
+            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
 
+        }
 
         break;
 
 
     case Js::OpCode::InitComputedProperty:
 
+    case Js::OpCode::InitGetElemI:
 
+    case Js::OpCode::InitSetElemI:
 
         KillLiveElems(dstOpnd->AsIndirOpnd(), bv, inGlobOpt, instr->m_func);
 
+        if (inGlobOpt)
 
+        {
 
+            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
 
+        }
 
         break;
 
 
     case Js::OpCode::DeleteElemI_A:
 
@@ -394,6 +404,10 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
 
     case Js::OpCode::InlineArrayPush:
 
     case Js::OpCode::InlineArrayPop:
 
         KillLiveFields(this->lengthEquivBv, bv);
 
+        if (inGlobOpt)
 
+        {
 
+            KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
 
+        }
 
         break;
 
 
     case Js::OpCode::InlineeStart:
 
@@ -410,10 +424,18 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
 
         fnHelper = instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper;
 
 
         // Kill length field for built-ins that can update it.
 
-        if(nullptr != this->lengthEquivBv && (fnHelper == IR::JnHelperMethod::HelperArray_Shift || fnHelper == IR::JnHelperMethod::HelperArray_Splice
 
-            || fnHelper == IR::JnHelperMethod::HelperArray_Unshift))
 
+        if(fnHelper == IR::JnHelperMethod::HelperArray_Shift 
+           || fnHelper == IR::JnHelperMethod::HelperArray_Splice
 
+           || fnHelper == IR::JnHelperMethod::HelperArray_Unshift)
 
         {
 
-            KillLiveFields(this->lengthEquivBv, bv);
 
+            if (nullptr != this->lengthEquivBv)
 
+            {
 
+                KillLiveFields(this->lengthEquivBv, bv);
 
+            }
 
+            if (inGlobOpt)
 
+            {
 
+                KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
 
+            }
 
         }
 
 
         if ((fnHelper == IR::JnHelperMethod::HelperRegExp_Exec)