Página Principal Explorar Ajuda
Iniciar Sessão
SunnyMirror
/
ChakraCore
mirror de https://github.com/microsoft/ChakraCore.git
2
0
Fork 0
Ficheiros Problemas 0 Wiki
Ver Fonte

[CVE-2018-8355] Edge - Chakra: JIT: Type confusion with localeCompare - Google, Inc.

Chakra Automation há 7 anos atrás
pai
91bb6d68bf
commit
cf3ef50623
4 ficheiros alterados com 2 adições e 10 exclusões
Visão Dividida Mostrar Estatísticas Diff
  1. 0 4
      lib/Backend/Inline.cpp
  2. 0 1
      lib/Backend/InliningDecider.cpp
  3. 2 4
      lib/Runtime/Library/JavascriptLibrary.cpp
  4. 0 1
      lib/Runtime/LibraryFunction.h

+ 0 - 4
lib/Backend/Inline.cpp
Ver Ficheiro 

@@ -3418,10 +3418,6 @@ Inline::SetupInlineInstrForCallDirect(Js::BuiltinFunction builtInId, IR::Instr*
 
         callInstr->SetSrc1(IR::HelperCallOpnd::New(IR::JnHelperMethod::HelperString_Link, callInstr->m_func));
 
         break;
 
 
-    case Js::BuiltinFunction::JavascriptString_LocaleCompare:
 
-        callInstr->SetSrc1(IR::HelperCallOpnd::New(IR::JnHelperMethod::HelperString_LocaleCompare, callInstr->m_func));
 
-        break;
 
-
 
     case Js::BuiltinFunction::JavascriptString_Match:
 
         callInstr->SetSrc1(IR::HelperCallOpnd::New(IR::JnHelperMethod::HelperString_Match, callInstr->m_func));
 
         break;

+ 0 - 1
lib/Backend/InliningDecider.cpp
Ver Ficheiro 

@@ -491,7 +491,6 @@ bool InliningDecider::GetBuiltInInfoCommon(
 
     case Js::JavascriptBuiltInFunction::JavascriptArray_Splice:
 
 
     case Js::JavascriptBuiltInFunction::JavascriptString_Link:
 
-    case Js::JavascriptBuiltInFunction::JavascriptString_LocaleCompare:
 
         goto CallDirectCommon;
 
 
     case Js::JavascriptBuiltInFunction::JavascriptArray_Join:

+ 2 - 4
lib/Runtime/Library/JavascriptLibrary.cpp
Ver Ficheiro 

@@ -3277,9 +3277,6 @@ namespace Js
 
         case PropertyIds::link:
 
             return BuiltinFunction::JavascriptString_Link;
 
 
-        case PropertyIds::localeCompare:
 
-            return BuiltinFunction::JavascriptString_LocaleCompare;
 
-
 
         case PropertyIds::match:
 
             return BuiltinFunction::JavascriptString_Match;
 
 
@@ -3842,7 +3839,8 @@ namespace Js
 
         builtinFuncs[BuiltinFunction::JavascriptString_CharAt]            = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::charAt,             &JavascriptString::EntryInfo::CharAt,               1);
 
         builtinFuncs[BuiltinFunction::JavascriptString_CharCodeAt]        = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::charCodeAt,         &JavascriptString::EntryInfo::CharCodeAt,           1);
 
         builtinFuncs[BuiltinFunction::JavascriptString_Concat]            = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::concat,             &JavascriptString::EntryInfo::Concat,               1);
 
-        builtinFuncs[BuiltinFunction::JavascriptString_LocaleCompare]     = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::localeCompare,      &JavascriptString::EntryInfo::LocaleCompare,        1);
 
+        // OS#17824730: Don't inline String.prototype.localeCompare because it immediately calls back into Intl.js, which can break implicitCallFlags
 
+        /* No inlining                String_LocaleCompare */               library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::localeCompare,      &JavascriptString::EntryInfo::LocaleCompare,        1);
 
         builtinFuncs[BuiltinFunction::JavascriptString_Match]             = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::match,              &JavascriptString::EntryInfo::Match,                1);
 
         builtinFuncs[BuiltinFunction::JavascriptString_Split]             = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::split,              &JavascriptString::EntryInfo::Split,                2);
 
         builtinFuncs[BuiltinFunction::JavascriptString_Substring]         = library->AddFunctionToLibraryObject(stringPrototype, PropertyIds::substring,          &JavascriptString::EntryInfo::Substring,            2);

+ 0 - 1
lib/Runtime/LibraryFunction.h
Ver Ficheiro 

@@ -28,7 +28,6 @@ LIBRARY_FUNCTION(JavascriptString,        FromCodePoint,      1,    BIF_None
 
 LIBRARY_FUNCTION(JavascriptString,        IndexOf,            3,    BIF_UseSrc0 | BIF_VariableArgsNumber              , JavascriptString::EntryInfo::IndexOf)
 
 LIBRARY_FUNCTION(JavascriptString,        LastIndexOf,        3,    BIF_UseSrc0 | BIF_VariableArgsNumber              , JavascriptString::EntryInfo::LastIndexOf)
 
 LIBRARY_FUNCTION(JavascriptString,        Link,               2,    BIF_UseSrc0                                       , JavascriptString::EntryInfo::Link)
 
-LIBRARY_FUNCTION(JavascriptString,        LocaleCompare,      2,    BIF_UseSrc0                                       , JavascriptString::EntryInfo::LocaleCompare)
 
 LIBRARY_FUNCTION(JavascriptString,        Match,              2,    BIF_UseSrc0 | BIF_IgnoreDst                       , JavascriptString::EntryInfo::Match)
 
 LIBRARY_FUNCTION(JavascriptString,        Replace,            3,    BIF_UseSrc0 | BIF_IgnoreDst                       , JavascriptString::EntryInfo::Replace)
 
 LIBRARY_FUNCTION(JavascriptString,        Search,             2,    BIF_UseSrc0                                       , JavascriptString::EntryInfo::Search)