[MERGE #6491 @akroshg] ChakraCore Servicing update for 2020.08B

Merge pull request #6491 from akroshg:servicing_2008 [CVE-2020-1555]
chakra-core · Aug 11, 2020 · a44ff07 · a44ff07
2 parents 75d5a92 + 28a1f06
commit a44ff07
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 6 deletions.
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.20
+1.11.21
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 20
+#define CHAKRA_CORE_PATCH_VERSION 21
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------

diff --git a/lib/Runtime/Base/FunctionBody.cpp b/lib/Runtime/Base/FunctionBody.cpp
@@ -6283,7 +6283,7 @@ namespace Js
         Assert(polymorphicInlineCache && polymorphicInlineCache->CanAllocateBigger());
         uint16 polymorphicInlineCacheSize = polymorphicInlineCache->GetSize();
         uint16 newPolymorphicInlineCacheSize = PolymorphicInlineCache::GetNextSize(polymorphicInlineCacheSize);
-        Assert(newPolymorphicInlineCacheSize > polymorphicInlineCacheSize);
+        AssertOrFailFast(newPolymorphicInlineCacheSize > polymorphicInlineCacheSize);
         PolymorphicInlineCache * newPolymorphicInlineCache = CreatePolymorphicInlineCache(index, newPolymorphicInlineCacheSize);
         polymorphicInlineCache->CopyTo(propertyId, m_scriptContext, newPolymorphicInlineCache);
 #ifdef ENABLE_DEBUG_CONFIG_OPTIONS

diff --git a/lib/Runtime/Language/CacheOperators.h b/lib/Runtime/Language/CacheOperators.h
@@ -18,7 +18,7 @@ namespace Js
             bool IsAccessor,
             bool IsRead,
             bool IncludeTypePropertyCache>
-        static void Cache(const bool isProto, DynamicObject *const objectWithProperty, const bool isRoot, Type *const type, Type *const typeWithoutProperty, const PropertyId propertyId, const PropertyIndex propertyIndex, const bool isInlineSlot, const bool isMissing, const int requiredAuxSlotCapacity, const PropertyValueInfo *const info, ScriptContext *const requestContext);
+        static void Cache(const bool isProto, DynamicObject *const objectWithProperty, const bool isRoot, Type *const type, Type *const typeWithoutProperty, const PropertyId propertyId, const PropertyIndex propertyIndex, const bool isInlineSlot, const bool isMissing, const int requiredAuxSlotCapacity, PropertyValueInfo *const info, ScriptContext *const requestContext);
 
         template<
             bool CheckLocal,

diff --git a/lib/Runtime/Language/CacheOperators.inl b/lib/Runtime/Language/CacheOperators.inl
@@ -312,7 +312,7 @@ namespace Js
         const bool isInlineSlot,
         const bool isMissing,
         const int requiredAuxSlotCapacity,
-        const PropertyValueInfo *const info,
+        PropertyValueInfo *const info,
         ScriptContext *const requestContext)
     {
         CompileAssert(!IsAccessor || !IncludeTypePropertyCache);
@@ -375,6 +375,9 @@ namespace Js
                  : !PHASE_OFF1(Js::TypePropertyCachePhase)
             );
         bool createTypePropertyCache = false;
+
+        // Side-effects may have changed the cache, so make sure the info has the latest.
+        info->UpdatePolymorphicInlineCache(IsRead);
         PolymorphicInlineCache *polymorphicInlineCache = info->GetPolymorphicInlineCache();
         if(!polymorphicInlineCache && info->GetFunctionBody())
         {

diff --git a/lib/Runtime/Types/RecyclableObject.cpp b/lib/Runtime/Types/RecyclableObject.cpp
@@ -109,6 +109,14 @@ namespace Js
         }
     }
 
+    void PropertyValueInfo::UpdatePolymorphicInlineCache(bool isRead)
+    {
+        if (GetPropertyRecordUsageCache())
+        {
+            this->polymorphicInlineCache = isRead ? GetPropertyRecordUsageCache()->GetLdElemInlineCache() : GetPropertyRecordUsageCache()->GetStElemInlineCache();
+        }
+    }
+
 #if DBG || defined(PROFILE_TYPES)
     // Used only by the GlobalObject, because it's typeHandler can't be fully initialized
     // with the globalobject which is currently being created.

diff --git a/lib/Runtime/Types/RecyclableObject.h b/lib/Runtime/Types/RecyclableObject.h
@@ -93,6 +93,7 @@ namespace Js {
             bool allowResizing);
         static void SetCacheInfo(_Out_ PropertyValueInfo* info, _In_ PolymorphicInlineCache *const polymorphicInlineCache, bool allowResizing);
         static void ClearCacheInfo(PropertyValueInfo* info);
+        void UpdatePolymorphicInlineCache(bool isRead);
 
         InlineCache * GetInlineCache() const
         {

diff --git a/test/AsmJs/rlexe.xml b/test/AsmJs/rlexe.xml
@@ -977,7 +977,7 @@
       <compile-flags>-testtrace:asmjs -args 14000 -endargs -EnableFatalErrorOnOOM-</compile-flags>
       <!-- todo:: On unix platforms there is more stack available,
            so we need to find the right limit to test in order to not timeout -->
-      <tags>exclude_dynapogo,exclude_mac</tags>
+      <tags>exclude_dynapogo,exclude_mac,Slow</tags>
     </default>
   </test>
   <test>