[MERGE #6500 @boingoing] ChakraCore Servicing update for 2020.09B

Merge pull request #6500 from boingoing:servicing/2009

[CVE-2020-0878]
[CVE-2020-1180]
[CVE-2020-1057]
[CVE-2020-1172]

Author: boingoing

Build/NuGet/.pack-version

@@ -1 +1 @@
-1.11.21
+1.11.22

lib/Backend/BackwardPass.cpp

@@ -8648,20 +8648,7 @@ BackwardPass::SetWriteThroughSymbolsSetForRegion(BasicBlock * catchOrFinallyBloc
 bool
 BackwardPass::CheckWriteThroughSymInRegion(Region* region, StackSym* sym)
 {
-    if (region->GetType() == RegionTypeRoot)
-    {
-        return false;
-    }
-
-    // if the current region is a try region, check in its write-through set,
-    // otherwise (current = catch region) look in the first try ancestor's write-through set
-    Region * selfOrFirstTryAncestor = region->GetSelfOrFirstTryAncestor();
-    if (!selfOrFirstTryAncestor)
-    {
-        return false;
-    }
-    Assert(selfOrFirstTryAncestor->GetType() == RegionTypeTry);
-    return selfOrFirstTryAncestor->writeThroughSymbolsSet && selfOrFirstTryAncestor->writeThroughSymbolsSet->Test(sym->m_id);
+    return region->CheckWriteThroughSym(sym);
 }
 
 #if DBG

lib/Backend/Func.cpp

@@ -55,6 +55,7 @@ Func::Func(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
     m_localClosureSym(nullptr),
     m_paramClosureSym(nullptr),
     m_localFrameDisplaySym(nullptr),
+    m_inlineeFrameDisplaySyms(nullptr),
     m_bailoutReturnValueSym(nullptr),
     m_hasBailedOutSym(nullptr),
     m_inlineeFrameStartSym(nullptr),
@@ -1124,6 +1125,16 @@ void Func::InitLocalClosureSyms()
     }
 }
 
+void
+Func::AddInlineeFrameDisplaySym(StackSym *inlineeFrameDisplaySym)
+{
+    if (m_inlineeFrameDisplaySyms == nullptr)
+    {
+        m_inlineeFrameDisplaySyms = JitAnew(this->m_alloc, SList<StackSym*>, this->m_alloc);
+    }
+    m_inlineeFrameDisplaySyms->Prepend(inlineeFrameDisplaySym);
+}
+
 bool
 Func::IsTrackCompoundedIntOverflowDisabled() const
 {

lib/Backend/Func.h

@@ -441,6 +441,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
 
     StackSym *GetLocalFrameDisplaySym() const { return m_localFrameDisplaySym; }
     void SetLocalFrameDisplaySym(StackSym *sym) { m_localFrameDisplaySym = sym; }
+    void AddInlineeFrameDisplaySym(StackSym *sym);
 
     intptr_t GetJittedLoopIterationsSinceLastBailoutAddress() const;
     void EnsurePinnedTypeRefs();
@@ -678,6 +679,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     StackSym *          m_paramClosureSym;
     StackSym *          m_localFrameDisplaySym;
     StackSym *          m_bailoutReturnValueSym;
+    SList<StackSym*> *  m_inlineeFrameDisplaySyms;
     StackSym *          m_hasBailedOutSym;
     uint                m_forInLoopMaxDepth;
     uint                m_forInLoopBaseDepth;

lib/Backend/GlobOpt.h

@@ -960,6 +960,8 @@ class GlobOpt
     void                    KillAllObjectTypes(BVSparse<JitArenaAllocator>* liveFields = nullptr);
     void                    EndFieldLifetime(IR::SymOpnd *symOpnd);
     PropertySym *           CopyPropPropertySymObj(IR::SymOpnd *opnd, IR::Instr *instr);
+    void                    OnCopyPropInPrePass(StackSym * copySym, IR::Instr * instr, BasicBlock * block);
+    void                    UpdateUpwardExposedUses(StackSym * sym, IR::Instr * instrLast, BasicBlock * block, JsUtil::Stack<BasicBlock*, JitArenaAllocator, true> *blockStack, BVSparse<JitArenaAllocator>* blocksProcessed);
     static bool             NeedsTypeCheckBailOut(const IR::Instr *instr, IR::PropertySymOpnd *propertySymOpnd, bool isStore, bool* pIsTypeCheckProtected, IR::BailOutKind *pBailOutKind);
     IR::Instr *             PreOptPeep(IR::Instr *instr);
     IR::Instr *             OptPeep(IR::Instr *instr, Value *src1Val, Value *src2Val);

lib/Backend/GlobOptFields.cpp

@@ -1917,6 +1917,11 @@ GlobOpt::CopyPropPropertySymObj(IR::SymOpnd *symOpnd, IR::Instr *instr)
                 symOpnd->m_sym = newProp;
                 symOpnd->SetIsJITOptimizedReg(true);
 
+                if (this->IsLoopPrePass())
+                {
+                    this->OnCopyPropInPrePass(copySym, instr, this->currentBlock);
+                }
+
                 if (symOpnd->IsPropertySymOpnd())
                 {
                     IR::PropertySymOpnd *propertySymOpnd = symOpnd->AsPropertySymOpnd();
@@ -1959,6 +1964,77 @@ GlobOpt::CopyPropPropertySymObj(IR::SymOpnd *symOpnd, IR::Instr *instr)
     return propertySym;
 }
 
+void
+GlobOpt::OnCopyPropInPrePass(StackSym * copySym, IR::Instr * instr, BasicBlock * block)
+{
+    // Copy prop in the prepass may make upwardExposedUses out of date. Update it now.
+
+    if (block->upwardExposedUses->Test(copySym->m_id))
+    {
+        // Nothing to do
+        return;
+    }
+
+    // Use a to-do stack to avoid recursion and a bv to avoid repeated work
+    JsUtil::Stack<BasicBlock*, JitArenaAllocator, true> blockStack(this->tempAlloc);
+    BVSparse<JitArenaAllocator> blocksProcessed(this->tempAlloc);
+
+    blocksProcessed.Set(block->GetBlockNum());
+    this->UpdateUpwardExposedUses(copySym, instr, block, &blockStack, &blocksProcessed);
+
+    while (!blockStack.Empty())
+    {
+        block = blockStack.Pop();
+        Assert(blocksProcessed.Test(block->GetBlockNum()));
+        this->UpdateUpwardExposedUses(copySym, block->GetLastInstr(), block, &blockStack, &blocksProcessed);
+    }
+}
+
+void
+GlobOpt::UpdateUpwardExposedUses(StackSym * sym, IR::Instr * instrLast, BasicBlock * block, JsUtil::Stack<BasicBlock*, JitArenaAllocator, true> *blockStack, BVSparse<JitArenaAllocator>* blocksProcessed)
+{
+    Assert(blocksProcessed->Test(block->GetBlockNum()));
+    Assert(!block->upwardExposedUses->Test(sym->m_id));
+
+    // Walk the block backward looking for a def. If the sym is write-through in this block, though,
+    // treat it as upward-exposed regardless of the presence of defs.
+    IR::LabelInstr * instrFirst = block->GetFirstInstr()->AsLabelInstr();
+    Region * region = instrFirst->GetRegion();
+    if (region == nullptr || !region->CheckWriteThroughSym(sym))
+    {
+        FOREACH_INSTR_BACKWARD_IN_RANGE(instr, instrLast, instrFirst)
+        {
+            // If the instr defines the sym, quit without setting upwardExposedUses
+            IR::Opnd * dst = instr->GetDst();
+            if (dst != nullptr && dst->GetStackSym() == sym)
+            {
+                return;
+            }
+            Assert(dst == nullptr || dst->GetStackSym() == nullptr || dst->GetStackSym()->m_id != sym->m_id);
+        }
+        NEXT_INSTR_BACKWARD_IN_RANGE;
+    }
+
+    // The sym is upward exposed at this block. Now update the to-do set with the predecessors.
+
+    Assert(block->GetBlockNum() != 0);
+    block->upwardExposedUses->Set(sym->m_id);
+    FOREACH_PREDECESSOR_BLOCK(blockPred, block)
+    {
+        if (blockPred->upwardExposedUses == nullptr || blockPred->upwardExposedUses->Test(sym->m_id))
+        {
+            // If the bv is null, that means the main pass is done with this block
+            // and so done with its predecessors
+            continue;
+        }
+        if (!blocksProcessed->TestAndSet(blockPred->GetBlockNum()))
+        {
+            blockStack->Push(blockPred);
+        }
+    }
+    NEXT_PREDECESSOR_BLOCK;
+}
+
 void
 GlobOpt::UpdateObjPtrValueType(IR::Opnd * opnd, IR::Instr * instr)
 {

lib/Backend/IRBuilder.cpp

@@ -661,6 +661,11 @@ IRBuilder::Build()
                             dstOpnd, m_func),
                         offset);
                 }
+                else if (m_func->GetTopFunc()->DoStackFrameDisplay())
+                {
+                    Assert(m_func->GetLocalFrameDisplaySym() != nullptr);
+                    m_func->GetTopFunc()->AddInlineeFrameDisplaySym(m_func->GetLocalFrameDisplaySym());
+                }
             }
         }
     }

lib/Backend/Lower.cpp

@@ -49,9 +49,11 @@ Lowerer::Lower()
     {
         EnsureStackFunctionListStackSym();
     }
+    StackSym * symInlineeFrameDisplayEnd = nullptr;
     if (m_func->DoStackFrameDisplay() && !m_func->IsLoopBody())
     {
-        AllocStackClosure();
+        symInlineeFrameDisplayEnd = StackSym::New(m_func);
+        AllocStackClosure(symInlineeFrameDisplayEnd);
     }
 
     AllocStackForInObjectEnumeratorArray();
@@ -140,6 +142,11 @@ Lowerer::Lower()
         EnsureZeroLastStackFunctionNext();
     }
 
+    if (symInlineeFrameDisplayEnd != nullptr)
+    {
+        InitializeInlineeFrameDisplays(symInlineeFrameDisplayEnd);
+    }
+
     if (!m_func->IsSimpleJit())
     {
 #if 0 // TODO michhol oop jit, reenable assert
@@ -6755,10 +6762,40 @@ Lowerer::EnsureStackFunctionListStackSym()
 }
 
 void
-Lowerer::AllocStackClosure()
+Lowerer::AllocStackClosure(StackSym * symInlineeFrameDisplayEnd)
 {
     m_func->StackAllocate(m_func->GetLocalFrameDisplaySym(), sizeof(Js::Var));
     m_func->StackAllocate(m_func->GetLocalClosureSym(), sizeof(Js::Var));
+
+    if (m_func->m_inlineeFrameDisplaySyms != nullptr)
+    {
+        FOREACH_SLIST_ENTRY(StackSym*, sym, m_func->m_inlineeFrameDisplaySyms)
+        {
+            m_func->StackAllocate(sym, sizeof(Js::Var));
+        }
+        NEXT_SLIST_ENTRY;
+    }
+    m_func->StackAllocate(symInlineeFrameDisplayEnd, sizeof(Js::Var));
+}
+
+void
+Lowerer::InitializeInlineeFrameDisplays(StackSym * symInlineeFrameDisplayEnd)
+{
+    if (m_func->m_inlineeFrameDisplaySyms != nullptr)
+    {
+        FOREACH_SLIST_ENTRY(StackSym*, sym, m_func->m_inlineeFrameDisplaySyms)
+        {
+            Assert(sym->IsAllocated());
+            InsertMove(IR::SymOpnd::New(sym, TyMachReg, m_func),
+                       IR::AddrOpnd::New(m_func->GetThreadContextInfo()->GetNullFrameDisplayAddr(), IR::AddrOpndKindDynamicMisc, m_func),
+                       m_func->GetFunctionEntryInsertionPoint());
+        }
+        NEXT_SLIST_ENTRY;
+    }
+    Assert(symInlineeFrameDisplayEnd->IsAllocated());
+    InsertMove(IR::SymOpnd::New(symInlineeFrameDisplayEnd, TyMachReg, m_func),
+               IR::AddrOpnd::New((void*)0, IR::AddrOpndKindDynamicMisc, m_func),
+               m_func->GetFunctionEntryInsertionPoint());
 }
 
 void
@@ -27112,6 +27149,12 @@ void Lowerer::LowerLdFrameDisplay(IR::Instr *instr, bool doStackFrameDisplay)
     else
     {
         GenerateRecyclerAlloc(IR::HelperAllocMemForFrameDisplay, allocSize, dstOpnd, instr);
+        if (instr->m_func != this->m_func && this->m_func->DoStackFrameDisplay())
+        {
+            StackSym * inlineeFrameDisplaySym = instr->m_func->GetLocalFrameDisplaySym();
+            Assert(inlineeFrameDisplaySym->IsAllocated());
+            InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);
+        }
     }
 
     // Copy contents of environment

lib/Backend/Lower.h

@@ -196,7 +196,8 @@ class Lowerer
 
     void            EnsureStackFunctionListStackSym();
     void            EnsureZeroLastStackFunctionNext();
-    void            AllocStackClosure();
+    void            AllocStackClosure(StackSym * symInlineeFrameDisplayEnd);
+    void            InitializeInlineeFrameDisplays(StackSym * symInlineeFrameDisplayEnd);
     IR::Instr *     GenerateNewStackScFunc(IR::Instr * newScFuncInstr, IR::RegOpnd ** ppEnvOpnd);
     void            GenerateStackScriptFunctionInit(StackSym * stackSym, Js::FunctionInfoPtrPtr nestedInfo);
     void            GenerateScriptFunctionInit(IR::RegOpnd * regOpnd, IR::Opnd * vtableAddressOpnd,

lib/Backend/Region.cpp

@@ -103,3 +103,21 @@ Region::GetFirstAncestorOfNonExceptingFinally()
     return ancestor;
 }
 
+bool
+Region::CheckWriteThroughSym(StackSym * sym)
+{
+    if (this->GetType() == RegionTypeRoot)
+    {
+        return false;
+    }
+
+    // if the current region is a try region, check in its write-through set,
+    // otherwise (current = catch region) look in the first try ancestor's write-through set
+    Region * selfOrFirstTryAncestor = this->GetSelfOrFirstTryAncestor();
+    if (!selfOrFirstTryAncestor)
+    {
+        return false;
+    }
+    Assert(selfOrFirstTryAncestor->GetType() == RegionTypeTry);
+    return selfOrFirstTryAncestor->writeThroughSymbolsSet && selfOrFirstTryAncestor->writeThroughSymbolsSet->Test(sym->m_id);
+}

lib/Backend/Region.h

@@ -68,6 +68,7 @@ class Region
     Region * GetSelfOrFirstTryAncestor();
     Region * GetFirstAncestorOfNonExceptingFinallyParent();
     Region * GetFirstAncestorOfNonExceptingFinally();
+    bool   CheckWriteThroughSym(StackSym * sym);
 
 private:
     RegionType                      type;

lib/Common/ChakraCoreVersion.h

@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 21
+#define CHAKRA_CORE_PATCH_VERSION 22
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------

lib/Parser/Scan.h

@@ -241,15 +241,24 @@ class UTF8EncodingPolicyBase
     OLECHAR ReadRest(OLECHAR ch, EncodedCharPtr &p, EncodedCharPtr last)
     {
         EncodedCharPtr s;
+        utf8::DecodeOptions decodeOptions = m_decodeOptions;
         if (bScan)
         {
             s = p;
         }
         OLECHAR result = utf8::DecodeTail(ch, p, last, m_decodeOptions);
         if (bScan)
         {
-            // If we are scanning, update m_cMultiUnits counter.
-            m_cMultiUnits += p - s;
+            if ((decodeOptions & utf8::doSecondSurrogatePair) && (p - s > 2))
+            {
+                // 4 byte utf8 chars equals 2 utf16 chars + 2 multi-unit chars only (refer to case4: in utf8::DecodeTail()).
+                m_cMultiUnits += 2;
+            }
+            else
+            {
+                // If we are scanning, update m_cMultiUnits counter.
+                m_cMultiUnits += p - s;
+            }
         }
         return result;
     }

lib/Runtime/Base/Constants.h

@@ -132,10 +132,12 @@ namespace Js
         static const int StackNestedFuncList = 2;
         static const int StackFrameDisplay = 3;
         static const int StackScopeSlots = 4;
+        static const int InlineeFrameDisplays = 5;
 #if _M_IX86 || _M_AMD64
         static const int StackNestedFuncListWithNoArg = 1;
         static const int StackFrameDisplayWithNoArg = 2;
         static const int StackScopeSlotsWithNoArg = 3;
+        static const int InlineeFrameDisplaysWithNoArg = 4;
 #endif
 
         static const DWORD NonWebWorkerContextId = 0;

lib/Runtime/Language/JavascriptFunctionArgIndex.h

@@ -13,10 +13,12 @@ namespace Js
         JavascriptFunctionArgIndex_StackNestedFuncListWithNoArg = JavascriptFunctionArgIndex_Frame - Js::Constants::StackNestedFuncListWithNoArg,
         JavascriptFunctionArgIndex_StackFrameDisplayNoArg = JavascriptFunctionArgIndex_Frame - Js::Constants::StackFrameDisplayWithNoArg,
         JavascriptFunctionArgIndex_StackScopeSlotsNoArg = JavascriptFunctionArgIndex_Frame - Js::Constants::StackScopeSlotsWithNoArg,
+        JavascriptFunctionArgIndex_InlineeFrameDisplaysNoArg = JavascriptFunctionArgIndex_Frame - Js::Constants::InlineeFrameDisplaysWithNoArg,
 #endif
         JavascriptFunctionArgIndex_StackNestedFuncList = JavascriptFunctionArgIndex_Frame - Js::Constants::StackNestedFuncList,
         JavascriptFunctionArgIndex_StackFrameDisplay = JavascriptFunctionArgIndex_Frame - Js::Constants::StackFrameDisplay,
         JavascriptFunctionArgIndex_StackScopeSlots = JavascriptFunctionArgIndex_Frame - Js::Constants::StackScopeSlots,
+        JavascriptFunctionArgIndex_InlineeFrameDisplays = JavascriptFunctionArgIndex_Frame - Js::Constants::InlineeFrameDisplays,
         JavascriptFunctionArgIndex_Function        = 0,
         JavascriptFunctionArgIndex_CallInfo        = 1,
         JavascriptFunctionArgIndex_This            = 2, /* (hidden) first script arg */