ChakraCore 2018-04 security updates

lib/Backend/GlobOpt.cpp

@@ -14402,7 +14402,8 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
                                 currentBlock->next,
                                 hoistBlock,
                                 hoistInfo.IndexSym(),
-                                hoistInfo.IndexValueNumber());
+                                hoistInfo.IndexValueNumber(),
+                                true);
                             it.IsValid();
                             it.MoveNext())
                         {
@@ -14670,7 +14671,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
                     Assert(!hoistInfo.Loop() || hoistBlock != currentBlock);
                     if(hoistBlock != currentBlock)
                     {
-                        for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr);
+                        for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr, InvalidValueNumber, true);
                             it.IsValid();
                             it.MoveNext())
                         {
@@ -17116,12 +17117,15 @@ InvariantBlockBackwardIterator::InvariantBlockBackwardIterator(
     BasicBlock *const exclusiveBeginBlock,
     BasicBlock *const inclusiveEndBlock,
     StackSym *const invariantSym,
-    const ValueNumber invariantSymValueNumber)
+    const ValueNumber invariantSymValueNumber,
+    bool followFlow)
     : globOpt(globOpt),
     exclusiveEndBlock(inclusiveEndBlock->prev),
     invariantSym(invariantSym),
     invariantSymValueNumber(invariantSymValueNumber),
-    block(exclusiveBeginBlock)
+    block(exclusiveBeginBlock),
+    blockBV(globOpt->tempAlloc),
+    followFlow(followFlow)
 #if DBG
     ,
     inclusiveEndBlock(inclusiveEndBlock)
@@ -17159,6 +17163,11 @@ InvariantBlockBackwardIterator::MoveNext()
             break;
         }
 
+        if (!this->UpdatePredBlockBV())
+        {
+            continue;
+        }
+
         if(block->isDeleted)
         {
             continue;
@@ -17186,6 +17195,28 @@ InvariantBlockBackwardIterator::MoveNext()
     }
 }
 
+bool
+InvariantBlockBackwardIterator::UpdatePredBlockBV()
+{
+    if (!this->followFlow)
+    {
+        return true;
+    }
+
+    // Track blocks we've visited to ensure that we only iterate over predecessor blocks
+    if (!this->blockBV.IsEmpty() && !this->blockBV.Test(this->block->GetBlockNum()))
+    {
+        return false;
+    }
+
+    FOREACH_SLISTBASECOUNTED_ENTRY(FlowEdge*, edge, this->block->GetPredList())
+    {
+        this->blockBV.Set(edge->GetPred()->GetBlockNum());
+    } NEXT_SLISTBASECOUNTED_ENTRY;
+
+    return true;
+}
+
 BasicBlock *
 InvariantBlockBackwardIterator::Block() const
 {

lib/Backend/GlobOpt.h

@@ -364,13 +364,16 @@ class InvariantBlockBackwardIterator
     const ValueNumber invariantSymValueNumber;
     BasicBlock *block;
     Value *invariantSymValue;
+    BVSparse<JitArenaAllocator> blockBV;
+    bool followFlow;
 
 #if DBG
     BasicBlock *const inclusiveEndBlock;
 #endif
 
+    bool UpdatePredBlockBV();
 public:
-    InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber);
+    InvariantBlockBackwardIterator(GlobOpt *const globOpt, BasicBlock *const exclusiveBeginBlock, BasicBlock *const inclusiveEndBlock, StackSym *const invariantSym, const ValueNumber invariantSymValueNumber = InvalidValueNumber, bool followFlow = false);
 
 public:
     bool IsValid() const;

lib/Runtime/Base/ThreadContext.cpp

@@ -72,6 +72,7 @@ const Js::PropertyRecord * const ThreadContext::builtInPropertyRecords[] =
 };
 
 ThreadContext::RecyclableData::RecyclableData(Recycler *const recycler) :
+    pendingFinallyException(nullptr),
     soErrorObject(nullptr, nullptr, nullptr, true),
     oomErrorObject(nullptr, nullptr, nullptr, true),
     terminatedErrorObject(nullptr, nullptr, nullptr),
@@ -94,7 +95,6 @@ ThreadContext::ThreadContext(AllocationPolicyManager * allocationPolicyManager,
     isThreadBound(false),
     hasThrownPendingException(false),
     hasBailedOutBitPtr(nullptr),
-    pendingFinallyException(nullptr),
     noScriptScope(false),
     heapEnum(nullptr),
     threadContextFlags(ThreadContextFlagNoFlag),

lib/Runtime/Base/ThreadContext.h

@@ -441,8 +441,6 @@ class ThreadContext sealed :
 
 private:
     const Js::PropertyRecord * emptyStringPropertyRecord;
-
-    Js::JavascriptExceptionObject * pendingFinallyException;
     bool noScriptScope;
 
 #ifdef ENABLE_SCRIPT_DEBUGGING
@@ -557,6 +555,8 @@ class ThreadContext sealed :
         Field(Js::TempArenaAllocatorObject *) temporaryArenaAllocators[MaxTemporaryArenaAllocators];
         Field(Js::TempGuestArenaAllocatorObject *) temporaryGuestArenaAllocators[MaxTemporaryArenaAllocators];
 
+        Field(Js::JavascriptExceptionObject *) pendingFinallyException;
+
         Field(Js::JavascriptExceptionObject *) exceptionObject;
         Field(bool) propagateException;
 
@@ -1292,12 +1292,12 @@ class ThreadContext sealed :
 
     void SetPendingFinallyException(Js::JavascriptExceptionObject * exceptionObj)
     {
-        pendingFinallyException = exceptionObj;
+        recyclableData->pendingFinallyException = exceptionObj;
     }
 
     Js::JavascriptExceptionObject * GetPendingFinallyException()
     {
-        return pendingFinallyException;
+        return recyclableData->pendingFinallyException;
     }
 
     Js::EntryPointInfo ** RegisterEquivalentTypeCacheEntryPoint(Js::EntryPointInfo * entryPoint);