[MERGE #6420 @boingoing] ChakraCore Servicing Update for 2020.04B
Merge pull request #6420 from boingoing:servicing_2004_b

ChakraCore Servicing Update for 2020.04B

Changes to address the following issues:

[CVE-2020-0970]
[CVE-2020-0969]
boingoing committed Apr 14, 2020
2 parents 9298227 + d75b21c commit 473286e
Showing 9 changed files with 65 additions and 20 deletions.
2 changes: 1 addition & 1 deletion Build/NuGet/.pack-version
@@ -1 +1 @@
1.11.17
1.11.18
2 changes: 1 addition & 1 deletion lib/Common/ChakraCoreVersion.h
Expand Up @@ -17,7 +17,7 @@
// ChakraCore version number definitions (used in ChakraCore binary metadata)
#define CHAKRA_CORE_MAJOR_VERSION 1
#define CHAKRA_CORE_MINOR_VERSION 11
#define CHAKRA_CORE_PATCH_VERSION 17
#define CHAKRA_CORE_PATCH_VERSION 18
#define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.

// -------------
52 changes: 37 additions & 15 deletions lib/Runtime/ByteCode/ByteCodeEmitter.cpp
Expand Up @@ -4262,21 +4262,33 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot
funcInfo->FindOrAddReferencedPropertyId(propertyId),
envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));

Js::RegSlot tmpReg = funcInfo->AcquireTmpRegister();

AssertOrFailFast(scope->GetIsObject());
this->m_writer.SlotI1(Js::OpCode::LdEnvObj, tmpReg,
envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));

Js::OpCode op = unwrapWithObj ? Js::OpCode::UnwrapWithObj : Js::OpCode::Ld_A;

this->m_writer.Reg2(op, instLocation, tmpReg);
if (thisLocation != Js::Constants::NoRegister)
if (unwrapWithObj)
{
this->m_writer.Reg2(op, thisLocation, tmpReg);
Js::RegSlot tmpReg = funcInfo->AcquireTmpRegister();

this->m_writer.SlotI1(Js::OpCode::LdEnvObj, tmpReg,
envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));

this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, instLocation, tmpReg);
if (thisLocation != Js::Constants::NoRegister)
{
this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, thisLocation, tmpReg);
}

funcInfo->ReleaseTmpRegister(tmpReg);
}
else
{
this->m_writer.SlotI1(Js::OpCode::LdEnvObj, instLocation,
envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var));

funcInfo->ReleaseTmpRegister(tmpReg);
if (thisLocation != Js::Constants::NoRegister)
{
this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister);
}
}
}
else if (scopeLocation != Js::Constants::NoRegister && scopeLocation == funcInfo->frameObjRegister)
{
Expand All @@ -4288,19 +4300,29 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot
this->m_writer.Reg1(Js::OpCode::LdLocalObj, instLocation);
if (thisLocation != Js::Constants::NoRegister)
{
this->m_writer.Reg1(Js::OpCode::LdLocalObj, thisLocation);
this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister);
}
}
else
{
this->m_writer.BrProperty(Js::OpCode::BrOnNoProperty, nextLabel, scopeLocation,
funcInfo->FindOrAddReferencedPropertyId(propertyId));

Js::OpCode op = unwrapWithObj ? Js::OpCode::UnwrapWithObj : Js::OpCode::Ld_A;
this->m_writer.Reg2(op, instLocation, scopeLocation);
if (thisLocation != Js::Constants::NoRegister)
if (unwrapWithObj)
{
this->m_writer.Reg2(op, thisLocation, scopeLocation);
this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, instLocation, scopeLocation);
if (thisLocation != Js::Constants::NoRegister)
{
this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, thisLocation, scopeLocation);
}
}
else
{
this->m_writer.Reg2(Js::OpCode::Ld_A, instLocation, scopeLocation);
if (thisLocation != Js::Constants::NoRegister)
{
this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister);
}
}
}

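Review bot: The rewritten branches (the LdEnvObj case in this hunk, and the LdLocalObj and BrOnNoProperty cases in the next one) load `funcInfo->undefinedConstantRegister` into `thisLocation` whenever `unwrapWithObj` is false, but nothing in the code states why a scope object that is not a with-object no longer doubles as the callee's `this`; a comment at the first `else` would carry that, e.g. `// Only a with-object scope supplies a 'this' value for the call; any other scope object is not exposed to the callee as 'this', so pass undefined.` The expression `envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var)` is now spelled out three times in this hunk and could be hoisted into one local before the `if (unwrapWithObj)`. EmitLoadInstance starts and ends outside the hunk.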
3 changes: 1 addition & 2 deletions lib/Runtime/Language/JavascriptOperators.cpp
Expand Up @@ -2072,8 +2072,7 @@ using namespace Js;
// HasProperty will call UnscopablesWrapperObject's HasProperty which will do the filtering
// All we have to do here is unwrap the object hence the api call

*thisVar = obj->GetThisObjectOrUnWrap();
return *thisVar;
return obj->GetThisAndUnwrappedInstance(thisVar);
}
}

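Review bot: The comment left above the new call (`// All we have to do here is unwrap the object hence the api call`) is now stale: `GetThisAndUnwrappedInstance` does more than unwrap — for an UnscopablesWrapperObject it stores the wrapped object into `*thisVar`, while for any other object the base implementation added in this commit stores undefined and returns the object itself. Suggest rewording it to `// Unwrap the object and pick the call's 'this' in one step: a wrapper yields its wrapped object as 'this', any other object yields undefined`. The enclosing function starts and ends outside the hunk.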
10 changes: 10 additions & 0 deletions lib/Runtime/Types/PathTypeHandler.cpp
Expand Up @@ -2013,6 +2013,16 @@ namespace Js
{
newSetters = this->UpdateSetterSlots(recycler, oldSetters, oldPathSize, newTypePath->GetPathSize());
}

#if ENABLE_FIXED_FIELDS
#ifdef SUPPORT_FIXED_FIELDS_ON_PATH_TYPES
if (PathTypeHandlerBase::FixPropsOnPathTypes())
{
Assert(this->HasSingletonInstanceOnlyIfNeeded());
this->GetTypePath()->ClearSingletonInstanceIfSame(instance);
}
#endif
#endif
}
else if (growing)
{
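Review bot: The added `ClearSingletonInstanceIfSame(instance)` block carries no comment saying why the current type path's singleton must be dropped at this point, and the `Assert(this->HasSingletonInstanceOnlyIfNeeded())` in front of it names an invariant without explaining it. Presumably the instance is being moved onto `newTypePath` (referenced on the line above the block) and must not stay registered as the singleton of the path it leaves; if that is the intent, a comment such as `// instance is moving to newTypePath; make sure it is not left registered as this path's singleton` would make it checkable — confirm against ClearSingletonInstanceIfSame. The enclosing function starts and ends outside the hunk.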
6 changes: 6 additions & 0 deletions lib/Runtime/Types/RecyclableObject.cpp
Expand Up @@ -331,6 +331,12 @@ namespace Js
return this;
}

RecyclableObject* RecyclableObject::GetThisAndUnwrappedInstance(Var* thisVar) const
{
*thisVar = this->GetLibrary()->GetUndefined();
return (RecyclableObject*)this;
}

// In order to avoid a branch, every object has an entry point if it gets called like a
// function - however, if it can't be called like a function, it's set to DefaultEntryPoint
// which will emit an error.
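Review bot: `return (RecyclableObject*)this;` in the new `GetThisAndUnwrappedInstance` is a C-style cast whose only effect is to strip `const` from `this`; spell it as `return const_cast<RecyclableObject*>(this);` so the intent is explicit and the cast is greppable. The surrounding file otherwise returns `this` from non-const members (see the `return this;` just above), so a reader will wonder whether the const on the new method is deliberate; the const_cast makes that visible.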
1 change: 1 addition & 0 deletions lib/Runtime/Types/RecyclableObject.h
Expand Up @@ -353,6 +353,7 @@ namespace Js {
virtual uint GetSpecialPropertyCount() const { return 0; }
virtual PropertyId const * GetSpecialPropertyIds() const { return nullptr; }
virtual RecyclableObject* GetThisObjectOrUnWrap(); // Due to the withScope object there are times we need to unwrap
virtual RecyclableObject* GetThisAndUnwrappedInstance(Var* thisVar) const;

virtual BOOL HasInstance(Var instance, ScriptContext* scriptContext, IsInstInlineCache* inlineCache = NULL);

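Review bot: The new `GetThisAndUnwrappedInstance` declaration has no comment, unlike `GetThisObjectOrUnWrap` on the line above it, and its contract is not obvious from the name: the base implementation in this commit stores undefined into `*thisVar` and returns the object itself, while the UnscopablesWrapperObject override stores and returns the wrapped object. Suggest a trailing comment in the style of the neighbouring line: `// Unwraps a with-scope wrapper and selects the 'this' value for a call made through this scope object: a wrapper yields its wrapped object, anything else yields undefined; returns the unwrapped instance`. The enclosing class runs outside the hunk.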
6 changes: 6 additions & 0 deletions lib/Runtime/Types/UnscopablesWrapperObject.cpp
Expand Up @@ -23,6 +23,12 @@ namespace Js
return static_cast<UnscopablesWrapperObject*>(aValue);
}

RecyclableObject * UnscopablesWrapperObject::GetThisAndUnwrappedInstance(Var* thisVar) const
{
*thisVar = this->GetWrappedObject();
return this->GetWrappedObject();
}

PropertyQueryFlags UnscopablesWrapperObject::HasPropertyQuery(PropertyId propertyId, _Inout_opt_ PropertyValueInfo* info)
{
return JavascriptConversion::BooleanToPropertyQueryFlags(JavascriptOperators::HasPropertyUnscopables(wrappedObject, propertyId));
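Review bot: The override calls `GetWrappedObject()` twice to produce the same pointer; binding it once reads better and makes it obvious that `*thisVar` and the return value are the same object: `RecyclableObject* wrapped = this->GetWrappedObject(); *thisVar = wrapped; return wrapped;`. The definition's `RecyclableObject * UnscopablesWrapperObject::` spacing also differs from the `RecyclableObject*` form used for the same method in the header and in RecyclableObject.cpp.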
3 changes: 2 additions & 1 deletion lib/Runtime/Types/UnscopablesWrapperObject.h
Expand Up @@ -28,7 +28,8 @@ namespace Js
static bool Is(Var aValue);
static UnscopablesWrapperObject* FromVar(Var value);
static UnscopablesWrapperObject* UnsafeFromVar(Var value);
RecyclableObject *GetWrappedObject() { return wrappedObject; }
RecyclableObject *GetWrappedObject() const { return wrappedObject; }
virtual RecyclableObject* GetThisAndUnwrappedInstance(Var* thisVar) const override;
virtual PropertyQueryFlags HasPropertyQuery(PropertyId propertyId, _Inout_opt_ PropertyValueInfo* info) override;
virtual BOOL HasOwnProperty(PropertyId propertyId) override;
virtual BOOL SetProperty(PropertyId propertyId, Var value, PropertyOperationFlags flags, PropertyValueInfo* info) override;
