CVE-2018-8629 OOB bug in Edge WIP
rajatd authored and akroshg committed Dec 10, 2018
1 parent 5db4218 commit 69a259c
Showing 4 changed files with 19 additions and 6 deletions.
8 changes: 7 additions & 1 deletion lib/Backend/FlowGraph.cpp
Expand Up @@ -5266,7 +5266,7 @@ BasicBlock::MergePredBlocksValueMaps(GlobOpt* globOpt)
}
if(symsRequiringCompensationToMergedValueInfoMap.Count() != 0)
{
globOpt->InsertValueCompensation(pred, symsRequiringCompensationToMergedValueInfoMap);
globOpt->InsertValueCompensation(pred, &symsRequiringCompensationToMergedValueInfoMap);
}
}
} NEXT_PREDECESSOR_EDGE_EDITING;
Expand Down Expand Up @@ -5325,6 +5325,12 @@ BasicBlock::MergePredBlocksValueMaps(GlobOpt* globOpt)
loop->liveFieldsOnEntry = JitAnew(globOpt->alloc, BVSparse<JitArenaAllocator>, globOpt->alloc);
loop->liveFieldsOnEntry->Copy(this->globOptData.liveFields);

if (symsRequiringCompensationToMergedValueInfoMap.Count() != 0)
{
loop->symsRequiringCompensationToMergedValueInfoMap = JitAnew(globOpt->alloc, SymToValueInfoMap, globOpt->alloc);
loop->symsRequiringCompensationToMergedValueInfoMap->Copy(&symsRequiringCompensationToMergedValueInfoMap);
}

if(globOpt->DoBoundCheckHoist() && loop->inductionVariables)
{
globOpt->FinalizeInductionVariables(loop, &blockData);
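Review bot: The new `if (symsRequiringCompensationToMergedValueInfoMap.Count() != 0)` block stores a copy into `loop->symsRequiringCompensationToMergedValueInfoMap` but never clears the field when the count is zero, so if this merge can run more than once for the same loop header a map from an earlier run would survive a later run that found nothing to compensate, and OptBlock would then insert compensation from stale value infos on the back edge. Resetting the field before the check keeps it tied to the current merge only: `loop->symsRequiringCompensationToMergedValueInfoMap = nullptr;` immediately before the `if`, consistent with `liveFieldsOnEntry` just above, which is re-allocated unconditionally on every pass through this branch. Whether this path can actually re-run for one loop is not visible here; if it cannot, a comment saying so at the allocation would save the next reader the same question. MergePredBlocksValueMaps begins before the first hunk and continues after this one.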
4 changes: 3 additions & 1 deletion lib/Backend/FlowGraph.h
Expand Up @@ -575,6 +575,7 @@ class Loop
BVSparse<JitArenaAllocator> *lossyInt32SymsOnEntry; // see GlobOptData::liveLossyInt32Syms
BVSparse<JitArenaAllocator> *float64SymsOnEntry;
BVSparse<JitArenaAllocator> *liveFieldsOnEntry;
SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap;

BVSparse<JitArenaAllocator> *symsUsedBeforeDefined; // stack syms that are live in the landing pad, and used before they are defined in the loop
BVSparse<JitArenaAllocator> *likelyIntSymsUsedBeforeDefined; // stack syms that are live in the landing pad with a likely-int value, and used before they are defined in the loop
Expand Down Expand Up @@ -742,7 +743,8 @@ class Loop
allFieldsKilled(false),
isLeaf(true),
isProcessed(false),
initialValueFieldMap(alloc)
initialValueFieldMap(alloc),
symsRequiringCompensationToMergedValueInfoMap(nullptr)
{
this->loopNumber = ++func->loopCount;
}
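Review bot: The new member `symsRequiringCompensationToMergedValueInfoMap` is the only field in this group without a trailing comment, and its name does not say who fills it or when it is null. Suggest `// value infos merged at the loop header that still need compensation on the back edge; set by BasicBlock::MergePredBlocksValueMaps, consumed in GlobOpt::OptBlock; nullptr when there are none`, in the style of the comments on `lossyInt32SymsOnEntry` and `symsUsedBeforeDefined`. The `nullptr` initializer added to the constructor is what the consumer's null test depends on, so stating that contract at the declaration is worth the line. Both hunks cut through the body of `class Loop`, whose definition extends beyond this section.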
11 changes: 8 additions & 3 deletions lib/Backend/GlobOpt.cpp
Expand Up @@ -599,6 +599,11 @@ GlobOpt::OptBlock(BasicBlock *block)
this->tempBv->And(liveOnBackEdge);
this->ToFloat64(this->tempBv, block->loop->landingPad);

if (block->loop->symsRequiringCompensationToMergedValueInfoMap)
{
InsertValueCompensation(block, block->loop->symsRequiringCompensationToMergedValueInfoMap);
}

// Now that we're done with the liveFields within this loop, trim the set to those syms
// that the backward pass told us were live out of the loop.
// This assumes we have no further need of the liveFields within the loop.
Expand Down Expand Up @@ -1151,10 +1156,10 @@ void GlobOpt::FieldPRE(Loop *loop)

void GlobOpt::InsertValueCompensation(
BasicBlock *const predecessor,
const SymToValueInfoMap &symsRequiringCompensationToMergedValueInfoMap)
const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap)
{
Assert(predecessor);
Assert(symsRequiringCompensationToMergedValueInfoMap.Count() != 0);
Assert(symsRequiringCompensationToMergedValueInfoMap->Count() != 0);

IR::Instr *insertBeforeInstr = predecessor->GetLastInstr();
Func *const func = insertBeforeInstr->m_func;
Expand Down Expand Up @@ -1193,7 +1198,7 @@ void GlobOpt::InsertValueCompensation(
}
};
JsUtil::List<DelayChangeValueInfo, ArenaAllocator> delayChangeValueInfo(alloc);
for(auto it = symsRequiringCompensationToMergedValueInfoMap.GetIterator(); it.IsValid(); it.MoveNext())
for(auto it = symsRequiringCompensationToMergedValueInfoMap->GetIterator(); it.IsValid(); it.MoveNext())
{
const auto &entry = it.Current();
Sym *const sym = entry.Key();
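Review bot: `InsertValueCompensation` now takes a pointer but dereferences it in `Assert(symsRequiringCompensationToMergedValueInfoMap->Count() != 0)` without first asserting it is non-null, so a null argument would surface as a crash inside `Count()` rather than as a failed precondition; add `Assert(symsRequiringCompensationToMergedValueInfoMap);` next to `Assert(predecessor);`. The new call in OptBlock tests only that the loop's map is non-null and relies on it never having been stored empty, an invariant established where the map is copied in MergePredBlocksValueMaps rather than here; a one-line comment at that call, `// non-null implies Count() != 0: the map is only stored when non-empty`, records why the assertion holds. The enclosing condition of the OptBlock hunk is outside this section, so whether the path is already restricted to the non-prepass run, as the `ToFloat64` hoisting above it suggests, cannot be confirmed from here. The body of `InsertValueCompensation` continues past the last hunk.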
2 changes: 1 addition & 1 deletion lib/Backend/GlobOpt.h
Expand Up @@ -737,7 +737,7 @@ class GlobOpt
void PreLowerCanonicalize(IR::Instr *instr, Value **pSrc1Val, Value **pSrc2Val);
void ProcessKills(IR::Instr *instr);
void InsertCloneStrs(BasicBlock *toBlock, GlobOptBlockData *toData, GlobOptBlockData *fromData);
void InsertValueCompensation(BasicBlock *const predecessor, const SymToValueInfoMap &symsRequiringCompensationToMergedValueInfoMap);
void InsertValueCompensation(BasicBlock *const predecessor, const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap);
IR::Instr * ToVarUses(IR::Instr *instr, IR::Opnd *opnd, bool isDst, Value *val);
void ToVar(BVSparse<JitArenaAllocator> *bv, BasicBlock *block);
IR::Instr * ToVar(IR::Instr *instr, IR::RegOpnd *regOpnd, BasicBlock *block, Value *val, bool needsUpdate);
