
17-10 Security Update that addresses the following issues in ChakraCore #3917

Merged: 17 commits, Oct 10, 2017

Commits on Oct 10, 2017

  1. [CVE-2017-11802] Chakra - JIT RegexHelper::StringReplace must call the callback function with updating ImplicitCallFlags.

    JIT inlines string.prototype.replace for the case a.replace(b,c) if 'a' and 'c' are strings and 'b' is a regex, and calls the helper for other cases. If c is a function, RegexHelper::StringReplace will call c; this should be marked as an implicit call so that the JIT can bail out on the implicit call check.
    agarwal-sandeep committed Oct 10, 2017
    b7dcda0
  2. [CVE-2017-11799] Edge - Chakra: JIT: Incorrect GenerateBailOut calling patterns.

    Due to a bug in super property access we were reaching the code path where we had src2 on the instruction but didn't free it before generating bailout. After the fix for issue chakra-core#3423/chakra-core#3064 went in 2b9da66 the bug no longer repros, but for previous branches I am putting in a conservative fix to always free src2 if we have it and don't have src1. For RS4 we have a WI to add asserts to better track the number of sources on an instruction and add checks.
    agarwal-sandeep committed Oct 10, 2017
    2e2270c
  3. [CVE-2017-11809] Edge - Chakra: Accesses to uninitialized pointers in StackScriptFunction::BoxState::Box.

    If closure init is not done in INTERPRETERLOOPNAME due to PROBE_STACK failing, we can't access the frameDisplay scopes and the ScopeSlots slotArray. When setting frameDisplay and ScopeSlots during initialization, start with a length of 0 so that even if they are uninitialized no one can use the uninitialized array.
    agarwal-sandeep committed Oct 10, 2017
    e2b35ab
  4. 6eba63d
  5. d79926b
  6. f08408b
  7. [CVE-2017-11812] Asm.js: Check if the heap is detached after coercing the return value of a foreign import call.
    Cellule authored and agarwal-sandeep committed Oct 10, 2017
    8069020
  8. [CVE-2017-11807] Prevent redeferral of functions for which we are generating byte code.

    The FuncInfo holds a reference to the FunctionBody, and redeferral will clean up the FunctionBody and any entry points that have been created for it, as well as pointing the FunctionInfo to a new proxy. Restore the (re-)deferral attribute on candidate functions when the ByteCodeGenerator instance is being destroyed. Also make sure that disabling the CanDefer attribute doesn't prevent generation of scope info we will need if we redefer later.
    pleath authored and agarwal-sandeep committed Oct 10, 2017
    1330a77
  9. [CVE-2017-11805] Disable (re)deferral of the called function in the CrossSite thunk.

    Allocation happens when the thunk marshals cross-site arguments, and this can result in redeferral, which can cause us to try to jit and/or execute a collected entry point.
    pleath authored and agarwal-sandeep committed Oct 10, 2017
    a9ea5c9
  10. [CVE-2017-11811] Disable switch jump table opt if aggressive int type spec is disabled.

    We are not able to handle a non-int-type-specialized index operand on a switch table branch (today, it will cause us to read the wrong jump target and possibly read past the end of the jump table). Another option is to force type specialization of the index operand, but this seems not worth the risk as a servicing fix.
    pleath authored and agarwal-sandeep committed Oct 10, 2017
    775ed51
  11. [CVE-2017-11792] Partially initialized data in chakra JIT leads to OOB read/write in RPC - Internal
    MikeHolman authored and agarwal-sandeep committed Oct 10, 2017
    4e319aa
  12. [CVE-2017-11797] Invalid memory read of out params on a bailout when array destructuring is used as call arg

    Destructuring will create try/catch/finally bytecode when emitting. This pattern can appear as an arg to the call node. We were emitting ArgOuts as we emitted each parameter, so it is possible that we have try/catch/finally in between ArgOuts. The Finally optimization did not like the fact that ArgOuts are separated. In order to fix this we use temps to store those ArgOuts temporarily, and later those temps will be emitted as ArgOuts. Since we are emitting lots of temps, this change is done only when we determine that the args contain destructuring (we took the parser's help for that).
    akroshg authored and agarwal-sandeep committed Oct 10, 2017
    9a3ad7c
  13. [CVE-2017-11821] Do not pass NewTarget flag on proxy function call trap if not needed

    Currently we always pass the NewTarget flag to the function when it is called through a Proxy's function call trap. This is not necessary if the call is not a constructor call.
    aneeshdk authored and agarwal-sandeep committed Oct 10, 2017
    2a07ca6
  14. [CVE-2017-11801] Out of bound read on deferred stub - Individual

    Disabling the creation of deferred stubs. For precise capturing we can't get the information about symbol capturing for functions in deferred stubs with the current design. We will have to rethink the right design for this feature.
    aneeshdk authored and agarwal-sandeep committed Oct 10, 2017
    7b936e2
  15. 436c5c2
  16. d7e9d0d
  17. a2e1959