[CVE-2018-0777] JIT: Loop analysis bug - Google, Inc.

chakra-core · Jan 5, 2018 · 14c752b · 14c752b
1 parent ee5ac64
commit 14c752b
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 0 deletions.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -7072,6 +7072,18 @@ GlobOpt::OptConstFoldUnary(
             this->ToFloat64Dst(instr, dst->AsRegOpnd(), this->currentBlock);
         }
     }
+
+    // If this is an induction variable, then treat it the way the prepass would have if it had seen
+    // the assignment and the resulting change to the value number, and mark it as indeterminate.
+    for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)
+    {
+        InductionVariable *iv = nullptr;
+        if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))
+        {
+            iv->SetChangeIsIndeterminate();
+        }
+    }
+
     return true;
 }
 
@@ -12391,6 +12403,17 @@ GlobOpt::OptConstFoldBinary(
         this->ToInt32Dst(instr, dst->AsRegOpnd(), this->currentBlock);
     }
 
+    // If this is an induction variable, then treat it the way the prepass would have if it had seen
+    // the assignment and the resulting change to the value number, and mark it as indeterminate.
+    for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)
+    {
+        InductionVariable *iv = nullptr;
+        if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))
+        {
+            iv->SetChangeIsIndeterminate();
+        }
+    }
+
     return true;
 }
 

diff --git a/test/Optimizer/bug42111.js b/test/Optimizer/bug42111.js
@@ -0,0 +1,23 @@
+function opt(arr, start, end) {
+    for (let i = start; i < end; i++) {
+        if (i === 10) {
+            i += 0;
+        }
+        arr[i] = 2.3023e-320;
+    }
+}
+
+let arr = new Array(100);
+
+function main() {
+    arr.fill(1.1);
+
+    for (let i = 0; i < 1000; i++)
+        opt(arr, 0, 3);
+
+    opt(arr, 0, 100000);
+}
+
+main();
+
+WScript.Echo(arr[0] === 2.3023e-320 ? 'pass' : 'fail');
diff --git a/test/Optimizer/rlexe.xml b/test/Optimizer/rlexe.xml
@@ -10,6 +10,11 @@
       <files>bug41530.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug42111.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>bug70.js</files>