From 234730468ea619e4a0ef91615bab35c1eb50d059 Mon Sep 17 00:00:00 2001
From: chakrabot
Date: Mon, 24 Jul 2017 14:23:01 -0700
Subject: [PATCH] [Merge Microsoft/Chakracore@e76b30e5ca] [1.6>1.7] [MERGE #3389 @sigatrev] OS#12528802 fix crash accessing FuncObjectOpnd when function object is inlined
Merge pull request #3389 from sigatrev:NewScopeObject
---
 deps/chakrashim/core/lib/Backend/Lower.cpp | 2 +-
 .../Runtime/Language/JavascriptOperators.cpp | 4 ++--
 .../Runtime/Language/JavascriptOperators.h | 2 +-
 .../core/test/inlining/bug12528802.js | 24 +++++++++++++++++++
 deps/chakrashim/core/test/inlining/rlexe.xml | 5 ++++
 5 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 deps/chakrashim/core/test/inlining/bug12528802.js
diff --git a/deps/chakrashim/core/lib/Backend/Lower.cpp b/deps/chakrashim/core/lib/Backend/Lower.cpp
index 396d76b75cd..3ab3e5a4941 100644
--- a/deps/chakrashim/core/lib/Backend/Lower.cpp
+++ b/deps/chakrashim/core/lib/Backend/Lower.cpp
@@ -306,7 +306,7 @@ Lowerer::LowerRange(IR::Instr *instrStart, IR::Instr *instrEnd, bool defaultDoFa
 this->m_lowererMD.LoadHelperArgument(instr, IR::IntConstOpnd::New(currFunc->GetHasNonSimpleParams() ? TRUE : FALSE, TyUint8, currFunc));
 // s2 = current function.
- IR::Opnd * paramOpnd = GetFuncObjectOpnd(instr);
+ IR::Opnd * paramOpnd = LoadFunctionBodyOpnd(instr);
 this->m_lowererMD.LoadHelperArgument(instr, paramOpnd);
 m_lowererMD.ChangeToHelperCallMem(instr, IR::HelperOP_NewScopeObjectWithFormals);
diff --git a/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.cpp b/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.cpp
index 92b8c99c577..5cde27228f0 100644
--- a/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.cpp
+++ b/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.cpp
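Review bot: The context comment `// s2 = current function.` directly above the changed line now mislabels the argument, because `LoadFunctionBodyOpnd(instr)` passes the function body rather than the function object; change it to `// s2 = current function body (not the function object, which is unavailable when this function is inlined).`. Whether `LoadFunctionBodyOpnd` resolves to the inlinee's body when `instr` belongs to an inlined callee is the premise of the fix and is not visible in this hunk; a one-line note at the call site saying so would spare the next reader the question. The enclosing `Lowerer::LowerRange` starts and ends outside the hunk.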
@@ -7002,7 +7002,7 @@ namespace Js
 return scriptContext->GetLibrary()->CreateActivationObject();
 }
- Var JavascriptOperators::OP_NewScopeObjectWithFormals(ScriptContext* scriptContext, JavascriptFunction * funcCallee, bool nonSimpleParamList)
+ Var JavascriptOperators::OP_NewScopeObjectWithFormals(ScriptContext* scriptContext, FunctionBody * calleeBody, bool nonSimpleParamList)
 {
 Js::ActivationObject * frameObject = (ActivationObject*)OP_NewScopeObject(scriptContext);
 // No fixed fields for formal parameters of the arguments object. Also, mark all fields as initialized up-front, because
@@ -7010,7 +7010,7 @@ namespace Js
 // CONSIDER : When we delay type sharing until the second instance is created, pass an argument indicating we want the types
 // and handlers created here to be marked as shared up-front. This is to ensure we don't get any fixed fields and that the handler
 // is ready for storing values directly to slots.
- DynamicType* newType = PathTypeHandlerBase::CreateNewScopeObject(scriptContext, frameObject->GetDynamicType(), funcCallee->GetFunctionBody()->GetFormalsPropIdArray(), nonSimpleParamList ? PropertyLetDefaults : PropertyNone);
+ DynamicType* newType = PathTypeHandlerBase::CreateNewScopeObject(scriptContext, frameObject->GetDynamicType(), calleeBody->GetFormalsPropIdArray(), nonSimpleParamList ? PropertyLetDefaults : PropertyNone);
 int oldSlotCapacity = frameObject->GetDynamicType()->GetTypeHandler()->GetSlotCapacity();
 int newSlotCapacity = newType->GetTypeHandler()->GetSlotCapacity();
diff --git a/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.h b/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.h
index ca48d9156af..62d206cc522 100644
--- a/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.h
+++ b/deps/chakrashim/core/lib/Runtime/Language/JavascriptOperators.h
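Review bot: `calleeBody->GetFormalsPropIdArray()` on the new line dereferences the raw `FunctionBody *` parameter with no guard, and that pointer now arrives as an operand the lowerer materialises rather than being read from a live function object; an entry-point check such as `Assert(calleeBody != nullptr);` (in whatever assertion form this file uses) would turn a mis-lowered operand into an immediate failure instead of a null dereference inside `CreateNewScopeObject`. The removed line dereferenced `funcCallee` just as unconditionally, so this is not a regression, only a cheap safeguard worth adding with the change. The body of `OP_NewScopeObjectWithFormals` continues outside the hunk.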
@@ -453,7 +453,7 @@ namespace Js
 static void OP_InvalidateCachedScope(Var varEnv, int32 envIndex);
 static void OP_InitCachedFuncs(Var varScope, FrameDisplay *pDisplay, const FuncInfoArray *info, ScriptContext *scriptContext);
 static Var OP_NewScopeObject(ScriptContext* scriptContext);
- static Var OP_NewScopeObjectWithFormals(ScriptContext* scriptContext, JavascriptFunction * funcCallee, bool nonSimpleParamList);
+ static Var OP_NewScopeObjectWithFormals(ScriptContext* scriptContext, FunctionBody * calleeBody, bool nonSimpleParamList);
 static Field(Var)* OP_NewScopeSlots(unsigned int count, ScriptContext *scriptContext, Var scope);
 static Field(Var)* OP_NewScopeSlotsWithoutPropIds(unsigned int count, int index, ScriptContext *scriptContext, FunctionBody *functionBody);
 static Field(Var)* OP_CloneScopeSlots(Field(Var) *scopeSlots, ScriptContext *scriptContext);
diff --git a/deps/chakrashim/core/test/inlining/bug12528802.js b/deps/chakrashim/core/test/inlining/bug12528802.js
new file mode 100644
index 00000000000..979e6c02024
--- /dev/null
+++ b/deps/chakrashim/core/test/inlining/bug12528802.js
@@ -0,0 +1,24 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var obj = { foo : function() {} };
+
+function bar(arg)
+{
+ obj.foo.apply(obj, arguments);
+ let local;
+ let baz = function() { local; };
+}
+
+function test()
+{
+ bar();
+}
+
+test();
+test();
+test();
+
+WScript.Echo("PASSED");
diff --git a/deps/chakrashim/core/test/inlining/rlexe.xml b/deps/chakrashim/core/test/inlining/rlexe.xml
index 925587fd6c6..e7d69443eef 100644
--- a/deps/chakrashim/core/test/inlining/rlexe.xml
+++ b/deps/chakrashim/core/test/inlining/rlexe.xml
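Review bot: The re-declared `OP_NewScopeObjectWithFormals` carries no comment explaining why it now takes the callee's `FunctionBody *` instead of its function object, and the reason exists only in the commit title; record it on the declaration so the signature is not "fixed" back: `// Takes the callee's FunctionBody rather than its function object: the JIT emits this helper for inlined callees, whose function object is not available at the call site.`. The `calleeBody` name matches the definition in JavascriptOperators.cpp, which keeps the two in step. The enclosing class declaration extends beyond the hunk.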
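Review bot: The new test has no comment stating what it reproduces, so a reader cannot tell which parts are load-bearing: `obj.foo.apply(obj, arguments)` (which makes `bar` need `arguments`, presumably the path that emits `OP_NewScopeObjectWithFormals`), the closure `baz` capturing `local`, and the three `test()` calls that let `bar` be inlined into `test` under the JIT. A header comment such as `// OS#12528802: lowering OP_NewScopeObjectWithFormals for an inlined callee crashed while loading the callee's function object; bar() must be inlined into test() and need a scope object for its formals.` would make that explicit. The rlexe.xml entry appears to register the file without compile flags, so reaching the JIT within three calls presumably relies on the harness's default variant flags; a note on that would help whoever tunes thresholds later. Passing only by not crashing is appropriate for a crash repro.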
@@ -284,4 +284,9 @@ bug11265991.js + + + bug12528802.js + +