
17-05 ChakraCore servicing release #2959

Merged
merged 12 commits into chakra-core:release/1.4
May 12, 2017

Conversation

rajatd
Contributor

@rajatd rajatd commented May 11, 2017

aneeshdk and others added 10 commits May 10, 2017 09:31
…Step method invocation issue

While invoking the then and catch functions on the promise returned by
an async function, we were directly invoking those without checking.
Overriding those methods with a tagged int can cause wrong method execution.
…icit call if BailOutOnArrayAccessHelperCall is set, as that bailout kind indicates that downstream code will assume no side-effects.
Array length mutation introduced by copy-from-prototype
reentrancy can cause heap overflow in concat fast paths.
Fix by excluding copy-from-prototype cases from fast paths.
Adjust unit tests to avoid excessively long run time.
…nt state

Array segment allocation induces an OOM that leaves length > size, which can be
exploited.
Move code that updates segment size to after allocation;
Replace "length <= size" Assert with AssertOrFailFast in JavascriptArray and SparseSegment;
Add length vs. size check and FailFast throughout JavascriptArray and SparseSegment where
segment length or size are being updated.
Segments were getting reversed in the ReverseHelper call. This made the head segment, which is an inlined segment, become a next segment. If that segment becomes part of another array (say due to splice) and the original array goes away, then the inlined segment will also go away and we are potentially holding the freed memory.
Fixed that by detecting the inlined segment and converting it to a normal segment in the EntryReverse API.
Fix instances of non-blinded possibly large constants in the jit
Don't eliminate bounds checks on virtual typed arrays if we can't guarantee that the accesses will be within 4GB
Change the vtable of virtual typed arrays to regular typed arrays upon array buffer detach to prevent writes to detached buffer in the jitted code.
…assignment expression

We don't calculate the correct right paren location when a lambda contains an assignment expression whose rhs is wrapped in parens. Due to the incorrect offset, we overwrite the buffer allocated in ScriptFunction::EnsureSourceString when we try to toString the lambda.
…uctor parse node

If there is a multi-byte character in the source before a class declaration, the constructor function created for that class will have incorrect byte offset values. This leads us to truncate the source string buffer when we try to call toString on that class constructor function, and we accidentally print garbage.

Fix is to calculate the byte offsets correctly.
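As an added example (not code from the ChakraCore PR or its test files), the JavaScript below probes the language-level contracts behind three of the commits above: Function.prototype.toString of a lambda whose body is a parenthesised assignment, toString of a class declared after a multi-byte character, and stores through a typed-array view whose ArrayBuffer has been detached. The detach is triggered with WebAssembly.Memory.prototype.grow, which assumes a host with WebAssembly support (Node.js works); the source strings it parses are constructed here.

```javascript
// Added example; not part of the ChakraCore PR. Runs under Node.js (V8);
// any engine with WebAssembly support will do.

// 1. Lambda with a parenthesised assignment as its body: toString must
//    return the exact source text, including the closing paren.
function lambdaSourceRoundTrip() {
  const f = (x) => (x = 1);
  return f.toString();
}

// 2. Class declared after a multi-byte character. The source is built as a
//    string (constructed sample) so that the parser really sees the
//    non-ASCII code unit before the `class` keyword.
function classSourceAfterMultibyte() {
  const classSrc = "class Demo { m() { return 1; } }";
  const body = "const tag = '\u00e9'; " + classSrc + "; return Demo;";
  const Demo = new Function(body)();
  return { expected: classSrc, actual: Demo.toString() };
}

// 3. Stores through a typed array after its backing ArrayBuffer is detached
//    must be silent no-ops and the view must report length 0. A JIT that
//    hoisted the length check out of the loop below would keep writing into
//    memory the buffer no longer owns; the commit above guards against that
//    by changing the vtable of the virtual typed array on detach.
function detachedBufferProbe() {
  const mem = new WebAssembly.Memory({ initial: 1 }); // one 64 KiB page
  const buf = mem.buffer;
  const view = new Uint8Array(buf);

  // Hot store loop of the shape a JIT would compile with a hoisted bound.
  const store = (v, n) => {
    for (let i = 0; i < n; i++) v[i] = 0xff;
  };

  store(view, 8);
  const before = { length: view.length, byteLength: buf.byteLength, first: view[0] };

  mem.grow(1); // allocates a new buffer and detaches `buf`

  store(view, 8); // no observable effect on a detached view
  const after = { length: view.length, byteLength: buf.byteLength, first: view[0] };

  return { before, after };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(lambdaSourceRoundTrip());
  console.log(classSourceAfterMultibyte());
  console.log(detachedBufferProbe());
}
```

The toString probes are the shape of the regression tests the thread below refers to; the detach probe is the observable half of the typed-array commit, since the vtable change itself is only visible in jitted native code.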
@suwc

suwc commented May 11, 2017

:shipit:

@suwc

suwc commented May 11, 2017

LGTM in terms of 37688 and 37814.

<test>
<default>
<files>bugGH2656.js</files>
<compile-flags>-args summary</compile-flags>
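Review bot: the `-args summary` in `<compile-flags>` is not terminated by `-endargs`; this is the point raised in the comment below and confirmed by the author as what makes the test fail in CI, so the line should read `<compile-flags>-args summary -endargs</compile-flags>`.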
Contributor

Is -endargs needed?

Contributor Author

Yep. This test is actually failing the CI.
/cc @boingoing

@dilijev
Contributor

dilijev commented May 11, 2017

Re: fix for CVE-2017-0230
Fix LGTM
Tests LGTM (I confirm this also covers the case where Unicode characters appear in the source before the definition of the class, since there are many test cases in the file.)
/cc @boingoing

@dilijev
Contributor

dilijev commented May 11, 2017

Various CI problems in Jenkins and VSO.

Contributor

@pleath pleath left a comment

My stuff looks fine.

@rajatd
Contributor Author

rajatd commented May 11, 2017

@dotnet-bot test windows arm_release windows x64_release windows x86_release

@rajatd
Contributor Author

rajatd commented May 11, 2017

@dotnet-bot test Windows arm_release

@rajatd
Contributor Author

rajatd commented May 11, 2017

@dotnet-bot test Windows x64_release

@rajatd
Contributor Author

rajatd commented May 11, 2017

@dotnet-bot test Windows x86_release

@dilijev
Contributor

dilijev commented May 11, 2017

@rajatd There's a prefast warning there.

@dilijev
Contributor

dilijev commented May 11, 2017

@rajatd Note: you can re-run multiple builds from a single comment. Just added a section to the Wiki to explain: https://github.com/Microsoft/ChakraCore/wiki/Jenkins-Build-Triggers#re-run-multiple-individual-builds

@akroshg
Contributor

akroshg commented May 12, 2017

LGTM

Contributor

@boingoing boingoing left a comment

LGTM 👍

Thanks for fixing that unit test

@chakrabot chakrabot merged commit b3aeb30 into chakra-core:release/1.4 May 12, 2017
chakrabot pushed a commit that referenced this pull request May 12, 2017
chakrabot pushed a commit that referenced this pull request May 15, 2017
suwc pushed a commit to suwc/ChakraCore that referenced this pull request May 31, 2017
This bug was introduced by chakra-core#2959 (CVE-2017-0238).
Revert the move of the 'left' field update and add try..catch.
chakrabot pushed a commit that referenced this pull request Jun 1, 2017
…ent's 'left' field

Merge pull request #3074 from suwc:build/suwc/bugfix

This bug was introduced by #2959 (CVE-2017-0238). Revert the move of the 'left' field update and add try..catch.
chakrabot pushed a commit that referenced this pull request Jun 1, 2017
…f sparse segment's 'left' field

Merge pull request #3074 from suwc:build/suwc/bugfix

This bug was introduced by #2959 (CVE-2017-0238). Revert the move of the 'left' field update and add try..catch.
chakrabot added a commit to nodejs/node-chakracore that referenced this pull request Jun 1, 2017
…suwc] Fix problems caused by late update of sparse segment's 'left' field

Merge pull request #3074 from suwc:build/suwc/bugfix

This bug was introduced by chakra-core/ChakraCore#2959 (CVE-2017-0238). Revert the move of the 'left' field update and add try..catch.