[CVE-2017-11874] [ChakraCore]: CFG bypass due to a bug in ServerFreeAllocation - Google, Inc.

MikeHolman · leirocks · commit 5a4e6559e5ee · 2017-11-14T15:10:03.000-08:00
diff --git a/lib/Backend/CodeGenAllocators.cpp b/lib/Backend/CodeGenAllocators.cpp
@@ -5,10 +5,10 @@
 #include "Backend.h"
 
 template<typename TAlloc, typename TPreReservedAlloc>
-CodeGenAllocators<TAlloc, TPreReservedAlloc>::CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle)
+CodeGenAllocators<TAlloc, TPreReservedAlloc>::CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, ThreadContextInfo * threadContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle)
 : pageAllocator(policyManager, Js::Configuration::Global.flags, PageAllocatorType_BGJIT, 0)
 , allocator(_u("NativeCode"), &pageAllocator, Js::Throw::OutOfMemory)
-, emitBufferManager(&allocator, codePageAllocators, scriptContext, _u("JIT code buffer"), processHandle)
+, emitBufferManager(&allocator, codePageAllocators, scriptContext, threadContext, _u("JIT code buffer"), processHandle)
 #if !_M_X64_OR_ARM64 && _CONTROL_FLOW_GUARD
 , canCreatePreReservedSegment(false)
 #endif
diff --git a/lib/Backend/CodeGenAllocators.h b/lib/Backend/CodeGenAllocators.h
@@ -17,7 +17,7 @@ class CodeGenAllocators
     bool canCreatePreReservedSegment;
 #endif
 
-    CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle);
+    CodeGenAllocators(AllocationPolicyManager * policyManager, Js::ScriptContext * scriptContext, ThreadContextInfo * threadContext, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, HANDLE processHandle);
     ~CodeGenAllocators();
 
 #if DBG
diff --git a/lib/Backend/CodeGenWorkItem.cpp b/lib/Backend/CodeGenWorkItem.cpp
@@ -205,7 +205,7 @@ void CodeGenWorkItem::OnWorkItemProcessFail(NativeCodeGenerator* codeGen)
 #if DBG
         this->allocation->allocation->isNotExecutableBecauseOOM = true;
 #endif
-        codeGen->FreeNativeCodeGenAllocation(this->allocation->allocation->address, nullptr);
+        codeGen->FreeNativeCodeGenAllocation(this->allocation->allocation->address);
     }
 }
 
diff --git a/lib/Backend/EmitBuffer.cpp b/lib/Backend/EmitBuffer.cpp
@@ -10,11 +10,12 @@
 //----------------------------------------------------------------------------
 template <typename TAlloc, typename TPreReservedAlloc, typename SyncObject>
 EmitBufferManager<TAlloc, TPreReservedAlloc, SyncObject>::EmitBufferManager(ArenaAllocator * allocator, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators,
-    Js::ScriptContext * scriptContext, LPCWSTR name, HANDLE processHandle) :
+    Js::ScriptContext * scriptContext, ThreadContextInfo * threadContext, LPCWSTR name, HANDLE processHandle) :
     allocationHeap(allocator, codePageAllocators, processHandle),
     allocator(allocator),
     allocations(nullptr),
     scriptContext(scriptContext),
+    threadContext(threadContext),
     processHandle(processHandle)
 {
 #if DBG_DUMP
@@ -193,12 +194,14 @@ bool
 EmitBufferManager<TAlloc, TPreReservedAlloc, SyncObject>::FreeAllocation(void* address)
 {
     AutoRealOrFakeCriticalSection<SyncObject> autoCs(&this->criticalSection);
-
+#if _M_ARM
+    address = (void*)((uintptr_t)address & ~0x1); // clear the thumb bit
+#endif
     TEmitBufferAllocation* previous = nullptr;
     TEmitBufferAllocation* allocation = allocations;
     while(allocation != nullptr)
     {
-        if (address >= allocation->allocation->address && address < (allocation->allocation->address + allocation->bytesUsed))
+        if (address == allocation->allocation->address)
         {
             if (previous == nullptr)
             {
@@ -214,6 +217,26 @@ EmitBufferManager<TAlloc, TPreReservedAlloc, SyncObject>::FreeAllocation(void* a
                 this->scriptContext->GetThreadContext()->SubCodeSize(allocation->bytesCommitted);
             }
 
+#if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 || _M_X64)
+            if (allocation->allocation->thunkAddress)
+            {
+                if (JITManager::GetJITManager()->IsJITServer())
+                {
+                    ((ServerThreadContext*)this->threadContext)->GetJITThunkEmitter()->FreeThunk(allocation->allocation->thunkAddress);
+                }
+                else
+                {
+                    ((ThreadContext*)this->threadContext)->GetJITThunkEmitter()->FreeThunk(allocation->allocation->thunkAddress);
+                }
+            }
+            else
+#endif
+            {
+                if (!JITManager::GetJITManager()->IsJITServer() || CONFIG_FLAG(OOPCFGRegistration))
+                {
+                    threadContext->SetValidCallTargetForCFG(address, false);
+                }
+            }
             VerboseHeapTrace(_u("Freeing 0x%p, allocation: 0x%p\n"), address, allocation->allocation->address);
 
             this->allocationHeap.Free(allocation->allocation);
diff --git a/lib/Backend/EmitBuffer.h b/lib/Backend/EmitBuffer.h
@@ -34,7 +34,7 @@ class EmitBufferManager
 {
     typedef EmitBufferAllocation<TAlloc, TPreReservedAlloc> TEmitBufferAllocation;
 public:
-    EmitBufferManager(ArenaAllocator * allocator, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, Js::ScriptContext * scriptContext, LPCWSTR name, HANDLE processHandle);
+    EmitBufferManager(ArenaAllocator * allocator, CustomHeap::CodePageAllocators<TAlloc, TPreReservedAlloc> * codePageAllocators, Js::ScriptContext * scriptContext, ThreadContextInfo * threadContext, LPCWSTR name, HANDLE processHandle);
     ~EmitBufferManager();
 
     // All the following methods are guarded with the SyncObject
@@ -75,6 +75,7 @@ class EmitBufferManager
 #endif
     ArenaAllocator * allocator;
     Js::ScriptContext * scriptContext;
+    ThreadContextInfo * threadContext;
 
     TEmitBufferAllocation * NewAllocation(DECLSPEC_GUARD_OVERFLOW size_t bytes, ushort pdataCount, ushort xdataSize, bool canAllocInPreReservedHeapPageSegment, bool isAnyJittedCode);
     TEmitBufferAllocation* GetBuffer(TEmitBufferAllocation *allocation, DECLSPEC_GUARD_OVERFLOW __in size_t bytes, __deref_bcount(bytes) BYTE** ppBuffer);
diff --git a/lib/Backend/InterpreterThunkEmitter.cpp b/lib/Backend/InterpreterThunkEmitter.cpp
@@ -242,7 +242,7 @@ const BYTE InterpreterThunkEmitter::HeaderSize()
 }
 
 InterpreterThunkEmitter::InterpreterThunkEmitter(Js::ScriptContext* context, ArenaAllocator* allocator, CustomHeap::InProcCodePageAllocators * codePageAllocators, bool isAsmInterpreterThunk) :
-    emitBufferManager(allocator, codePageAllocators, /*scriptContext*/ nullptr, _u("Interpreter thunk buffer"), GetCurrentProcess()),
+    emitBufferManager(allocator, codePageAllocators, /*scriptContext*/ nullptr, nullptr, _u("Interpreter thunk buffer"), GetCurrentProcess()),
     scriptContext(context),
     allocator(allocator),
     thunkCount(0),
diff --git a/lib/Backend/JITOutput.cpp b/lib/Backend/JITOutput.cpp
@@ -250,6 +250,7 @@ JITOutput::RecordXData(BYTE * xdata)
 void
 JITOutput::FinalizeNativeCode()
 {
+    CustomHeap::Allocation * allocation = GetAllocation();
 #if ENABLE_OOP_NATIVE_CODEGEN
     if (JITManager::GetJITManager()->IsJITServer())
     {
@@ -258,7 +259,7 @@ JITOutput::FinalizeNativeCode()
 #if _M_IX86 || _M_X64
         if (!m_func->IsLoopBody() && CONFIG_FLAG(UseJITTrampoline))
         {
-            m_outputData->thunkAddress = m_func->GetOOPThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);
+            allocation->thunkAddress = m_func->GetOOPThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);
         }
 #endif
 #endif
@@ -278,18 +279,30 @@ JITOutput::FinalizeNativeCode()
 #if _M_IX86 || _M_X64
         if (!m_func->IsLoopBody() && CONFIG_FLAG(UseJITTrampoline))
         {
-            m_outputData->thunkAddress = m_func->GetInProcThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);
+            allocation->thunkAddress = m_func->GetInProcThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);
         }
 #endif
 #endif
     }
-
-    if (!m_outputData->thunkAddress && CONFIG_FLAG(OOPCFGRegistration))
+    m_outputData->thunkAddress = allocation->thunkAddress;
+    if (!allocation->thunkAddress && CONFIG_FLAG(OOPCFGRegistration))
     {
         m_func->GetThreadContextInfo()->SetValidCallTargetForCFG((PVOID)m_outputData->codeAddress);
     }
 }
 
+CustomHeap::Allocation *
+JITOutput::GetAllocation() const
+{
+#if ENABLE_OOP_NATIVE_CODEGEN
+    if (JITManager::GetJITManager()->IsJITServer())
+    {
+        return m_oopAlloc->allocation;
+    }
+#endif
+    return m_inProcAlloc->allocation;
+}
+
 JITOutputIDL *
 JITOutput::GetOutputData()
 {
diff --git a/lib/Backend/JITOutput.h b/lib/Backend/JITOutput.h
@@ -54,6 +54,7 @@ class JITOutput
 private:
     template <typename TEmitBufferAllocation, typename TCodeGenAllocators>
     void RecordNativeCode(const BYTE* sourceBuffer, BYTE* localCodeAddress, TEmitBufferAllocation allocation, TCodeGenAllocators codeGenAllocators);
+    CustomHeap::Allocation * GetAllocation() const;
     union
     {
         EmitBufferAllocation<VirtualAllocWrapper, PreReservedVirtualAllocWrapper> * m_inProcAlloc;
diff --git a/lib/Backend/NativeCodeGenerator.cpp b/lib/Backend/NativeCodeGenerator.cpp
@@ -3174,24 +3174,17 @@ bool NativeCodeGenerator::TryReleaseNonHiPriWorkItem(CodeGenWorkItem* workItem)
 }
 
 void
-NativeCodeGenerator::FreeNativeCodeGenAllocation(void* codeAddress, void* thunkAddress)
+NativeCodeGenerator::FreeNativeCodeGenAllocation(void* codeAddress)
 {
     if (JITManager::GetJITManager()->IsOOPJITEnabled())
     {
         ThreadContext * context = this->scriptContext->GetThreadContext();
-        HRESULT hr = JITManager::GetJITManager()->FreeAllocation(context->GetRemoteThreadContextAddr(), (intptr_t)codeAddress, (intptr_t)thunkAddress);
+        HRESULT hr = JITManager::GetJITManager()->FreeAllocation(context->GetRemoteThreadContextAddr(), (intptr_t)codeAddress);
         JITManager::HandleServerCallResult(hr, RemoteCallType::MemFree);
     }
     else if(this->backgroundAllocators)
     {
         this->backgroundAllocators->emitBufferManager.FreeAllocation(codeAddress);
-        
-#if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 || _M_X64)
-        if (thunkAddress)
-        {
-            this->scriptContext->GetThreadContext()->GetJITThunkEmitter()->FreeThunk((uintptr_t)thunkAddress);
-        }
-#endif
     }
 }
 
@@ -3205,7 +3198,7 @@ NativeCodeGenerator::QueueFreeNativeCodeGenAllocation(void* codeAddress, void *
         return;
     }
 
-    if (!JITManager::GetJITManager()->IsOOPJITEnabled() || !CONFIG_FLAG(OOPCFGRegistration))
+    if (JITManager::GetJITManager()->IsOOPJITEnabled() && !CONFIG_FLAG(OOPCFGRegistration))
     {
         //DeRegister Entry Point for CFG
         if (thunkAddress)
@@ -3228,12 +3221,6 @@ NativeCodeGenerator::QueueFreeNativeCodeGenAllocation(void* codeAddress, void *
     // The foreground allocators may have been used
     if(this->foregroundAllocators && this->foregroundAllocators->emitBufferManager.FreeAllocation(codeAddress))
     {
-#if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 || _M_X64)
-        if (thunkAddress)
-        {
-            this->scriptContext->GetThreadContext()->GetJITThunkEmitter()->FreeThunk((uintptr_t)thunkAddress);
-        }
-#endif
         return;
     }
 
@@ -3695,6 +3682,10 @@ JITManager::HandleServerCallResult(HRESULT hr, RemoteCallType callType)
         break;
     }
 
+    if (CONFIG_FLAG(CrashOnOOPJITFailure))
+    {
+        RpcFailure_fatal_error(hr);
+    }
     // we only expect to see these hresults in case server has been closed. failfast otherwise
     if (hr != HRESULT_FROM_WIN32(RPC_S_CALL_FAILED) &&
         hr != HRESULT_FROM_WIN32(RPC_S_CALL_FAILED_DNE))
diff --git a/lib/Backend/NativeCodeGenerator.h b/lib/Backend/NativeCodeGenerator.h
@@ -101,7 +101,7 @@ void SetProfileMode(BOOL fSet);
     void UpdateQueueForDebugMode();
     bool IsBackgroundJIT() const;
     void EnterScriptStart();
-    void FreeNativeCodeGenAllocation(void* codeAddress, void* thunkAddress);
+    void FreeNativeCodeGenAllocation(void* codeAddress);
     bool TryReleaseNonHiPriWorkItem(CodeGenWorkItem* workItem);
 
     void QueueFreeNativeCodeGenAllocation(void* codeAddress, void* thunkAddress);
@@ -129,7 +129,7 @@ void SetProfileMode(BOOL fSet);
 
     InProcCodeGenAllocators *CreateAllocators(PageAllocator *const pageAllocator)
     {
-        return HeapNew(InProcCodeGenAllocators, pageAllocator->GetAllocationPolicyManager(), scriptContext, scriptContext->GetThreadContext()->GetCodePageAllocators(), GetCurrentProcess());
+        return HeapNew(InProcCodeGenAllocators, pageAllocator->GetAllocationPolicyManager(), scriptContext, scriptContext->GetThreadContext(), scriptContext->GetThreadContext()->GetCodePageAllocators(), GetCurrentProcess());
     }
 
     InProcCodeGenAllocators *EnsureForegroundAllocators(PageAllocator * pageAllocator)
@@ -276,7 +276,7 @@ void SetProfileMode(BOOL fSet);
             FreeLoopBodyJob* freeLoopBodyJob = static_cast<FreeLoopBodyJob*>(job);
 
             // Free Loop Body
-            nativeCodeGen->FreeNativeCodeGenAllocation(freeLoopBodyJob->codeAddress, freeLoopBodyJob->thunkAddress);
+            nativeCodeGen->FreeNativeCodeGenAllocation(freeLoopBodyJob->codeAddress);
 
             return true;
         }
diff --git a/lib/Backend/ServerScriptContext.cpp b/lib/Backend/ServerScriptContext.cpp
@@ -22,8 +22,8 @@ ServerScriptContext::ServerScriptContext(ScriptContextDataIDL * contextData, Ser
     threadContextHolder(threadContextInfo),
     m_isPRNGSeeded(false),
     m_sourceCodeArena(_u("JITSourceCodeArena"), threadContextInfo->GetForegroundPageAllocator(), Js::Throw::OutOfMemory, nullptr),
-    m_interpreterThunkBufferManager(&m_sourceCodeArena, threadContextInfo->GetThunkPageAllocators(), nullptr, _u("Interpreter thunk buffer"), GetThreadContext()->GetProcessHandle()),
-    m_asmJsInterpreterThunkBufferManager(&m_sourceCodeArena, threadContextInfo->GetThunkPageAllocators(), nullptr, _u("Asm.js interpreter thunk buffer"), GetThreadContext()->GetProcessHandle()),
+    m_interpreterThunkBufferManager(&m_sourceCodeArena, threadContextInfo->GetThunkPageAllocators(), nullptr, threadContextInfo, _u("Interpreter thunk buffer"), GetThreadContext()->GetProcessHandle()),
+    m_asmJsInterpreterThunkBufferManager(&m_sourceCodeArena, threadContextInfo->GetThunkPageAllocators(), nullptr, threadContextInfo, _u("Asm.js interpreter thunk buffer"), GetThreadContext()->GetProcessHandle()),
     m_domFastPathHelperMap(nullptr),
     m_moduleRecords(&HeapAllocator::Instance),
     m_globalThisAddr(0),
diff --git a/lib/Backend/ServerThreadContext.cpp b/lib/Backend/ServerThreadContext.cpp
@@ -18,10 +18,10 @@ ServerThreadContext::ServerThreadContext(ThreadContextDataIDL * data, HANDLE pro
     m_sectionAllocator(processHandle),
     m_thunkPageAllocators(nullptr, /* allocXData */ false, &m_sectionAllocator, nullptr, processHandle),
     m_codePageAllocators(nullptr, ALLOC_XDATA, &m_sectionAllocator, &m_preReservedSectionAllocator, processHandle),
-    m_codeGenAlloc(nullptr, nullptr, &m_codePageAllocators, processHandle),
 #if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 || _M_X64)
     m_jitThunkEmitter(this, &m_sectionAllocator, processHandle),
 #endif
+    m_codeGenAlloc(nullptr, nullptr, this, &m_codePageAllocators, processHandle),
     m_pageAlloc(nullptr, Js::Configuration::Global.flags, PageAllocatorType_BGJIT,
         AutoSystemInfo::Data.IsLowMemoryProcess() ?
         PageAllocator::DefaultLowMaxFreePageCount :
diff --git a/lib/Backend/ServerThreadContext.h b/lib/Backend/ServerThreadContext.h
@@ -68,10 +68,10 @@ class ServerThreadContext : public ThreadContextInfo
     SectionAllocWrapper m_sectionAllocator;
     CustomHeap::OOPCodePageAllocators m_thunkPageAllocators;
     CustomHeap::OOPCodePageAllocators  m_codePageAllocators;
+    OOPCodeGenAllocators m_codeGenAlloc;
 #if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 || _M_X64)
     OOPJITThunkEmitter m_jitThunkEmitter;
 #endif
-    OOPCodeGenAllocators m_codeGenAlloc;
     // only allocate with this from foreground calls (never from CodeGen calls)
     PageAllocator m_pageAlloc;
     HANDLE m_processHandle;
diff --git a/lib/Common/ConfigFlagsList.h b/lib/Common/ConfigFlagsList.h
@@ -685,6 +685,7 @@ PHASE(All)
 #define DEFAULT_CONFIG_PerfHintLevel (1)
 #define DEFAULT_CONFIG_OOPJITMissingOpts (true)
 #define DEFAULT_CONFIG_OOPCFGRegistration (true)
+#define DEFAULT_CONFIG_CrashOnOOPJITFailure (false)
 #define DEFAULT_CONFIG_ForceJITCFGCheck (false)
 #define DEFAULT_CONFIG_UseJITTrampoline (true)
 
@@ -1260,6 +1261,7 @@ FLAGNR(Number,  FuncObjectInlineCacheThreshold  , "Maximum number of inline cach
 FLAGNR(Boolean, NoDeferParse          , "Disable deferred parsing", false)
 FLAGNR(Boolean, NoLogo                , "No logo, which we don't display anyways", false)
 FLAGNR(Boolean, OOPJITMissingOpts     , "Use optimizations that are missing from OOP JIT", DEFAULT_CONFIG_OOPJITMissingOpts)
+FLAGNR(Boolean, CrashOnOOPJITFailure  , "Crash runtime process if JIT process crashes", DEFAULT_CONFIG_CrashOnOOPJITFailure)
 FLAGNR(Boolean, OOPCFGRegistration    , "Do CFG registration OOP (under OOP JIT)", DEFAULT_CONFIG_OOPCFGRegistration)
 FLAGNR(Boolean, ForceJITCFGCheck      , "Have JIT code always do CFG check even if range check succeeded", DEFAULT_CONFIG_ForceJITCFGCheck)
 FLAGNR(Boolean, UseJITTrampoline      , "Use trampoline for JIT entry points and emit range checks for it", DEFAULT_CONFIG_UseJITTrampoline)
diff --git a/lib/Common/Memory/CustomHeap.cpp b/lib/Common/Memory/CustomHeap.cpp
@@ -467,6 +467,7 @@ Allocation* Heap<TAlloc, TPreReservedAlloc>::AllocLargeObject(size_t bytes, usho
     allocation->largeObjectAllocation.segment = segment;
     allocation->largeObjectAllocation.isDecommitted = false;
     allocation->size = pages * AutoSystemInfo::PageSize;
+    allocation->thunkAddress = 0;
 
 #if PDATA_ENABLED
     allocation->xdata = xdata;
@@ -607,6 +608,7 @@ bool Heap<TAlloc, TPreReservedAlloc>::AllocInPage(Page* page, size_t bytes, usho
     allocation->page = page;
     allocation->size = bytes;
     allocation->address = address;
+    allocation->thunkAddress = 0;
 
 #if DBG_DUMP
     this->allocationsSinceLastCompact += bytes;
diff --git a/lib/Common/Memory/CustomHeap.h b/lib/Common/Memory/CustomHeap.h
@@ -86,6 +86,7 @@ struct Allocation
         } largeObjectAllocation;
     };
 
+    uintptr_t thunkAddress;
     __field_bcount(size) char* address;
     size_t size;
 
diff --git a/lib/JITClient/JITManager.cpp b/lib/JITClient/JITManager.cpp
@@ -547,15 +547,14 @@ JITManager::CloseScriptContext(
 HRESULT
 JITManager::FreeAllocation(
     __in PTHREADCONTEXT_HANDLE threadContextInfoAddress,
-    __in intptr_t codeAddress,
-    __in intptr_t thunkAddress)
+    __in intptr_t codeAddress)
 {
     Assert(IsOOPJITEnabled());
 
     HRESULT hr = E_FAIL;
     RpcTryExcept
     {
-        hr = ClientFreeAllocation(m_rpcBindingHandle, threadContextInfoAddress, codeAddress, thunkAddress);
+        hr = ClientFreeAllocation(m_rpcBindingHandle, threadContextInfoAddress, codeAddress);
     }
     RpcExcept(RpcExceptionFilter(RpcExceptionCode()))
     {
diff --git a/lib/JITClient/JITManager.h b/lib/JITClient/JITManager.h
@@ -83,8 +83,7 @@ class JITManager
 
     HRESULT FreeAllocation(
         __in PTHREADCONTEXT_HANDLE threadContextInfoAddress,
-        __in intptr_t codeAddress,
-        __in intptr_t thunkAddress);
+        __in intptr_t codeAddress);
 
     HRESULT SetIsPRNGSeeded(
         __in PSCRIPTCONTEXT_HANDLE scriptContextInfoAddress,
@@ -204,8 +203,7 @@ class JITManager
 
     HRESULT FreeAllocation(
         __in PTHREADCONTEXT_HANDLE threadContextInfoAddress,
-        __in intptr_t codeAddress,
-        __in intptr_t thunkAddress)
+        __in intptr_t codeAddress)
         { Assert(false); return E_FAIL; }
 
     HRESULT SetIsPRNGSeeded(
diff --git a/lib/JITIDL/ChakraJIT.idl b/lib/JITIDL/ChakraJIT.idl
@@ -78,8 +78,7 @@ interface IChakraJIT
     HRESULT FreeAllocation(
         [in] handle_t binding,
         [in] PTHREADCONTEXT_HANDLE threadContextInfoAddress,
-        [in] CHAKRA_PTR codeAddress,
-        [in] CHAKRA_PTR thunkAddress);
+        [in] CHAKRA_PTR codeAddress);
 
     HRESULT NewInterpreterThunkBlock(
         [in] handle_t binding,
diff --git a/lib/JITServer/JITServer.cpp b/lib/JITServer/JITServer.cpp

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ void CodeGenWorkItem::OnWorkItemProcessFail(NativeCodeGenerator* codeGen)`
`205`	`205`	`#if DBG`
`206`	`206`	`this->allocation->allocation->isNotExecutableBecauseOOM = true;`
`207`	`207`	`#endif`
`208`		`- codeGen->FreeNativeCodeGenAllocation(this->allocation->allocation->address, nullptr);`
	`208`	`+ codeGen->FreeNativeCodeGenAllocation(this->allocation->allocation->address);`
`209`	`209`	`}`
`210`	`210`	`}`
`211`	`211`
Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ const BYTE InterpreterThunkEmitter::HeaderSize()`
`242`	`242`	`}`
`243`	`243`
`244`	`244`	`InterpreterThunkEmitter::InterpreterThunkEmitter(Js::ScriptContext* context, ArenaAllocator* allocator, CustomHeap::InProcCodePageAllocators * codePageAllocators, bool isAsmInterpreterThunk) :`
`245`		`- emitBufferManager(allocator, codePageAllocators, /scriptContext/ nullptr, _u("Interpreter thunk buffer"), GetCurrentProcess()),`
	`245`	`+ emitBufferManager(allocator, codePageAllocators, /scriptContext/ nullptr, nullptr, _u("Interpreter thunk buffer"), GetCurrentProcess()),`
`246`	`246`	`scriptContext(context),`
`247`	`247`	`allocator(allocator),`
`248`	`248`	`thunkCount(0),`
Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,7 @@ JITOutput::RecordXData(BYTE * xdata)`
`250`	`250`	`void`
`251`	`251`	`JITOutput::FinalizeNativeCode()`
`252`	`252`	`{`
	`253`	`+ CustomHeap::Allocation * allocation = GetAllocation();`
`253`	`254`	`#if ENABLE_OOP_NATIVE_CODEGEN`
`254`	`255`	`if (JITManager::GetJITManager()->IsJITServer())`
`255`	`256`	`{`
`@@ -258,7 +259,7 @@ JITOutput::FinalizeNativeCode()`
`258`	`259`	`#if _M_IX86 \|\| _M_X64`
`259`	`260`	`if (!m_func->IsLoopBody() && CONFIG_FLAG(UseJITTrampoline))`
`260`	`261`	`{`
`261`		`- m_outputData->thunkAddress = m_func->GetOOPThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);`
	`262`	`+ allocation->thunkAddress = m_func->GetOOPThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);`
`262`	`263`	`}`
`263`	`264`	`#endif`
`264`	`265`	`#endif`
`@@ -278,18 +279,30 @@ JITOutput::FinalizeNativeCode()`
`278`	`279`	`#if _M_IX86 \|\| _M_X64`
`279`	`280`	`if (!m_func->IsLoopBody() && CONFIG_FLAG(UseJITTrampoline))`
`280`	`281`	`{`
`281`		`- m_outputData->thunkAddress = m_func->GetInProcThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);`
	`282`	`+ allocation->thunkAddress = m_func->GetInProcThreadContext()->GetJITThunkEmitter()->CreateThunk(m_outputData->codeAddress);`
`282`	`283`	`}`
`283`	`284`	`#endif`
`284`	`285`	`#endif`
`285`	`286`	`}`
`286`		`-`
`287`		`- if (!m_outputData->thunkAddress && CONFIG_FLAG(OOPCFGRegistration))`
	`287`	`+ m_outputData->thunkAddress = allocation->thunkAddress;`
	`288`	`+ if (!allocation->thunkAddress && CONFIG_FLAG(OOPCFGRegistration))`
`288`	`289`	`{`
`289`	`290`	`m_func->GetThreadContextInfo()->SetValidCallTargetForCFG((PVOID)m_outputData->codeAddress);`
`290`	`291`	`}`
`291`	`292`	`}`
`292`	`293`
	`294`	`+CustomHeap::Allocation *`
	`295`	`+JITOutput::GetAllocation() const`
	`296`	`+{`
	`297`	`+#if ENABLE_OOP_NATIVE_CODEGEN`
	`298`	`+ if (JITManager::GetJITManager()->IsJITServer())`
	`299`	`+ {`
	`300`	`+ return m_oopAlloc->allocation;`
	`301`	`+ }`
	`302`	`+#endif`
	`303`	`+ return m_inProcAlloc->allocation;`
	`304`	`+}`
	`305`	`+`
`293`	`306`	`JITOutputIDL *`
`294`	`307`	`JITOutput::GetOutputData()`
`295`	`308`	`{`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ class JITOutput`
`54`	`54`	`private:`
`55`	`55`	`template <typename TEmitBufferAllocation, typename TCodeGenAllocators>`
`56`	`56`	`void RecordNativeCode(const BYTE* sourceBuffer, BYTE* localCodeAddress, TEmitBufferAllocation allocation, TCodeGenAllocators codeGenAllocators);`
	`57`	`+ CustomHeap::Allocation * GetAllocation() const;`
`57`	`58`	`union`
`58`	`59`	`{`
`59`	`60`	`EmitBufferAllocation<VirtualAllocWrapper, PreReservedVirtualAllocWrapper> * m_inProcAlloc;`
Original file line number	Diff line number	Diff line change
`@@ -3174,24 +3174,17 @@ bool NativeCodeGenerator::TryReleaseNonHiPriWorkItem(CodeGenWorkItem* workItem)`
`3174`	`3174`	`}`
`3175`	`3175`
`3176`	`3176`	`void`
`3177`		`-NativeCodeGenerator::FreeNativeCodeGenAllocation(void* codeAddress, void* thunkAddress)`
	`3177`	`+NativeCodeGenerator::FreeNativeCodeGenAllocation(void* codeAddress)`
`3178`	`3178`	`{`
`3179`	`3179`	`if (JITManager::GetJITManager()->IsOOPJITEnabled())`
`3180`	`3180`	`{`
`3181`	`3181`	`ThreadContext * context = this->scriptContext->GetThreadContext();`
`3182`		`- HRESULT hr = JITManager::GetJITManager()->FreeAllocation(context->GetRemoteThreadContextAddr(), (intptr_t)codeAddress, (intptr_t)thunkAddress);`
	`3182`	`+ HRESULT hr = JITManager::GetJITManager()->FreeAllocation(context->GetRemoteThreadContextAddr(), (intptr_t)codeAddress);`
`3183`	`3183`	`JITManager::HandleServerCallResult(hr, RemoteCallType::MemFree);`
`3184`	`3184`	`}`
`3185`	`3185`	`else if(this->backgroundAllocators)`
`3186`	`3186`	`{`
`3187`	`3187`	`this->backgroundAllocators->emitBufferManager.FreeAllocation(codeAddress);`
`3188`		`-`
`3189`		`-#if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 \|\| _M_X64)`
`3190`		`- if (thunkAddress)`
`3191`		`- {`
`3192`		`- this->scriptContext->GetThreadContext()->GetJITThunkEmitter()->FreeThunk((uintptr_t)thunkAddress);`
`3193`		`- }`
`3194`		`-#endif`
`3195`	`3188`	`}`
`3196`	`3189`	`}`
`3197`	`3190`
`@@ -3205,7 +3198,7 @@ NativeCodeGenerator::QueueFreeNativeCodeGenAllocation(void* codeAddress, void *`
`3205`	`3198`	`return;`
`3206`	`3199`	`}`
`3207`	`3200`
`3208`		`- if (!JITManager::GetJITManager()->IsOOPJITEnabled() \|\| !CONFIG_FLAG(OOPCFGRegistration))`
	`3201`	`+ if (JITManager::GetJITManager()->IsOOPJITEnabled() && !CONFIG_FLAG(OOPCFGRegistration))`
`3209`	`3202`	`{`
`3210`	`3203`	`//DeRegister Entry Point for CFG`
`3211`	`3204`	`if (thunkAddress)`
`@@ -3228,12 +3221,6 @@ NativeCodeGenerator::QueueFreeNativeCodeGenAllocation(void* codeAddress, void *`
`3228`	`3221`	`// The foreground allocators may have been used`
`3229`	`3222`	`if(this->foregroundAllocators && this->foregroundAllocators->emitBufferManager.FreeAllocation(codeAddress))`
`3230`	`3223`	`{`
`3231`		`-#if defined(_CONTROL_FLOW_GUARD) && (_M_IX86 \|\| _M_X64)`
`3232`		`- if (thunkAddress)`
`3233`		`- {`
`3234`		`- this->scriptContext->GetThreadContext()->GetJITThunkEmitter()->FreeThunk((uintptr_t)thunkAddress);`
`3235`		`- }`
`3236`		`-#endif`
`3237`	`3224`	`return;`
`3238`	`3225`	`}`
`3239`	`3226`
`@@ -3695,6 +3682,10 @@ JITManager::HandleServerCallResult(HRESULT hr, RemoteCallType callType)`
`3695`	`3682`	`break;`
`3696`	`3683`	`}`
`3697`	`3684`
	`3685`	`+ if (CONFIG_FLAG(CrashOnOOPJITFailure))`
	`3686`	`+ {`
	`3687`	`+ RpcFailure_fatal_error(hr);`
	`3688`	`+ }`
`3698`	`3689`	`// we only expect to see these hresults in case server has been closed. failfast otherwise`
`3699`	`3690`	`if (hr != HRESULT_FROM_WIN32(RPC_S_CALL_FAILED) &&`
`3700`	`3691`	`hr != HRESULT_FROM_WIN32(RPC_S_CALL_FAILED_DNE))`