[CVE-2017-0067] prevent parser from getting into inconsistent state when asm.js parse fails

MikeHolman · MikeHolman · commit 80cfdbb9c697 · 2017-03-16T15:35:52.000-07:00
diff --git a/lib/Runtime/Base/FunctionBody.cpp b/lib/Runtime/Base/FunctionBody.cpp
diff --git a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp
@@ -3633,9 +3633,9 @@ void ByteCodeGenerator::EmitScopeList(ParseNode *pnode, ParseNode *breakOnBodySc
                 {
                     exit(JSERR_AsmJsCompileError);
                 }
-                else if (!(flags & fscrDeferFncParse))
+                else
                 {
-                    // If deferral is not allowed, throw and reparse everything with asm.js disabled.
+                    // if asm.js parse error happened, reparse with asm.js disabled.
                     throw Js::AsmJsParseException();
                 }
             }
diff --git a/lib/Runtime/Library/GlobalObject.cpp b/lib/Runtime/Library/GlobalObject.cpp
@@ -944,17 +944,16 @@ namespace Js
             {
                 JavascriptError::ThrowStackOverflowError(scriptContext);
             }
-            JavascriptError::MapAndThrowError(scriptContext, hrCodeGen);
-        }
-        else
-        {
-            if (se.ei.scode == JSERR_AsmJsCompileError)
+            else if (hrCodeGen == JSERR_AsmJsCompileError)
             {
                 // if asm.js compilation succeeded, retry with asm.js disabled
                 grfscr |= fscrNoAsmJs;
-                se.Clear();
                 return DefaultEvalHelper(scriptContext, source, sourceLength, moduleID, grfscr, pszTitle, registerDocument, isIndirect, strictMode);
             }
+            JavascriptError::MapAndThrowError(scriptContext, hrCodeGen);
+        }
+        else
+        {
 
             Assert(funcBody != nullptr);
             funcBody->SetDisplayName(pszTitle);
diff --git a/test/AsmJs/nested.baseline b/test/AsmJs/nested.baseline
@@ -0,0 +1,2 @@
+closure functions are not allowed
+Asm.js compilation failed.
diff --git a/test/AsmJs/nested.js b/test/AsmJs/nested.js
@@ -0,0 +1,12 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function AsmModule() {
+    "use asm";
+    function f() { 
+        function g() { } 
+    }
+}
+AsmModule();
diff --git a/test/AsmJs/qmarkbug.baseline b/test/AsmJs/qmarkbug.baseline
@@ -1,11 +1,11 @@
 
-qmarkbug.js(9, 3)
+qmarkbug.js(6, 5)
 	Asm.js Compilation Error function : None::f
 	Conditional expressions must be of type int, double, or float
 
 Asm.js compilation failed.
 
-qmarkbug.js(25, 3)
+qmarkbug.js(6, 5)
 	Asm.js Compilation Error function : None::f
 	Conditional expressions must be of type int, double, or float
 
diff --git a/test/AsmJs/qmarkbug.js b/test/AsmJs/qmarkbug.js
@@ -3,34 +3,36 @@
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 
-var asmModule = 
-(function(stdlib, foreign, heap) { 'use asm';   var Uint8ArrayView = new stdlib.Uint8Array(heap);
-  var Int16ArrayView = new stdlib.Int16Array(heap);
-  function f(d0, i1)
-  {
-    d0 = +d0;
-    i1 = i1|0;
-    var i4 = 0;
-    i4 = ((0) ? 0 : ((Uint8ArrayView[0])));
-    return +((-7.555786372591432e+22));
-  }
-  return f; })
+eval(`
+(function(stdlib, foreign, heap) {
+    'use asm';
+    var Uint8ArrayView = new stdlib.Uint8Array(heap);
+    var Int16ArrayView = new stdlib.Int16Array(heap);
+    function f(d0, i1)
+    {
+        d0 = +d0;
+        i1 = i1|0;
+        var i4 = 0;
+        i4 = ((0) ? 0 : ((Uint8ArrayView[0])));
+        return +((-7.555786372591432e+22));
+    }
+    return f;
+})(this, {}, new ArrayBuffer(1<<24));
+`);
 
-  var asmHeap = new ArrayBuffer(1<<24);
-  var asmFun = asmModule(this, {}, asmHeap);
-  asmFun();
-  var asmModule = 
-(function(stdlib, foreign, heap) { 'use asm';   var Uint8ArrayView = new stdlib.Uint8Array(heap);
-  var Int16ArrayView = new stdlib.Int16Array(heap);
-  function f(d0, i1)
-  {
-    d0 = +d0;
-    i1 = i1|0;
-    var i4 = 0;
-    i4 = ((0) ? ((Uint8ArrayView[0])): 0 );
-    return +((-7.555786372591432e+22));
-  }
-  return f; })
-
-  var asmFun = asmModule(this, {}, asmHeap);
-  asmFun();
+eval(`
+(function(stdlib, foreign, heap) {
+    'use asm';
+    var Uint8ArrayView = new stdlib.Uint8Array(heap);
+    var Int16ArrayView = new stdlib.Int16Array(heap);
+    function f(d0, i1)
+    {
+        d0 = +d0;
+        i1 = i1|0;
+        var i4 = 0;
+        i4 = ((0) ? ((Uint8ArrayView[0])): 0 );
+        return +((-7.555786372591432e+22));
+    }
+    return f; 
+})(this, {}, new ArrayBuffer(1<<24));
+`);
diff --git a/test/AsmJs/rlexe.xml b/test/AsmJs/rlexe.xml
@@ -814,4 +814,11 @@
       <compile-flags>-testtrace:asmjs -maic:1</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>nested.js</files>
+      <baseline>nested.baseline</baseline>
+      <compile-flags>-forcedeferparse -testtrace:asmjs -simdjs</compile-flags>
+    </default>
+  </test>
 </regress-exe>
diff --git a/test/AsmJs/shadowingBug.baseline b/test/AsmJs/shadowingBug.baseline
@@ -1,18 +1,18 @@
 
-shadowingBug.js(7, 97)
+shadowingBug.js(1, 97)
 	Asm.js Compilation Error function : None::f1
 	Invalid identifier f64
 
 Asm.js compilation failed.
+0
 
-shadowingBug.js(8, 97)
+shadowingBug.js(1, 97)
 	Asm.js Compilation Error function : None::f1
 	Invalid identifier f64
 
 Asm.js compilation failed.
+NaN
 Var declaration with non-constant
 Asm.js compilation failed.
 0
-NaN
-0
 0
diff --git a/test/AsmJs/shadowingBug.js b/test/AsmJs/shadowingBug.js
@@ -4,9 +4,9 @@
 //-------------------------------------------------------------------------------------------------------
 
 var buffer = new ArrayBuffer(1<<20);
-print((function (stdlib,foreign,buffer) { "use asm"; var f64 = new stdlib.Float64Array(buffer); function f1(){ var f64 = 1.; f64[0] = 0.0;return +0.0;} return f1;})(this,{},buffer)());
-print((function (stdlib,foreign,buffer) { "use asm"; var f64 = new stdlib.Float64Array(buffer); function f1(){ var f64 = 1.; return +f64[0];} return f1;})(this,{},buffer)());
-print((function (stdlib,foreign,buffer) { "use asm"; const a = 10; function f1(){ var a =0; var b = a; return b|0;} return f1;})(this,{},buffer)());
+eval('print((function (stdlib,foreign,buffer) { "use asm"; var f64 = new stdlib.Float64Array(buffer); function f1(){ var f64 = 1.; f64[0] = 0.0;return +0.0;} return f1;})(this,{},buffer)())');
+eval('print((function (stdlib,foreign,buffer) { "use asm"; var f64 = new stdlib.Float64Array(buffer); function f1(){ var f64 = 1.; return +f64[0];} return f1;})(this,{},buffer)())');
+eval('print((function (stdlib,foreign,buffer) { "use asm"; const a = 10; function f1(){ var a =0; var b = a; return b|0;} return f1;})(this,{},buffer)())');
 
 var f64Arr = new Float64Array(buffer);
 print(f64Arr[0]);

Original file line number	Diff line number	Diff line change
`@@ -3633,9 +3633,9 @@ void ByteCodeGenerator::EmitScopeList(ParseNode pnode, ParseNode breakOnBodySc`
`3633`	`3633`	`{`
`3634`	`3634`	`exit(JSERR_AsmJsCompileError);`
`3635`	`3635`	`}`
`3636`		`- else if (!(flags & fscrDeferFncParse))`
	`3636`	`+ else`
`3637`	`3637`	`{`
`3638`		`- // If deferral is not allowed, throw and reparse everything with asm.js disabled.`
	`3638`	`+ // if asm.js parse error happened, reparse with asm.js disabled.`
`3639`	`3639`	`throw Js::AsmJsParseException();`
`3640`	`3640`	`}`
`3641`	`3641`	`}`
Original file line number	Diff line number	Diff line change
`@@ -944,17 +944,16 @@ namespace Js`
`944`	`944`	`{`
`945`	`945`	`JavascriptError::ThrowStackOverflowError(scriptContext);`
`946`	`946`	`}`
`947`		`- JavascriptError::MapAndThrowError(scriptContext, hrCodeGen);`
`948`		`- }`
`949`		`- else`
`950`		`- {`
`951`		`- if (se.ei.scode == JSERR_AsmJsCompileError)`
	`947`	`+ else if (hrCodeGen == JSERR_AsmJsCompileError)`
`952`	`948`	`{`
`953`	`949`	`// if asm.js compilation succeeded, retry with asm.js disabled`
`954`	`950`	`grfscr \|= fscrNoAsmJs;`
`955`		`- se.Clear();`
`956`	`951`	`return DefaultEvalHelper(scriptContext, source, sourceLength, moduleID, grfscr, pszTitle, registerDocument, isIndirect, strictMode);`
`957`	`952`	`}`
	`953`	`+ JavascriptError::MapAndThrowError(scriptContext, hrCodeGen);`
	`954`	`+ }`
	`955`	`+ else`
	`956`	`+ {`
`958`	`957`
`959`	`958`	`Assert(funcBody != nullptr);`
`960`	`959`	`funcBody->SetDisplayName(pszTitle);`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+closure functions are not allowed`
	`2`	`+Asm.js compilation failed.`