chakra-core · chakrabot · Aug 10, 2017 · Aug 9, 2017
diff --git a/Build/Chakra.Build.props b/Build/Chakra.Build.props
@@ -4,6 +4,7 @@
   <PropertyGroup>
     <Win32_WinNTVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_Win7)'">0x0601</Win32_WinNTVersion>
     <Win32_WinNTVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_Win8)'">0x0602</Win32_WinNTVersion>
+    <Win32_WinNTVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_WinBlue)'">0x0603</Win32_WinNTVersion>
     <Win32_WinNTVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_Win10)'">0x0A00</Win32_WinNTVersion>
   </PropertyGroup>
   <PropertyGroup>

diff --git a/Build/Common.Build.Default.props b/Build/Common.Build.Default.props
@@ -4,6 +4,7 @@
   <PropertyGroup>
     <NtTargetVersion_Win7 >0x601</NtTargetVersion_Win7>
     <NtTargetVersion_Win8 >0x602</NtTargetVersion_Win8>
+    <NtTargetVersion_WinBlue>0x603</NtTargetVersion_WinBlue>
     <NtTargetVersion_Win10>0xA00</NtTargetVersion_Win10>
   </PropertyGroup>
 

diff --git a/Build/Common.Build.props b/Build/Common.Build.props
@@ -29,6 +29,8 @@
       <!-- ======== sources.inc ======== -->
       <!-- generates SAL annotations for our interface -->
       <AdditionalOptions>%(AdditionalOptions) -sal_local</AdditionalOptions>
+
+      <PreprocessorDefinitions>%(PreprocessorDefinitions);WINVER=$(Win32_WinNTVersion)</PreprocessorDefinitions>
     </Midl>
     <ClCompile>
       <PreprocessorDefinitions>%(PreprocessorDefinitions);NOMINMAX;USE_EDGEMODE_JSRT</PreprocessorDefinitions>
@@ -105,6 +107,7 @@
 
       <MinimumRequiredVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_Win7)'" >6.1</MinimumRequiredVersion>
       <MinimumRequiredVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_Win8)'" >6.2</MinimumRequiredVersion>
+      <MinimumRequiredVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_WinBlue)'" >6.3</MinimumRequiredVersion>
       <MinimumRequiredVersion Condition="'$(NtTargetVersion)'=='$(NtTargetVersion_Win10)'" >10.00</MinimumRequiredVersion>
 
       <!-- Always set the checksum -->

diff --git a/lib/Backend/AsmJsJITInfo.cpp b/lib/Backend/AsmJsJITInfo.cpp
@@ -60,7 +60,7 @@ AsmJsJITInfo::GetArgTypeArray() const
 Js::AsmJsVarType::Which
 AsmJsJITInfo::GetArgType(Js::ArgSlot argNum) const
 {
-    Assert(argNum < GetArgCount());
+    AssertOrFailFast(argNum < GetArgCount());
     return GetArgTypeArray()[argNum];
 }
 

diff --git a/lib/Backend/AsmJsJITInfo.h b/lib/Backend/AsmJsJITInfo.h
@@ -28,7 +28,6 @@ class AsmJsJITInfo
     Js::ArgSlot GetArgCount() const;
     Js::ArgSlot GetArgByteSize() const;
     Js::AsmJsRetType::Which GetRetType() const;
-    Js::AsmJsVarType::Which * GetArgTypeArray() const;
     Js::AsmJsVarType::Which GetArgType(Js::ArgSlot argNum) const;
 
 #ifdef ENABLE_WASM
@@ -40,6 +39,7 @@ class AsmJsJITInfo
     bool AccessNeedsBoundCheck(uint offset) const;
 
 private:
+    Js::AsmJsVarType::Which * GetArgTypeArray() const;
     AsmJsDataIDL m_data;
 #endif
 };
diff --git a/lib/Backend/CodeGenWorkItem.h b/lib/Backend/CodeGenWorkItem.h
@@ -58,6 +58,13 @@ struct CodeGenWorkItem : public JsUtil::Job
         return functionBody->GetScriptContext();
     }
 
+    uint GetByteCodeLength() const
+    {
+        return this->functionBody->IsInDebugMode()
+            ? this->functionBody->GetOriginalByteCode()->GetLength()
+            : this->functionBody->GetByteCode()->GetLength();
+    }
+
     Js::FunctionBody* GetFunctionBody() const
     {
         return functionBody;

diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -153,6 +153,14 @@ Func::Func(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
 
     Assert(this->IsInlined() == !!runtimeInfo);
 
+    AssertOrFailFast(!HasProfileInfo() || GetReadOnlyProfileInfo()->GetLoopCount() == GetJITFunctionBody()->GetLoopCount());
+    Js::RegSlot tmpResult;
+    AssertOrFailFast(!UInt32Math::Add(GetJITFunctionBody()->GetConstCount(), GetJITFunctionBody()->GetVarCount(), &tmpResult));
+    AssertOrFailFast(GetJITFunctionBody()->IsAsmJsMode() || GetJITFunctionBody()->GetFirstTmpReg() <= GetJITFunctionBody()->GetLocalsCount());
+    AssertOrFailFast(!IsLoopBody() || m_workItem->GetLoopNumber() < GetJITFunctionBody()->GetLoopCount());
+    AssertOrFailFast(CONFIG_FLAG(Prejit) || CONFIG_ISENABLED(Js::ForceNativeFlag) || GetJITFunctionBody()->GetByteCodeLength() < (uint)CONFIG_FLAG(MaxJITFunctionBytecodeByteLength));
+    GetJITFunctionBody()->EnsureConsistentConstCount();
+
     if (this->IsTopFunc())
     {
         outputData->hasJittedStackClosure = false;

diff --git a/lib/Backend/IR.cpp b/lib/Backend/IR.cpp
@@ -84,6 +84,12 @@ Instr::HasEquivalentTypeCheckBailOut() const
     return this->HasBailOutInfo() && IR::IsEquivalentTypeCheckBailOutKind(this->GetBailOutKind());
 }
 
+bool
+Instr::HasBailOnNoProfile() const
+{
+    return this->HasBailOutInfo() && this->GetBailOutKind() == IR::BailOutOnNoProfile;
+}
+
 void
 Instr::ChangeEquivalentToMonoTypeCheckBailOut()
 {

diff --git a/lib/Backend/IR.h b/lib/Backend/IR.h
@@ -203,6 +203,7 @@ class Instr
     bool            HasAuxBailOut() const { return hasAuxBailOut; }
     bool            HasTypeCheckBailOut() const;
     bool            HasEquivalentTypeCheckBailOut() const;
+    bool            HasBailOnNoProfile() const;
     void            ClearBailOutInfo();
     bool            IsDstNotAlwaysConvertedToInt32() const;
     bool            IsDstNotAlwaysConvertedToNumber() const;

diff --git a/lib/Backend/IRBuilder.cpp b/lib/Backend/IRBuilder.cpp
@@ -400,7 +400,7 @@ IRBuilder::Build()
     Js::RegSlot tempCount = m_func->GetJITFunctionBody()->GetTempCount();
     if (tempCount > 0)
     {
-        this->tempMap = (SymID*)m_tempAlloc->AllocZero(sizeof(SymID) * tempCount);
+        this->tempMap = AnewArrayZ(m_tempAlloc, SymID, tempCount);
         this->fbvTempUsed = BVFixed::New<JitArenaAllocator>(tempCount, m_tempAlloc);
     }
     else
@@ -446,6 +446,7 @@ IRBuilder::Build()
 #endif
 
         lastOffset = m_func->m_workItem->GetLoopHeader()->endOffset;
+        AssertOrFailFast(lastOffset < m_func->GetJITFunctionBody()->GetByteCodeLength());
         // Ret is created at lastOffset + 1, so we need lastOffset + 2 entries
         offsetToInstructionCount = lastOffset + 2;
 
@@ -2721,6 +2722,7 @@ IRBuilder::BuildUnsigned1(Js::OpCode newOpcode, uint32 offset, uint32 num)
 
         case Js::OpCode::ProfiledLoopStart:
         {
+            AssertOrFailFast(num < m_func->GetJITFunctionBody()->GetLoopCount());
             // If we're in profiling SimpleJit and jitting loop bodies, we need to keep this until lowering.
             if (m_func->DoSimpleJitDynamicProfile() && m_func->GetJITFunctionBody()->DoJITLoopBody())
             {
@@ -2771,6 +2773,7 @@ IRBuilder::BuildUnsigned1(Js::OpCode newOpcode, uint32 offset, uint32 num)
 
         case Js::OpCode::ProfiledLoopEnd:
         {
+            AssertOrFailFast(num < m_func->GetJITFunctionBody()->GetLoopCount());
             // TODO: Decide whether we want the implicit loop call flags to be recorded in simplejitted loop bodies
             if (m_func->DoSimpleJitDynamicProfile() && m_func->GetJITFunctionBody()->DoJITLoopBody())
             {

diff --git a/lib/Backend/IRBuilder.h b/lib/Backend/IRBuilder.h
@@ -225,37 +225,45 @@ class IRBuilder
         AssertMsg(this->RegIsTemp(reg), "Processing non-temp reg as a temp?");
         AssertMsg(this->tempMap, "Processing non-temp reg without a temp map?");
 
-        return this->tempMap[reg - this->firstTemp];
+        Js::RegSlot tempIndex = reg - this->firstTemp;
+        AssertOrFailFast(tempIndex < m_func->GetJITFunctionBody()->GetTempCount());
+        return this->tempMap[tempIndex];
     }
 
     void                SetMappedTemp(Js::RegSlot reg, SymID tempId)
     {
         AssertMsg(this->RegIsTemp(reg), "Processing non-temp reg as a temp?");
         AssertMsg(this->tempMap, "Processing non-temp reg without a temp map?");
 
-        this->tempMap[reg - this->firstTemp] = tempId;
+        Js::RegSlot tempIndex = reg - this->firstTemp;
+        AssertOrFailFast(tempIndex < m_func->GetJITFunctionBody()->GetTempCount());
+        this->tempMap[tempIndex] = tempId;
     }
 
     BOOL                GetTempUsed(Js::RegSlot reg)
     {
         AssertMsg(this->RegIsTemp(reg), "Processing non-temp reg as a temp?");
         AssertMsg(this->fbvTempUsed, "Processing non-temp reg without a used BV?");
 
-        return this->fbvTempUsed->Test(reg - this->firstTemp);
+        Js::RegSlot tempIndex = reg - this->firstTemp;
+        AssertOrFailFast(tempIndex < m_func->GetJITFunctionBody()->GetTempCount());
+        return this->fbvTempUsed->Test(tempIndex);
     }
 
     void                SetTempUsed(Js::RegSlot reg, BOOL used)
     {
         AssertMsg(this->RegIsTemp(reg), "Processing non-temp reg as a temp?");
         AssertMsg(this->fbvTempUsed, "Processing non-temp reg without a used BV?");
 
+        Js::RegSlot tempIndex = reg - this->firstTemp;
+        AssertOrFailFast(tempIndex < m_func->GetJITFunctionBody()->GetTempCount());
         if (used)
         {
-            this->fbvTempUsed->Set(reg - this->firstTemp);
+            this->fbvTempUsed->Set(tempIndex);
         }
         else
         {
-            this->fbvTempUsed->Clear(reg - this->firstTemp);
+            this->fbvTempUsed->Clear(tempIndex);
         }
     }
 

diff --git a/lib/Backend/IRBuilderAsmJs.cpp b/lib/Backend/IRBuilderAsmJs.cpp
@@ -27,7 +27,7 @@ IRBuilderAsmJs::Build()
     m_switchBuilder.Init(m_func, m_tempAlloc, true);
 
     m_firstVarConst = 0;
-    Js::RegSlot tempCount = 0;
+    m_tempCount = 0;
     m_firstsType[0] = m_firstVarConst + AsmJsRegSlots::RegCount;
     for (int i = 0, j = 1; i < WAsmJs::LIMIT; ++i, ++j)
     {
@@ -36,7 +36,7 @@ IRBuilderAsmJs::Build()
         m_firstsType[j] = typedInfo.constCount;
         m_firstsType[j + WAsmJs::LIMIT] = typedInfo.varCount;
         m_firstsType[j + 2 * WAsmJs::LIMIT] = typedInfo.tmpCount;
-        tempCount += typedInfo.tmpCount;
+        m_tempCount += typedInfo.tmpCount;
     }
     // Fixup the firsts by looking at the previous value
     for (int i = 1; i < m_firstsTypeCount; ++i)
@@ -66,10 +66,10 @@ IRBuilderAsmJs::Build()
     // we will be using lower space for type specialized syms, so bump up where new temp syms can be created
     m_func->m_symTable->IncreaseStartingID(m_firstIRTemp - m_func->m_symTable->GetMaxSymID());
 
-    if (tempCount > 0)
+    if (m_tempCount > 0)
     {
-        m_tempMap = (SymID*)m_tempAlloc->AllocZero(sizeof(SymID) * tempCount);
-        m_fbvTempUsed = BVFixed::New<JitArenaAllocator>(tempCount, m_tempAlloc);
+        m_tempMap = AnewArrayZ(m_tempAlloc, SymID, m_tempCount);
+        m_fbvTempUsed = BVFixed::New<JitArenaAllocator>(m_tempCount, m_tempAlloc);
     }
     else
     {
@@ -359,9 +359,10 @@ IRBuilderAsmJs::BuildIntConstOpnd(Js::RegSlot regSlot)
     Js::Var * constTable = (Js::Var*)m_func->GetJITFunctionBody()->GetConstTable();
     const WAsmJs::TypedSlotInfo& info = m_func->GetJITFunctionBody()->GetAsmJsInfo()->GetTypedSlotInfo(WAsmJs::INT32);
     Assert(info.constSrcByteOffset != Js::Constants::InvalidOffset);
+    AssertOrFailFast(info.constSrcByteOffset < UInt32Math::Mul<sizeof(Js::Var)>(m_func->GetJITFunctionBody()->GetConstCount()));
     int* intConstTable = reinterpret_cast<int*>(((byte*)constTable) + info.constSrcByteOffset);
     Js::RegSlot srcReg = GetTypedRegFromRegSlot(regSlot, WAsmJs::INT32);
-    Assert(srcReg >= Js::FunctionBody::FirstRegSlot && srcReg < info.constCount);
+    AssertOrFailFast(srcReg >= Js::FunctionBody::FirstRegSlot && srcReg < info.constCount);
     const int32 value = intConstTable[srcReg];
     IR::IntConstOpnd *opnd = IR::IntConstOpnd::New(value, TyInt32, m_func);
 
@@ -536,7 +537,9 @@ IRBuilderAsmJs::GetMappedTemp(Js::RegSlot reg)
     AssertMsg(RegIsTemp(reg), "Processing non-temp reg as a temp?");
     AssertMsg(m_tempMap, "Processing non-temp reg without a temp map?");
 
-    return m_tempMap[reg - GetFirstTmp(WAsmJs::FirstType)];
+    Js::RegSlot tempIndex = reg - GetFirstTmp(WAsmJs::FirstType);
+    AssertOrFailFast(tempIndex < m_tempCount);
+    return m_tempMap[tempIndex];
 }
 
 void
@@ -545,7 +548,9 @@ IRBuilderAsmJs::SetMappedTemp(Js::RegSlot reg, SymID tempId)
     AssertMsg(RegIsTemp(reg), "Processing non-temp reg as a temp?");
     AssertMsg(m_tempMap, "Processing non-temp reg without a temp map?");
 
-    m_tempMap[reg - GetFirstTmp(WAsmJs::FirstType)] = tempId;
+    Js::RegSlot tempIndex = reg - GetFirstTmp(WAsmJs::FirstType);
+    AssertOrFailFast(tempIndex < m_tempCount);
+    m_tempMap[tempIndex] = tempId;
 }
 
 BOOL
@@ -554,7 +559,9 @@ IRBuilderAsmJs::GetTempUsed(Js::RegSlot reg)
     AssertMsg(RegIsTemp(reg), "Processing non-temp reg as a temp?");
     AssertMsg(m_fbvTempUsed, "Processing non-temp reg without a used BV?");
 
-    return m_fbvTempUsed->Test(reg - GetFirstTmp(WAsmJs::FirstType));
+    Js::RegSlot tempIndex = reg - GetFirstTmp(WAsmJs::FirstType);
+    AssertOrFailFast(tempIndex < m_tempCount);
+    return m_fbvTempUsed->Test(tempIndex);
 }
 
 void
@@ -563,13 +570,15 @@ IRBuilderAsmJs::SetTempUsed(Js::RegSlot reg, BOOL used)
     AssertMsg(RegIsTemp(reg), "Processing non-temp reg as a temp?");
     AssertMsg(m_fbvTempUsed, "Processing non-temp reg without a used BV?");
 
+    Js::RegSlot tempIndex = reg - GetFirstTmp(WAsmJs::FirstType);
+    AssertOrFailFast(tempIndex < m_tempCount);
     if (used)
     {
-        m_fbvTempUsed->Set(reg - GetFirstTmp(WAsmJs::FirstType));
+        m_fbvTempUsed->Set(tempIndex);
     }
     else
     {
-        m_fbvTempUsed->Clear(reg - GetFirstTmp(WAsmJs::FirstType));
+        m_fbvTempUsed->Clear(tempIndex);
     }
 }
 
@@ -697,6 +706,8 @@ void IRBuilderAsmJs::CreateLoadConstInstrForType(
 )
 {
     T* typedTable = (T*)(table + byteOffset);
+    AssertOrFailFast(byteOffset < UInt32Math::Mul<sizeof(Js::Var)>(m_func->GetJITFunctionBody()->GetConstCount()));
+    AssertOrFailFast(AllocSizeMath::Add((size_t)typedTable, UInt32Math::Mul<sizeof(T)>(constCount)) <= (size_t)((Js::Var*)m_func->GetJITFunctionBody()->GetConstTable() + m_func->GetJITFunctionBody()->GetConstCount()));
     // 1 for return register
     ++regAllocated;
     ++typedTable;

diff --git a/lib/Backend/IRBuilderAsmJs.h b/lib/Backend/IRBuilderAsmJs.h
@@ -172,6 +172,8 @@ class IRBuilderAsmJs
     Js::RegSlot             m_firstsType[m_firstsTypeCount];
     Js::RegSlot             m_firstVarConst;
     Js::RegSlot             m_firstIRTemp;
+    Js::RegSlot             m_tempCount;
+
     Js::OpCode *            m_simdOpcodesMap;
 
     Js::RegSlot GetFirstConst(WAsmJs::Types type) { return m_firstsType[type]; }

diff --git a/lib/Backend/JITTimeFunctionBody.cpp b/lib/Backend/JITTimeFunctionBody.cpp
@@ -870,6 +870,19 @@ JITTimeFunctionBody::GetConstantContent(Js::RegSlot location) const
     return obj;
 }
 
+void
+JITTimeFunctionBody::EnsureConsistentConstCount() const
+{
+    if (GetConstCount() == 0 || IsAsmJsMode())
+    {
+        AssertOrFailFast(m_bodyData.constTableContent == nullptr);
+    }
+    else
+    {
+        AssertOrFailFast(m_bodyData.constTableContent != nullptr && GetConstCount() == m_bodyData.constTableContent->count);
+    }
+}
+
 intptr_t
 JITTimeFunctionBody::GetInlineCache(uint index) const
 {
@@ -1059,20 +1072,22 @@ JITTimeFunctionBody::GetAuxDataAddr(uint offset) const
 void *
 JITTimeFunctionBody::ReadFromAuxData(uint offset) const
 {
+    AssertOrFailFast(offset < m_bodyData.auxDataCount);
     return (void *)(m_bodyData.auxData + offset);
 }
 
 void *
 JITTimeFunctionBody::ReadFromAuxContextData(uint offset) const
 {
+    AssertOrFailFast(offset < m_bodyData.auxContextDataCount);
     return (void *)(m_bodyData.auxContextData + offset);
 }
 
 const Js::PropertyIdArray *
 JITTimeFunctionBody::ReadPropertyIdArrayFromAuxData(uint offset) const
 {
     Js::PropertyIdArray * auxArray = (Js::PropertyIdArray *)(m_bodyData.auxData + offset);
-    Assert(offset + auxArray->GetDataSize() <= m_bodyData.auxDataCount);
+    AssertOrFailFast(AllocSizeMath::Add(offset, auxArray->GetDataSize()) <= m_bodyData.auxDataCount);
     return auxArray;
 }
 

diff --git a/lib/Backend/JITTimeFunctionBody.h b/lib/Backend/JITTimeFunctionBody.h
@@ -98,6 +98,7 @@ class JITTimeFunctionBody
     bool CanInlineRecursively(uint depth, bool tryAggressive = true) const;
     bool NeedScopeObjectForArguments(bool hasNonSimpleParams) const;
     bool GetDoScopeObjectCreation() const;
+    void EnsureConsistentConstCount() const;
 
     const byte * GetByteCodeBuffer() const;
     StatementMapIDL * GetFullStatementMap() const;

diff --git a/lib/Backend/JITTimeProfileInfo.h b/lib/Backend/JITTimeProfileInfo.h
@@ -34,6 +34,8 @@ class JITTimeProfileInfo
     Js::ImplicitCallFlags GetImplicitCallFlags() const;
     Js::LoopFlags GetLoopFlags(uint loopNum) const;
 
+    uint GetLoopCount() const;
+
     uint16 GetConstantArgInfo(Js::ProfileId callSiteId) const;
 
     bool IsModulusOpByPowerOf2(Js::ProfileId profileId) const;
@@ -116,7 +118,6 @@ class JITTimeProfileInfo
     Js::ProfileId GetProfiledSlotCount() const;
     Js::ArgSlot GetProfiledInParamsCount() const;
     uint GetProfiledFldCount() const;
-    uint GetLoopCount() const;
     BVFixed * GetLoopFlags() const;
 
     bool TestFlag(ProfileDataFlags flag) const;

diff --git a/lib/Backend/LinearScan.cpp b/lib/Backend/LinearScan.cpp
@@ -3632,7 +3632,7 @@ void LinearScan::TrackInlineeArgLifetimes(IR::Instr* instr)
             Assert(this->currentBlock->inlineeStack.Count() == 0);
         }
     }
-    else if (instr->m_opcode == Js::OpCode::InlineeEnd)
+    else if (instr->m_opcode == Js::OpCode::InlineeEnd || instr->HasBailOnNoProfile())
     {
         if (instr->m_func->m_hasInlineArgsOpt)
         {