Skip to content

Commit

Permalink
[MERGE #6464 @rajeshpeter] ChakraCore Servicing Update for 2020.06B
Browse files Browse the repository at this point in the history 
Merge pull request #6464 from rajeshpeter:servicing/2006

CVE-2020-1219]
Js::PathTypeHandlerBase::SetPrototype should protect against the case where the instance's type is changed as a side-effect of calling newPrototype->GetInternalProperty. Intl.js should not refer directly to the global Intl property, as this may have been modified by the user in such a way that Intl initialization has side-effects. Created an Intl property on the interface object whose value is the built-in Intl object and refer to that in Intl.js instead.

[CVE-2020-1073]
Non-optimized StFld that may change the object's type may be undetected in the loop prepass, resulting in bad AdjustObjType downstream. If the dead store pass detects a final type that's live across a non-optimized StFld, mark the StFld to use a helper that will return true if the object's type is changed, and bail out if the helper returns true. Also ensures there is no type transition live across InitClassMember.
  • Loading branch information
@rajeshpeter
rajeshpeter committed Jun 9, 2020
2 parents 5ed2985 + 52f4143 commit 906f833
Show file tree
Hide file tree
Showing 22 changed files with 24,360 additions and 24,087 deletions.
2 changes: 1 addition & 1 deletion Build/NuGet/.pack-version
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.11.19
1.11.20
43 changes: 43 additions & 0 deletions lib/Backend/BackwardPass.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -935,6 +935,7 @@ BackwardPass::MergeSuccBlocksInfo(BasicBlock * block)
blockSucc->couldRemoveNegZeroBailoutForDef = nullptr;
}
}
this->CombineTypeIDsWithFinalType(block, blockSucc);
}

if (blockSucc->noImplicitCallUses != nullptr)
Expand Down Expand Up @@ -4733,6 +4734,7 @@ BackwardPass::ProcessNewScObject(IR::Instr* instr)
#else
block->stackSymToFinalType->Clear(objSym->m_id);
#endif
this->ClearTypeIDWithFinalType(objSym->m_id, block);
}
}

Expand Down Expand Up @@ -5208,6 +5210,10 @@ BackwardPass::MayPropertyBeWrittenTo(Js::PropertyId propertyId)
void
BackwardPass::ProcessPropertySymOpndUse(IR::PropertySymOpnd * opnd)
{
if (opnd == this->currentInstr->GetDst() && this->HasTypeIDWithFinalType(this->currentBlock))
{
opnd->SetCantChangeType(true);
}

// If this operand doesn't participate in the type check sequence it's a pass-through.
// We will not set any bits on the operand and we will ignore them when lowering.
Expand Down Expand Up @@ -5440,6 +5446,7 @@ BackwardPass::TrackObjTypeSpecProperties(IR::PropertySymOpnd *opnd, BasicBlock *
this->currentInstr->ChangeEquivalentToMonoTypeCheckBailOut();
}
bucket->SetMonoGuardType(nullptr);
this->ClearTypeIDWithFinalType(objSym->m_id, block);
}

if (!opnd->IsTypeAvailable())
Expand Down Expand Up @@ -5641,6 +5648,7 @@ BackwardPass::TrackAddPropertyTypes(IR::PropertySymOpnd *opnd, BasicBlock *block
}

pBucket->SetInitialType(typeWithoutProperty);
this->SetTypeIDWithFinalType(propertySym->m_stackSym->m_id, block);

if (!PHASE_OFF(Js::ObjTypeSpecStorePhase, this->func))
{
Expand Down Expand Up @@ -5728,6 +5736,7 @@ BackwardPass::TrackAddPropertyTypes(IR::PropertySymOpnd *opnd, BasicBlock *block
#else
block->stackSymToFinalType->Clear(propertySym->m_stackSym->m_id);
#endif
this->ClearTypeIDWithFinalType(propertySym->m_stackSym->m_id, block);
}
}

Expand Down Expand Up @@ -5933,6 +5942,40 @@ BackwardPass::ForEachAddPropertyCacheBucket(Fn fn)
NEXT_HASHTABLE_ENTRY;
}

void
BackwardPass::SetTypeIDWithFinalType(int symID, BasicBlock *block)
{
BVSparse<JitArenaAllocator> *bv = block->EnsureTypeIDsWithFinalType(this->tempAlloc);
bv->Set(symID);
}

void
BackwardPass::ClearTypeIDWithFinalType(int symID, BasicBlock *block)
{
BVSparse<JitArenaAllocator> *bv = block->typeIDsWithFinalType;
if (bv != nullptr)
{
bv->Clear(symID);
}
}

bool
BackwardPass::HasTypeIDWithFinalType(BasicBlock *block) const
{
return block->typeIDsWithFinalType != nullptr && !block->typeIDsWithFinalType->IsEmpty();
}

void
BackwardPass::CombineTypeIDsWithFinalType(BasicBlock *block, BasicBlock *blockSucc)
{
BVSparse<JitArenaAllocator> *bvSucc = blockSucc->typeIDsWithFinalType;
if (bvSucc != nullptr && !bvSucc->IsEmpty())
{
BVSparse<JitArenaAllocator> *bv = block->EnsureTypeIDsWithFinalType(this->tempAlloc);
bv->Or(bvSucc);
}
}

bool
BackwardPass::TransitionUndoesObjectHeaderInlining(AddPropertyCacheBucket *data) const
{
Expand Down
5 changes: 5 additions & 0 deletions lib/Backend/BackwardPass.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,11 @@ class BackwardPass
void InsertTypeTransitionsAtPotentialKills();
bool TransitionUndoesObjectHeaderInlining(AddPropertyCacheBucket *data) const;

void SetTypeIDWithFinalType(int symId, BasicBlock *block);
void ClearTypeIDWithFinalType(int symId, BasicBlock *block);
bool HasTypeIDWithFinalType(BasicBlock *block) const;
void CombineTypeIDsWithFinalType(BasicBlock *block, BasicBlock *blockSucc);

template<class Fn> void ForEachAddPropertyCacheBucket(Fn fn);
static ObjTypeGuardBucket MergeGuardedProperties(ObjTypeGuardBucket bucket1, ObjTypeGuardBucket bucket2);
static ObjWriteGuardBucket MergeWriteGuards(ObjWriteGuardBucket bucket1, ObjWriteGuardBucket bucket2);
Expand Down
10 changes: 10 additions & 0 deletions lib/Backend/FlowGraph.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3399,6 +3399,16 @@ BasicBlock::CreateLoopTopBailOutInfo(GlobOpt * globOpt)
return bailOutInfo;
}

BVSparse<JitArenaAllocator> *
BasicBlock::EnsureTypeIDsWithFinalType(JitArenaAllocator *alloc)
{
if (typeIDsWithFinalType == nullptr)
{
typeIDsWithFinalType = JitAnew(alloc, BVSparse<JitArenaAllocator>, alloc);
}
return typeIDsWithFinalType;
}

IR::Instr *
FlowGraph::RemoveInstr(IR::Instr *instr, GlobOpt * globOpt)
{
Expand Down
4 changes: 4 additions & 0 deletions lib/Backend/FlowGraph.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -349,6 +349,8 @@ class BasicBlock
bool IsLandingPad();
BailOutInfo * CreateLoopTopBailOutInfo(GlobOpt * globOpt);

BVSparse<JitArenaAllocator> *EnsureTypeIDsWithFinalType(JitArenaAllocator *alloc);

// GlobOpt Stuff
public:
bool PathDepBranchFolding(GlobOpt* globOptState);
Expand Down Expand Up @@ -400,6 +402,7 @@ class BasicBlock
HashTable<AddPropertyCacheBucket> * stackSymToFinalType;
HashTable<ObjTypeGuardBucket> * stackSymToGuardedProperties; // Dead store pass only
HashTable<ObjWriteGuardBucket> * stackSymToWriteGuardsMap; // Backward pass only
BVSparse<JitArenaAllocator> * typeIDsWithFinalType;
BVSparse<JitArenaAllocator> * noImplicitCallUses;
BVSparse<JitArenaAllocator> * noImplicitCallNoMissingValuesUses;
BVSparse<JitArenaAllocator> * noImplicitCallNativeArrayUses;
Expand Down Expand Up @@ -443,6 +446,7 @@ class BasicBlock
stackSymToFinalType(nullptr),
stackSymToGuardedProperties(nullptr),
stackSymToWriteGuardsMap(nullptr),
typeIDsWithFinalType(nullptr),
noImplicitCallUses(nullptr),
noImplicitCallNoMissingValuesUses(nullptr),
noImplicitCallNativeArrayUses(nullptr),
Expand Down
1 change: 1 addition & 0 deletions lib/Backend/GlobOptFields.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -392,6 +392,7 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo

case Js::OpCode::InitSetFld:
case Js::OpCode::InitGetFld:
case Js::OpCode::InitClassMember:
case Js::OpCode::InitClassMemberGet:
case Js::OpCode::InitClassMemberSet:
sym = instr->GetDst()->AsSymOpnd()->m_sym;
Expand Down
11 changes: 11 additions & 0 deletions lib/Backend/JnHelperMethodList.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -254,6 +254,17 @@ HELPERCALLCHK(Op_PatchPutValueWithThisPtrNoLocalFastPathPolymorphic, ((void (*)(
HELPERCALLCHK(Op_PatchPutRootValueNoLocalFastPath, ((void (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutRootValueNoLocalFastPath<true, Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutRootValueNoLocalFastPathPolymorphic, ((void (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutRootValueNoLocalFastPath<true, Js::PolymorphicInlineCache>), AttrCanThrow)

HELPERCALLCHK(Op_PatchInitValueCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::RecyclableObject*, Js::PropertyId, Js::Var))Js::JavascriptOperators::PatchInitValueCantChangeType<Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchInitValuePolymorphicCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::RecyclableObject*, Js::PropertyId, Js::Var))Js::JavascriptOperators::PatchInitValueCantChangeType<Js::PolymorphicInlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueCantChangeType<Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueWithThisPtrCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueWithThisPtrCantChangeType<Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValuePolymorphicCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueCantChangeType<Js::PolymorphicInlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueWithThisPtrPolymorphicCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueWithThisPtrCantChangeType<Js::PolymorphicInlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueNoLocalFastPathCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueNoLocalFastPathCantChangeType<Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueWithThisPtrNoLocalFastPathCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueWithThisPtrNoLocalFastPathCantChangeType<Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueNoLocalFastPathPolymorphicCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueNoLocalFastPathCantChangeType<Js::PolymorphicInlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueWithThisPtrNoLocalFastPathPolymorphicCantChangeType, ((bool (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueWithThisPtrNoLocalFastPathCantChangeType<Js::PolymorphicInlineCache>), AttrCanThrow)

HELPERCALLCHK(Op_PatchInitValueCheckLayout, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::RecyclableObject*, Js::PropertyId, Js::Var))Js::JavascriptOperators::PatchInitValueCheckLayout<Js::InlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchInitValuePolymorphicCheckLayout, ((bool (*)(Js::FunctionBody *const, Js::PolymorphicInlineCache *const, const Js::InlineCacheIndex, Js::RecyclableObject*, Js::PropertyId, Js::Var))Js::JavascriptOperators::PatchInitValueCheckLayout<Js::PolymorphicInlineCache>), AttrCanThrow)
HELPERCALLCHK(Op_PatchPutValueCheckLayout, ((bool (*)(Js::FunctionBody *const, Js::InlineCache *const, const Js::InlineCacheIndex, Js::Var, Js::PropertyId, Js::Var, Js::PropertyOperationFlags))Js::JavascriptOperators::PatchPutValueCheckLayout<Js::InlineCache>), AttrCanThrow)
Expand Down
149 changes: 112 additions & 37 deletions lib/Backend/Lower.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7112,48 +7112,14 @@ Lowerer::LowerStFld(
if (dst->AsSymOpnd()->IsPropertySymOpnd())
{
propertySymOpnd = dst->AsPropertySymOpnd();
if (stFldInstr->HasBailOutInfo() && !propertySymOpnd->IsTypeCheckSeqCandidate() && propertySymOpnd->TypeCheckRequired())
if (stFldInstr->HasBailOutInfo() && !propertySymOpnd->IsTypeCheckSeqCandidate() &&
(propertySymOpnd->CantChangeType() || propertySymOpnd->TypeCheckRequired()))
{
IR::Instr * instrBailTarget = stFldInstr->ShareBailOut();
LowerBailTarget(instrBailTarget);
doCheckLayout = true;
bailOutInfo = stFldInstr->GetBailOutInfo();
switch (helperMethod)
{
case IR::HelperOp_PatchPutValue:
helperMethod = IR::HelperOp_PatchPutValueCheckLayout;
break;
case IR::HelperOp_PatchPutValuePolymorphic:
helperMethod = IR::HelperOp_PatchPutValuePolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueNoLocalFastPath:
helperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathCheckLayout;
break;
case IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphic:
helperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtr:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtrPolymorphic:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPath:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphic:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchInitValue:
helperMethod = IR::HelperOp_PatchInitValueCheckLayout;
break;
case IR::HelperOp_PatchInitValuePolymorphic:
helperMethod = IR::HelperOp_PatchInitValuePolymorphicCheckLayout;
break;
default:
AssertOrFailFast(false);
break;
}
MapStFldHelper(propertySymOpnd, helperMethod, polymorphicHelperMethod);
}
}

Expand Down Expand Up @@ -7221,6 +7187,115 @@ Lowerer::LowerStFld(
return instrPrev;
}

void
Lowerer::MapStFldHelper(IR::PropertySymOpnd * propertySymOpnd, IR::JnHelperMethod &helperMethod, IR::JnHelperMethod &polymorphicHelperMethod)
{
Assert(propertySymOpnd->CantChangeType() || propertySymOpnd->TypeCheckRequired());

if (propertySymOpnd->CantChangeType())
{
switch (helperMethod)
{
case IR::HelperOp_PatchPutValue:
helperMethod = IR::HelperOp_PatchPutValueCantChangeType;
polymorphicHelperMethod = IR::HelperOp_PatchPutValuePolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValuePolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValuePolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValueNoLocalFastPath:
helperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathCantChangeType;
polymorphicHelperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValueWithThisPtr:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrCantChangeType;
polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrPolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValueWithThisPtrPolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrPolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPath:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathCantChangeType;
polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphicCantChangeType;
break;
case IR::HelperOp_PatchInitValue:
helperMethod = IR::HelperOp_PatchInitValueCantChangeType;
polymorphicHelperMethod = IR::HelperOp_PatchInitValuePolymorphicCantChangeType;
break;
case IR::HelperOp_PatchInitValuePolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchInitValuePolymorphicCantChangeType;
break;
case IR::HelperOp_PatchPutRootValue:
case IR::HelperOp_PatchPutRootValuePolymorphic:
case IR::HelperOp_PatchPutRootValueNoLocalFastPath:
case IR::HelperOp_PatchPutRootValueNoLocalFastPathPolymorphic:
// No helper method change is needed here, because the global object doesn't participate in final type opt, so it can't alias
// an object that does.
break;
default:
AssertOrFailFast(false);
break;
}
}
else
{
switch (helperMethod)
{
case IR::HelperOp_PatchPutValue:
helperMethod = IR::HelperOp_PatchPutValueCheckLayout;
polymorphicHelperMethod = IR::HelperOp_PatchPutValuePolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValuePolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValuePolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueNoLocalFastPath:
helperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathCheckLayout;
polymorphicHelperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValueNoLocalFastPathPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtr:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrCheckLayout;
polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtrPolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPath:
helperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathCheckLayout;
polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchPutValueWithThisPtrNoLocalFastPathPolymorphicCheckLayout;
break;
case IR::HelperOp_PatchInitValue:
helperMethod = IR::HelperOp_PatchInitValueCheckLayout;
polymorphicHelperMethod = IR::HelperOp_PatchInitValuePolymorphicCheckLayout;
break;
case IR::HelperOp_PatchInitValuePolymorphic:
helperMethod = polymorphicHelperMethod = IR::HelperOp_PatchInitValuePolymorphicCheckLayout;
break;
case IR::HelperOp_PatchPutRootValue:
case IR::HelperOp_PatchPutRootValuePolymorphic:
case IR::HelperOp_PatchPutRootValueNoLocalFastPath:
case IR::HelperOp_PatchPutRootValueNoLocalFastPathPolymorphic:
// No helper method change is needed here, because the global object doesn't participate in final type opt, so it can't alias
// an object that does.
break;
default:
AssertOrFailFast(false);
break;
}
}
}

IR::Instr* Lowerer::GenerateCompleteStFld(IR::Instr* instr, bool emitFastPath, IR::JnHelperMethod monoHelperAfterFastPath, IR::JnHelperMethod polyHelperAfterFastPath,
IR::JnHelperMethod monoHelperWithoutFastPath, IR::JnHelperMethod polyHelperWithoutFastPath, bool withPutFlags, Js::PropertyOperationFlags flags)
{
Expand Down
Loading

0 comments on commit 906f833

Please sign in to comment.