CVE-2019-0771
diff --git a/lib/Backend/FlowGraph.cpp b/lib/Backend/FlowGraph.cpp
index 5b56777..645b58e 100644
--- a/lib/Backend/FlowGraph.cpp
+++ b/lib/Backend/FlowGraph.cpp
@@ -5266,7 +5266,7 @@
}
if(symsRequiringCompensationToMergedValueInfoMap.Count() != 0)
{
- globOpt->InsertValueCompensation(pred, &symsRequiringCompensationToMergedValueInfoMap);
+ globOpt->InsertValueCompensation(pred, this, &symsRequiringCompensationToMergedValueInfoMap);
}
}
} NEXT_PREDECESSOR_EDGE_EDITING;
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
index 1785d98..f09edda 100644
--- a/lib/Backend/GlobOpt.cpp
+++ b/lib/Backend/GlobOpt.cpp
@@ -601,7 +601,7 @@
if (block->loop->symsRequiringCompensationToMergedValueInfoMap)
{
- InsertValueCompensation(block, block->loop->symsRequiringCompensationToMergedValueInfoMap);
+ InsertValueCompensation(block, succ, block->loop->symsRequiringCompensationToMergedValueInfoMap);
}
// Now that we're done with the liveFields within this loop, trim the set to those syms
@@ -1156,9 +1156,12 @@
void GlobOpt::InsertValueCompensation(
BasicBlock *const predecessor,
+ BasicBlock *const successor,
const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap)
{
Assert(predecessor);
+ Assert(successor);
+ AssertOrFailFast(predecessor != successor);
Assert(symsRequiringCompensationToMergedValueInfoMap->Count() != 0);
IR::Instr *insertBeforeInstr = predecessor->GetLastInstr();
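Review bot: The added `AssertOrFailFast(predecessor != successor)` has no comment saying why identical blocks must terminate the process, and the null check on the same new parameter is only `Assert(successor)`. Neither call site in this commit (`pred`/`this` in FlowGraph.cpp, `block`/`succ` in the loop path at -601) shows within its hunk what guarantees the two blocks differ, so the reason belongs here, for example `// Compensation reconciles the predecessor's values with the successor's merged values; the two must be distinct blocks' globOptData.` If `Assert` is compiled out of release builds, as the separate fail-fast macro suggests, consider `AssertOrFailFast(successor != nullptr);` so the later `successor->globOptData` access gets the same protection. The function body continues outside this hunk.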
@@ -1182,7 +1185,7 @@
}
GlobOptBlockData &predecessorBlockData = predecessor->globOptData;
- GlobOptBlockData &successorBlockData = *CurrentBlockData();
+ GlobOptBlockData &successorBlockData = successor->globOptData;
struct DelayChangeValueInfo
{
Value* predecessorValue;
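Review bot: Other reads of current-block state may remain in `InsertValueCompensation` beyond the one line fixed here, since the rest of the body lies outside this hunk. Any remaining `CurrentBlockData()` use in the function should be checked against the loop-path caller, where the block being processed is presumably not the successor. A comment on the new line would help keep the implicit dependence from being reintroduced: `// Use the explicit successor; the optimizer's current block is not always the merge target.`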
diff --git a/lib/Backend/GlobOpt.h b/lib/Backend/GlobOpt.h
index 8fddd80..b6afcf6 100644
--- a/lib/Backend/GlobOpt.h
+++ b/lib/Backend/GlobOpt.h
@@ -737,7 +737,7 @@
void PreLowerCanonicalize(IR::Instr *instr, Value **pSrc1Val, Value **pSrc2Val);
void ProcessKills(IR::Instr *instr);
void InsertCloneStrs(BasicBlock *toBlock, GlobOptBlockData *toData, GlobOptBlockData *fromData);
- void InsertValueCompensation(BasicBlock *const predecessor, const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap);
+ void InsertValueCompensation(BasicBlock *const predecessor, BasicBlock *const successor, const SymToValueInfoMap *symsRequiringCompensationToMergedValueInfoMap);
IR::Instr * ToVarUses(IR::Instr *instr, IR::Opnd *opnd, bool isDst, Value *val);
void ToVar(BVSparse<JitArenaAllocator> *bv, BasicBlock *block);
IR::Instr * ToVar(IR::Instr *instr, IR::RegOpnd *regOpnd, BasicBlock *block, Value *val, bool needsUpdate);
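Review bot: The declaration now takes two adjacent `BasicBlock *const` parameters with nothing documenting which is which, and swapping them at a call site would compile cleanly and still pass the `predecessor != successor` fail-fast. A one-line comment above the declaration would make the contract explicit, for example `// predecessor: block whose tail receives the compensation instructions; successor: block whose merged value info they must match (must differ from predecessor).` The wording about where instructions are inserted is inferred from `predecessor->GetLastInstr()` in GlobOpt.cpp and should be confirmed against the full body.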