[MERGE #6528 @akroshg] ChakraCore Servicing update for 2020.11B

akroshg · akroshg · commit 008e43ecbab3 · 2020-11-10T12:01:00.000-08:00
Merge pull request #6528 from akroshg:servicing_2011 Fixing - [CVE-2020-17054] [CVE-2020-17048]
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.22
+1.11.23
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -14591,6 +14591,14 @@ GlobOpt::OptIsInvariant(
             allowNonPrimitives = true;
         }
         break;
+
+    case Js::OpCode::CheckFixedFld:
+        if (!instr->GetSrc1()->AsPropertySymOpnd()->NeedsPrimaryTypeCheck())
+        {
+            break;
+        }
+        // Fall through. If the instruction has to do a type check as well as a fixed field check, then we need to check the invariance
+        // of the type symbol.
     case Js::OpCode::CheckObjType:
         // Bug 11712101: If the operand is a field, ensure that its containing object type is invariant
         // before hoisting -- that is, don't hoist a CheckObjType over a DeleteFld on that object.
diff --git a/lib/Backend/GlobOpt.h b/lib/Backend/GlobOpt.h
@@ -559,7 +559,7 @@ class GlobOpt
     void                    TryOptimizeInstrWithFixedDataProperty(IR::Instr * * const pInstr);
     bool                    CheckIfPropOpEmitsTypeCheck(IR::Instr *instr, IR::PropertySymOpnd *opnd);
     IR::PropertySymOpnd *   CreateOpndForTypeCheckOnly(IR::PropertySymOpnd* opnd, Func* func);
-    bool                    FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block = nullptr, bool updateExistingValue = false, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr);
+    bool                    FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block = nullptr, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr);
     IR::Instr *             SetTypeCheckBailOut(IR::Opnd *opnd, IR::Instr *instr, BailOutInfo *bailOutInfo);
     void                    OptArguments(IR::Instr *Instr);
     void                    TrackInstrsForScopeObjectRemoval(IR::Instr * instr);
@@ -944,7 +944,7 @@ class GlobOpt
     bool                    ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd);
     bool                    CheckIfInstrInTypeCheckSeqEmitsTypeCheck(IR::Instr* instr, IR::PropertySymOpnd *opnd);
     template<bool makeChanges>
-    bool                    ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr, bool *isObjTypeChecked = nullptr);
+    bool                    ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool* emitsTypeCheckOut = nullptr, bool* changesTypeValueOut = nullptr, bool *isObjTypeChecked = nullptr);
     template<class Fn>
     bool                    MapObjectHeaderInlinedTypeSymsUntil(BasicBlock *block, bool isObjTypeSpecialized, SymID opndId, Fn fn);
     void                    KillObjectHeaderInlinedTypeSyms(BasicBlock *block, bool isObjTypeSpecialized, SymID symId = SymID_Invalid);
@@ -954,8 +954,8 @@ class GlobOpt
     void                    SetTypeSetOnObjectTypeValue(Value* value, Js::EquivalentTypeSet* typeSet);
     void                    UpdateObjectTypeValue(Value* value, const JITTypeHolder type, bool setType, Js::EquivalentTypeSet* typeSet, bool setTypeSet);
     void                    SetObjectTypeFromTypeSym(StackSym *typeSym, Value* value, BasicBlock* block = nullptr);
-    void                    SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block = nullptr, bool updateExistingValue = false);
-    void                    SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData, bool updateExistingValue = false);
+    void                    SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block = nullptr);
+    void                    SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData);
     void                    KillObjectType(StackSym *objectSym, BVSparse<JitArenaAllocator>* liveFields = nullptr);
     void                    KillAllObjectTypes(BVSparse<JitArenaAllocator>* liveFields = nullptr);
     void                    EndFieldLifetime(IR::SymOpnd *symOpnd);
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -875,7 +875,7 @@ GlobOpt::CreateOpndForTypeCheckOnly(IR::PropertySymOpnd* opnd, Func* func)
 }
 
 bool
-GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut, bool* changesTypeValueOut)
+GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool* emitsTypeCheckOut, bool* changesTypeValueOut)
 {
     if (!DoFieldRefOpts() || !OpCodeAttr::FastFldInstr(instr->m_opcode))
     {
@@ -888,7 +888,7 @@ GlobOpt::FinishOptPropOp(IR::Instr *instr, IR::PropertySymOpnd *opnd, BasicBlock
 
     if (isTypeCheckSeqCandidate)
     {
-        isObjTypeSpecialized = ProcessPropOpInTypeCheckSeq<true>(instr, opnd, block, updateExistingValue, emitsTypeCheckOut, changesTypeValueOut, &isObjTypeChecked);
+        isObjTypeSpecialized = ProcessPropOpInTypeCheckSeq<true>(instr, opnd, block, emitsTypeCheckOut, changesTypeValueOut, &isObjTypeChecked);
     }
 
     if (opnd == instr->GetDst() && this->objectTypeSyms)
@@ -1102,19 +1102,19 @@ GlobOpt::CompareCurrentTypesWithExpectedTypes(JsTypeValueInfo *valueInfo, IR::Pr
 bool
 GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd)
 {
-    return ProcessPropOpInTypeCheckSeq<true>(instr, opnd, this->currentBlock, false);
+    return ProcessPropOpInTypeCheckSeq<true>(instr, opnd, this->currentBlock);
 }
 
 bool GlobOpt::CheckIfInstrInTypeCheckSeqEmitsTypeCheck(IR::Instr* instr, IR::PropertySymOpnd *opnd)
 {
     bool emitsTypeCheck;
-    ProcessPropOpInTypeCheckSeq<false>(instr, opnd, this->currentBlock, false, &emitsTypeCheck);
+    ProcessPropOpInTypeCheckSeq<false>(instr, opnd, this->currentBlock, &emitsTypeCheck);
     return emitsTypeCheck;
 }
 
 template<bool makeChanges>
 bool
-GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut, bool* changesTypeValueOut, bool *isTypeCheckedOut)
+GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd, BasicBlock* block, bool* emitsTypeCheckOut, bool* changesTypeValueOut, bool *isTypeCheckedOut)
 {
     // We no longer mark types as dead in the backward pass, so we should never see an instr with a dead type here
     // during the forward pass. For the time being we've retained the logic below to deal with dead types in case
@@ -1193,7 +1193,7 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
             addsProperty = isStore && isSpecialized && opnd->HasInitialType();
             if (produceType)
             {
-                SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block, updateExistingValue);
+                SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block);
             }
         }
         else if (valueInfo->GetJsType() != nullptr)
@@ -1227,7 +1227,7 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
                 }
                 if (produceType)
                 {
-                    SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block, updateExistingValue);
+                    SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block);
                 }
                 isSpecialized = !isTypeDead || !objectMayHaveAcquiredAdditionalProperties;
                 emitsTypeCheck = isSpecialized && objectMayHaveAcquiredAdditionalProperties;
@@ -1376,11 +1376,11 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
             {
                 if (opnd->IsMono())
                 {
-                    SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block, updateExistingValue);
+                    SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block);
                 }
                 else
                 {
-                    SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block, updateExistingValue);
+                    SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block);
                 }
             }
             isSpecialized = !isTypeDead;
@@ -1421,11 +1421,11 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd
             {
                 if (opnd->IsMono())
                 {
-                    SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block, updateExistingValue);
+                    SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block);
                 }
                 else
                 {
-                    SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block, updateExistingValue);
+                    SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block);
                 }
             }
             isSpecialized = !isTypeDead;
@@ -1788,18 +1788,18 @@ GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, Value* value, BasicBlock* b
 }
 
 void
-GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block, bool updateExistingValue)
+GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, BasicBlock* block)
 {
     if (block == nullptr)
     {
         block = this->currentBlock;
     }
 
-    SetObjectTypeFromTypeSym(typeSym, type, typeSet, &block->globOptData, updateExistingValue);
+    SetObjectTypeFromTypeSym(typeSym, type, typeSet, &block->globOptData);
 }
 
 void
-GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData, bool updateExistingValue)
+GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, Js::EquivalentTypeSet * typeSet, GlobOptBlockData *blockData)
 {
     Assert(typeSym != nullptr);
 
@@ -1810,25 +1810,10 @@ GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, J
         blockData = &this->currentBlock->globOptData;
     }
 
-    if (updateExistingValue)
-    {
-        Value* value = blockData->FindValueFromMapDirect(typeSymId);
-
-        // If we're trying to update an existing value, the value better exist. We only do this when updating a generic
-        // value created during loop pre-pass for field hoisting, so we expect the value info to still be blank.
-        Assert(value != nullptr && value->GetValueInfo() != nullptr && value->GetValueInfo()->IsJsType());
-        JsTypeValueInfo* valueInfo = value->GetValueInfo()->AsJsType();
-        Assert(valueInfo->GetJsType() == nullptr && valueInfo->GetJsTypeSet() == nullptr);
-        UpdateObjectTypeValue(value, type, true, typeSet, true);
-    }
-    else
-    {
-        JsTypeValueInfo* valueInfo = JsTypeValueInfo::New(this->alloc, type, typeSet);
-        this->SetSymStoreDirect(valueInfo, typeSym);
-        Value* value = NewValue(valueInfo);
-        blockData->SetValue(value, typeSym);
-    }
-
+    JsTypeValueInfo* valueInfo = JsTypeValueInfo::New(this->alloc, type, typeSet);
+    this->SetSymStoreDirect(valueInfo, typeSym);
+    Value* value = NewValue(valueInfo);
+    blockData->SetValue(value, typeSym);
     blockData->liveFields->Set(typeSymId);
 }
 
diff --git a/lib/Backend/Lower.cpp b/lib/Backend/Lower.cpp
@@ -27152,8 +27152,11 @@ void Lowerer::LowerLdFrameDisplay(IR::Instr *instr, bool doStackFrameDisplay)
         if (instr->m_func != this->m_func && this->m_func->DoStackFrameDisplay())
         {
             StackSym * inlineeFrameDisplaySym = instr->m_func->GetLocalFrameDisplaySym();
-            Assert(inlineeFrameDisplaySym->IsAllocated());
-            InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);
+            Assert((inlineeFrameDisplaySym && inlineeFrameDisplaySym->IsAllocated()) || this->m_func->IsLoopBody());
+            if (inlineeFrameDisplaySym && inlineeFrameDisplaySym->IsAllocated())
+            {
+                InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);
+            }
         }
     }
 
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 22
+#define CHAKRA_CORE_PATCH_VERSION 23
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------

Original file line number	Diff line number	Diff line change
`@@ -875,7 +875,7 @@ GlobOpt::CreateOpndForTypeCheckOnly(IR::PropertySymOpnd* opnd, Func* func)`
`875`	`875`	`}`
`876`	`876`
`877`	`877`	`bool`
`878`		`-GlobOpt::FinishOptPropOp(IR::Instr instr, IR::PropertySymOpnd opnd, BasicBlock* block, bool updateExistingValue, bool* emitsTypeCheckOut, bool* changesTypeValueOut)`
	`878`	`+GlobOpt::FinishOptPropOp(IR::Instr instr, IR::PropertySymOpnd opnd, BasicBlock* block, bool* emitsTypeCheckOut, bool* changesTypeValueOut)`
`879`	`879`	`{`
`880`	`880`	`if (!DoFieldRefOpts() \|\| !OpCodeAttr::FastFldInstr(instr->m_opcode))`
`881`	`881`	`{`
`@@ -888,7 +888,7 @@ GlobOpt::FinishOptPropOp(IR::Instr instr, IR::PropertySymOpnd opnd, BasicBlock`
`888`	`888`
`889`	`889`	`if (isTypeCheckSeqCandidate)`
`890`	`890`	`{`
`891`		`- isObjTypeSpecialized = ProcessPropOpInTypeCheckSeq<true>(instr, opnd, block, updateExistingValue, emitsTypeCheckOut, changesTypeValueOut, &isObjTypeChecked);`
	`891`	`+ isObjTypeSpecialized = ProcessPropOpInTypeCheckSeq<true>(instr, opnd, block, emitsTypeCheckOut, changesTypeValueOut, &isObjTypeChecked);`
`892`	`892`	`}`
`893`	`893`
`894`	`894`	`if (opnd == instr->GetDst() && this->objectTypeSyms)`
`@@ -1102,19 +1102,19 @@ GlobOpt::CompareCurrentTypesWithExpectedTypes(JsTypeValueInfo *valueInfo, IR::Pr`
`1102`	`1102`	`bool`
`1103`	`1103`	`GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd)`
`1104`	`1104`	`{`
`1105`		`- return ProcessPropOpInTypeCheckSeq<true>(instr, opnd, this->currentBlock, false);`
	`1105`	`+ return ProcessPropOpInTypeCheckSeq<true>(instr, opnd, this->currentBlock);`
`1106`	`1106`	`}`
`1107`	`1107`
`1108`	`1108`	`bool GlobOpt::CheckIfInstrInTypeCheckSeqEmitsTypeCheck(IR::Instr* instr, IR::PropertySymOpnd *opnd)`
`1109`	`1109`	`{`
`1110`	`1110`	`bool emitsTypeCheck;`
`1111`		`- ProcessPropOpInTypeCheckSeq<false>(instr, opnd, this->currentBlock, false, &emitsTypeCheck);`
	`1111`	`+ ProcessPropOpInTypeCheckSeq<false>(instr, opnd, this->currentBlock, &emitsTypeCheck);`
`1112`	`1112`	`return emitsTypeCheck;`
`1113`	`1113`	`}`
`1114`	`1114`
`1115`	`1115`	`template<bool makeChanges>`
`1116`	`1116`	`bool`
`1117`		`-GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd opnd, BasicBlock block, bool updateExistingValue, bool* emitsTypeCheckOut, bool* changesTypeValueOut, bool *isTypeCheckedOut)`
	`1117`	`+GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd opnd, BasicBlock block, bool* emitsTypeCheckOut, bool* changesTypeValueOut, bool *isTypeCheckedOut)`
`1118`	`1118`	`{`
`1119`	`1119`	`// We no longer mark types as dead in the backward pass, so we should never see an instr with a dead type here`
`1120`	`1120`	`// during the forward pass. For the time being we've retained the logic below to deal with dead types in case`
`@@ -1193,7 +1193,7 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd`
`1193`	`1193`	`addsProperty = isStore && isSpecialized && opnd->HasInitialType();`
`1194`	`1194`	`if (produceType)`
`1195`	`1195`	`{`
`1196`		`- SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block, updateExistingValue);`
	`1196`	`+ SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block);`
`1197`	`1197`	`}`
`1198`	`1198`	`}`
`1199`	`1199`	`else if (valueInfo->GetJsType() != nullptr)`
`@@ -1227,7 +1227,7 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd`
`1227`	`1227`	`}`
`1228`	`1228`	`if (produceType)`
`1229`	`1229`	`{`
`1230`		`- SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block, updateExistingValue);`
	`1230`	`+ SetObjectTypeFromTypeSym(typeSym, opndType, nullptr, block);`
`1231`	`1231`	`}`
`1232`	`1232`	`isSpecialized = !isTypeDead \|\| !objectMayHaveAcquiredAdditionalProperties;`
`1233`	`1233`	`emitsTypeCheck = isSpecialized && objectMayHaveAcquiredAdditionalProperties;`
`@@ -1376,11 +1376,11 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd`
`1376`	`1376`	`{`
`1377`	`1377`	`if (opnd->IsMono())`
`1378`	`1378`	`{`
`1379`		`- SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block, updateExistingValue);`
	`1379`	`+ SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block);`
`1380`	`1380`	`}`
`1381`	`1381`	`else`
`1382`	`1382`	`{`
`1383`		`- SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block, updateExistingValue);`
	`1383`	`+ SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block);`
`1384`	`1384`	`}`
`1385`	`1385`	`}`
`1386`	`1386`	`isSpecialized = !isTypeDead;`
`@@ -1421,11 +1421,11 @@ GlobOpt::ProcessPropOpInTypeCheckSeq(IR::Instr* instr, IR::PropertySymOpnd *opnd`
`1421`	`1421`	`{`
`1422`	`1422`	`if (opnd->IsMono())`
`1423`	`1423`	`{`
`1424`		`- SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block, updateExistingValue);`
	`1424`	`+ SetObjectTypeFromTypeSym(typeSym, opnd->GetFirstEquivalentType(), nullptr, block);`
`1425`	`1425`	`}`
`1426`	`1426`	`else`
`1427`	`1427`	`{`
`1428`		`- SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block, updateExistingValue);`
	`1428`	`+ SetObjectTypeFromTypeSym(typeSym, nullptr, opndTypeSet, block);`
`1429`	`1429`	`}`
`1430`	`1430`	`}`
`1431`	`1431`	`isSpecialized = !isTypeDead;`
`@@ -1788,18 +1788,18 @@ GlobOpt::SetObjectTypeFromTypeSym(StackSym typeSym, Value value, BasicBlock* b`
`1788`	`1788`	`}`
`1789`	`1789`
`1790`	`1790`	`void`
`1791`		`-GlobOpt::SetObjectTypeFromTypeSym(StackSym typeSym, const JITTypeHolder type, Js::EquivalentTypeSet typeSet, BasicBlock* block, bool updateExistingValue)`
	`1791`	`+GlobOpt::SetObjectTypeFromTypeSym(StackSym typeSym, const JITTypeHolder type, Js::EquivalentTypeSet typeSet, BasicBlock* block)`
`1792`	`1792`	`{`
`1793`	`1793`	`if (block == nullptr)`
`1794`	`1794`	`{`
`1795`	`1795`	`block = this->currentBlock;`
`1796`	`1796`	`}`
`1797`	`1797`
`1798`		`- SetObjectTypeFromTypeSym(typeSym, type, typeSet, &block->globOptData, updateExistingValue);`
	`1798`	`+ SetObjectTypeFromTypeSym(typeSym, type, typeSet, &block->globOptData);`
`1799`	`1799`	`}`
`1800`	`1800`
`1801`	`1801`	`void`
`1802`		`-GlobOpt::SetObjectTypeFromTypeSym(StackSym typeSym, const JITTypeHolder type, Js::EquivalentTypeSet typeSet, GlobOptBlockData *blockData, bool updateExistingValue)`
	`1802`	`+GlobOpt::SetObjectTypeFromTypeSym(StackSym typeSym, const JITTypeHolder type, Js::EquivalentTypeSet typeSet, GlobOptBlockData *blockData)`
`1803`	`1803`	`{`
`1804`	`1804`	`Assert(typeSym != nullptr);`
`1805`	`1805`
`@@ -1810,25 +1810,10 @@ GlobOpt::SetObjectTypeFromTypeSym(StackSym *typeSym, const JITTypeHolder type, J`
`1810`	`1810`	`blockData = &this->currentBlock->globOptData;`
`1811`	`1811`	`}`
`1812`	`1812`
`1813`		`- if (updateExistingValue)`
`1814`		`- {`
`1815`		`- Value* value = blockData->FindValueFromMapDirect(typeSymId);`
`1816`		`-`
`1817`		`- // If we're trying to update an existing value, the value better exist. We only do this when updating a generic`
`1818`		`- // value created during loop pre-pass for field hoisting, so we expect the value info to still be blank.`
`1819`		`- Assert(value != nullptr && value->GetValueInfo() != nullptr && value->GetValueInfo()->IsJsType());`
`1820`		`- JsTypeValueInfo* valueInfo = value->GetValueInfo()->AsJsType();`
`1821`		`- Assert(valueInfo->GetJsType() == nullptr && valueInfo->GetJsTypeSet() == nullptr);`
`1822`		`- UpdateObjectTypeValue(value, type, true, typeSet, true);`
`1823`		`- }`
`1824`		`- else`
`1825`		`- {`
`1826`		`- JsTypeValueInfo* valueInfo = JsTypeValueInfo::New(this->alloc, type, typeSet);`
`1827`		`- this->SetSymStoreDirect(valueInfo, typeSym);`
`1828`		`- Value* value = NewValue(valueInfo);`
`1829`		`- blockData->SetValue(value, typeSym);`
`1830`		`- }`
`1831`		`-`
	`1813`	`+ JsTypeValueInfo* valueInfo = JsTypeValueInfo::New(this->alloc, type, typeSet);`
	`1814`	`+ this->SetSymStoreDirect(valueInfo, typeSym);`
	`1815`	`+ Value* value = NewValue(valueInfo);`
	`1816`	`+ blockData->SetValue(value, typeSym);`
`1832`	`1817`	`blockData->liveFields->Set(typeSymId);`
`1833`	`1818`	`}`
`1834`	`1819`
Original file line number	Diff line number	Diff line change
`@@ -27152,8 +27152,11 @@ void Lowerer::LowerLdFrameDisplay(IR::Instr *instr, bool doStackFrameDisplay)`
`27152`	`27152`	`if (instr->m_func != this->m_func && this->m_func->DoStackFrameDisplay())`
`27153`	`27153`	`{`
`27154`	`27154`	`StackSym * inlineeFrameDisplaySym = instr->m_func->GetLocalFrameDisplaySym();`
`27155`		`- Assert(inlineeFrameDisplaySym->IsAllocated());`
`27156`		`- InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);`
	`27155`	`+ Assert((inlineeFrameDisplaySym && inlineeFrameDisplaySym->IsAllocated()) \|\| this->m_func->IsLoopBody());`
	`27156`	`+ if (inlineeFrameDisplaySym && inlineeFrameDisplaySym->IsAllocated())`
	`27157`	`+ {`
	`27158`	`+ InsertMove(IR::SymOpnd::New(inlineeFrameDisplaySym, TyMachReg, m_func), dstOpnd, instr);`
	`27159`	`+ }`
`27157`	`27160`	`}`
`27158`	`27161`	`}`
`27159`	`27162`