5 matches found
macOS iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded
While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release...
macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded
While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: function v2trigger // Force JIT compilation. for let v7 = 0; v7 1000000; v7++ if...
WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check
While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release...
WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check
While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc on macOS: // Run with --thresholdForFTLOptimizeAfterWarmUp=1000 // First array probably required to avoi...
WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Exploit
While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release...