Chrome V8 Math.expm1 Incorrect Type Information Vulnerability
Chrome: V8: incorrect type information on Math.expm1 The typer sets the type of Math.expm1 to be UnionPlainNumber, NaN. This is missing the -0 case: Math.expm1-0 returns -0. Tracked in: https://bugs.chromium.org/p/chromium/issues/detail?id=880207 Here's a quick example that showcases the issue:...