4 matches found

Packet Storm
added 2018/11/30 12:0 a.m. | 48 views

WebKit JIT ByteCodeParser::handleIntrinsicCall Type Confusion

WebKit: JIT: Type confusion bugs in ByteCodeParser::handleIntrinsicCall CVE-2018-4382 case ArrayPushIntrinsic: ... if staticcastargumentCountIncludingThis = MINSPARSEARRAYINDEX return false; ArrayMode arrayMode = getArrayModemcurrentInstructionOPCODELENGTHopcall - 2.u.arrayProfile, Array::Write;...

8.2 AI score | 0.18667 EPSS
Exploits: 2
Exploit DB
added 2018/11/29 12:0 a.m. | 31 views

WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion

/ case ArrayPushIntrinsic: ... if staticcastargumentCountIncludingThis = MINSPARSEARRAYINDEX return false; ArrayMode arrayMode = getArrayModemcurrentInstructionOPCODELENGTHopcall - 2.u.arrayProfile, Array::Write; ... This code always assumes that the current instruction is an opcall instruction...

7.4 AI score
Exploits: 0
seebug.org
added 2017/10/10 12:0 a.m. | 54 views

WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal (CVE-2017-7061)

Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type == ForInContext::IndexedForInContextType property = staticcastcontext.index; break;...

7.5 CVSS | 8.1 AI score | 0.08109 EPSS
Exploits: 4
Exploit DB
added 2017/09/12 12:0 a.m. | 40 views

WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (1)

Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type == ForInContext::IndexedForInContextType property = staticcastcontext.index; break;...

7.4 AI score
Exploits: 0