
Microsoft Edge Chakra JIT NewScObjectNoCtor / InitProto Type Confusion

Posted by deepcore on January 18, 2019 – 9:36 am

Microsoft Edge has an issue where the Chakra JIT treats the NewScObjectNoCtor and InitProto opcodes as having no side effects, but they can in fact have one: the type handler's SetIsPrototype method, invoked on their behalf, can cause a transition to a new type. Because the JIT does not account for that transition, the JITed code can go on operating on the stale type, which leads to type confusion.

