WebKit JSC JIT Use-After-Free
Posted by deepcore on January 17, 2019 – 9:24 am
In JavaScriptCore's DFG JIT, the doesGC function takes a node and reports whether executing that node might trigger a garbage collection. The JIT relies on this answer to decide where write barriers must be inserted. However, doesGC omits several node types, among them StringCharAt, StringCharCodeAt and GetByVal, that can trigger a collection when they operate on a rope string: resolving (flattening) a rope allocates storage for the contiguous result, and that allocation can start a GC. Because the JIT believes these nodes cannot collect, it may leave out a write barrier that is actually required, so a reference from one object to another can go unrecorded, the referenced object can be collected while it is still in use, and the result is a use-after-free.