Created attachment 458335
the minimal poc

The following PoC outputs differently before/after JIT compilation.

function opt() {
    var b = false;
    var c = -b;
    try {
        throw "";
    } catch (e) {
    }
    return c;
}
let before = opt();
print(1/before); //-Infinity
for (var i = 0; i < 10000; i++) {
    opt();
}
let afterJIT = opt();
print(1/afterJIT); //Infinity
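The PoC above relies on the fact that ToNumber(false) is +0 and unary minus on +0 yields -0, which 1/x distinguishes as -Infinity versus Infinity. The following is an added differential-testing harness, not the reporter's PoC or WebKit code: it keeps the same try/catch shape, uses Object.is to detect -0 instead of division, warms the function up so any tiering JIT gets to recompile it, and reports the first iteration at which the sign of the zero result changes. It also generalises the PoC to every input whose ToNumber is +0 (false, null, "", "0", [], 0), since all of them must negate to -0. The function and variable names, the iteration count and the input list are assumptions chosen for illustration; on an engine with the fix (or an unaffected engine) the sweep returns no failures.

```javascript
// Added example (not the reporter's PoC): differential check that a function
// keeps returning the same signed zero across interpreter and JIT tiers.
// Assumes any engine with Object.is; no JSC-specific API is used.

// Same shape as the report's PoC: ToNumber(false) is +0, unary minus on +0
// yields -0 (ECMA-262 Number::unaryMinus), and the try/catch keeps the result
// live across an exception edge, the pattern the bug concerned.
function negateViaTry(b) {
  var c = -b;
  try {
    throw "";
  } catch (e) {
  }
  return c;
}

// Distinguishes -0 from +0 without relying on 1/x; Object.is is the
// spec-defined SameValue comparison, so Object.is(-0, 0) is false.
function isNegativeZero(x) {
  return Object.is(x, -0);
}

// Calls fn(input) `iterations` times, warming up any tiering JIT, and records
// the first iteration at which the sign of the zero result differs from the
// first (cold) call. Returns { stable, coldNegativeZero, firstDivergence }.
function checkSignedZeroStability(fn, input, iterations) {
  var cold = isNegativeZero(fn(input));
  for (var i = 1; i < iterations; i++) {
    if (isNegativeZero(fn(input)) !== cold) {
      return { stable: false, coldNegativeZero: cold, firstDivergence: i };
    }
  }
  return { stable: true, coldNegativeZero: cold, firstDivergence: -1 };
}

// Constructed sample inputs: every value whose ToNumber is +0 is a candidate
// for the same miscompile, because unary minus must yield -0 for all of them.
var ZERO_VALUED_INPUTS = [false, null, "", "0", [], 0];

// Returns the list of inputs for which the cold result is not -0 or for which
// the result changed sign during warm-up. An empty list means no divergence.
function sweepZeroValuedInputs(iterations) {
  var failures = [];
  for (var k = 0; k < ZERO_VALUED_INPUTS.length; k++) {
    var r = checkSignedZeroStability(negateViaTry, ZERO_VALUED_INPUTS[k], iterations);
    if (!r.coldNegativeZero || !r.stable) {
      failures.push({ input: ZERO_VALUED_INPUTS[k], result: r });
    }
  }
  return failures;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(sweepZeroValuedInputs(20000)));
}
```

Running the sweep on an affected JavaScriptCore build would list the inputs whose result flipped from -0 to +0 once the optimising tier kicked in, together with the iteration at which it happened; the same harness can be pointed at any other function whose result is only observable through the sign of zero.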
<rdar://problem/92654142>
Ah, this is caused by 230823. Backward propagation is running before catch live variable preservation.
Probably, we should insert catch-live-variable-insertion before backwards propagation.
Pull request: https://github.com/WebKit/WebKit/pull/9496
*** Bug 251411 has been marked as a duplicate of this bug. ***
Committed 259839@main (5e1033a7cd03): <https://commits.webkit.org/259839@main> Reviewed commits have been landed. Closing PR #9496 and removing active labels.
According to the acknowledgement, there seems to be a mistake here?

WebKit Bugzilla: 239758
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)
Hm, I wonder if they're supposed to be credited on some *other* CVE instead. We can ask for this to be fixed. Who should this one be attributed to? "zhunkibatu"?
"zhunki", please.
Did you confirm who to acknowledge?
Looks like I missed this. I'll notify Apple Product Security after the holidays.
(In reply to Michael Catanzaro from comment #11)
> Looks like I missed this. I'll notify Apple Product Security after the
> holidays.

Actually I contacted Apple Product Security on October 1, but haven't received a response yet. The ticket number is OE092404867716. They did respond to a similar request in another CVE, so my guess is they've lost track of this one.