256551 – (CVE-2023-41074) [JSC] Refine Object.create modeling in DFG after mayBePrototype bit is mored to Structure

Bug 256551 (CVE-2023-41074) - [JSC] Refine Object.create modeling in DFG after mayBePrototype bit is mored to Structure

Summary: [JSC] Refine Object.create modeling in DFG after mayBePrototype bit is mored ...

Status:	RESOLVED FIXED

Alias:	CVE-2023-41074

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2023-05-09 14:35 PDT by Yusuke Suzuki
Modified:	2023-09-30 04:02 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yusuke Suzuki 2023-05-09 14:35:17 PDT

...

Comment 1 Yusuke Suzuki 2023-05-09 14:35:19 PDT

<rdar://problem/109045428>

Comment 2 Yusuke Suzuki 2023-05-09 14:37:18 PDT

Pull request: https://github.com/WebKit/WebKit/pull/13658

Comment 3 EWS 2023-05-09 18:50:42 PDT

Committed 263889@main (d60bafb0be1b): <https://commits.webkit.org/263889@main>

Reviewed commits have been landed. Closing PR #13658 and removing active labels.