diff --git a/0day-RCAs/2021/CVE-2021-4102.md b/0day-RCAs/2021/CVE-2021-4102.md index 9ea14fc..e9012ce 100644 --- a/0day-RCAs/2021/CVE-2021-4102.md +++ b/0day-RCAs/2021/CVE-2021-4102.md @@ -166,7 +166,7 @@ for (var i = 0; i < 2; i++) { } ``` -Passing `b` to `Math.abs` causes `LoadEliminationPhase` to pass the `CheckHeapObject` node as input to both the `NumberAbs` and the **global** `StoreField` above. `Math.abs` will be reduced to `NumberAbs` and then `JSNativeContextSpecialization` will be reduced to a [CheckSmi](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/compiler/js-native-context-specialization.cc;l=3022;drc=be8f6de811592171739ea8ea326255df6065ce1d) node as input to [StoreField](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/compiler/js-native-context-specialization.cc;l=3105;drc=be8f6de811592171739ea8ea326255df6065ce1d) because the field that's being stored to has the field representation `TaggedSmi`. +Passing `b` to `Math.abs` causes `LoadEliminationPhase` to pass the `CheckHeapObject` node as input to both the `NumberAbs` and the **global** `StoreField` above. `Math.abs` will be reduced to `NumberAbs` and then `JSSetNamedProperty` will be reduced to a [CheckSmi](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/compiler/js-native-context-specialization.cc;l=3022;drc=be8f6de811592171739ea8ea326255df6065ce1d) node as input to [StoreField](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/compiler/js-native-context-specialization.cc;l=3105;drc=be8f6de811592171739ea8ea326255df6065ce1d) because the field that's being stored to has the field representation `TaggedSmi`. Putting all of this together this results in this graph after `LoadEliminationPhase`:
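Review bot: the rewritten `+` line drops the name of the reducer entirely, so the sentence now says only that `JSSetNamedProperty` "will be reduced" without saying by what; since both links point into `js-native-context-specialization.cc`, keep `JSNativeContextSpecialization` in the sentence as the actor, e.g. "`Math.abs` will be reduced to `NumberAbs`, and `JSNativeContextSpecialization` will then lower the `JSSetNamedProperty` to a [StoreField](...) with a [CheckSmi](...) on its value input, because the field being stored to has the field representation `TaggedSmi`." That also tightens "reduced to a `CheckSmi` node as input to `StoreField`", which reads as if the store itself becomes a `CheckSmi`, whereas the rest of the sentence (and the earlier `LoadEliminationPhase` remark about the `CheckHeapObject` input) describes the `CheckSmi` as a guard on the value fed into the `StoreField`.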