Root Cause Analysis of a Non-Deterministic JavaScriptCore Vulnerability (ret2.io)
90 points by zspitzer on June 26, 2018 | hide | past | favorite | 3 comments


There's not a lot of comments here, so I'll give a tl;dr:

They found a "use after free" bug in JavaScriptCore due to some async GC and used it to get RCE in Safari at Pwn2Own. By making a large array of arrays, and then reversing them, they interfered with the "mark" part of "mark and sweep", resulting in some of the arrays not being marked and therefore being swept (freed) and used for other things. Pretty picture showing what's going on: http://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analy...

some more details:

- this was found with a fuzzing tool

- they make a large array of arrays (~20k)

- they map over the array of arrays and reverse the arrays inside it

- they print out the contents of all the arrays and find that some of the objects they are printing are not arrays, but are an entirely different javascript object: promises (this is a symptom of the bug)

- they use a very nice debugging tool[0] that lets them step backwards in time; this proves invaluable, as they can start with the symptoms of the bug and then go backwards to see what has caused them

- they discover that the memory of the arrays is being marked as "not used", getting freed by GC, and then used by (unrelated) promises. This is a "use after free" bug and they're very serious (this one is used to get RCE at pwn2own). This happens because the GC is marking this as used in an async manner, so when they make their large array of arrays, not all of the memory allocated for it is actually marked as "in use". As the GC is iterating over everything and marking it as "in use", JavaScript continues executing, and in this case, starts reversing the arrays.

[0]: https://rr-project.org
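The failure mode described in the comment above, as an added example that is not part of the original post or of the ret2 write-up: a toy incremental mark-sweep collector in JavaScript whose marker scans one array slot per step while the mutator is allowed to run a reverse() in between. Without a write barrier, elements that reverse() moves from the not-yet-scanned tail into already-scanned slots are never marked and would be swept despite being live; with a Dijkstra-style barrier that shades every stored referent, nothing is lost. The `Obj`, `Collector` and `simulate` names, the slot-by-slot scan cursor and the barrier design are all constructed for this model and are not JavaScriptCore's implementation.

```javascript
// Constructed model of a concurrent mark-sweep collector racing a mutator.
// Not JavaScriptCore code: the names, the per-slot scan cursor and the
// barrier are simplifications chosen to make the lost-mark problem visible.

class Obj {
  constructor(id, slots = []) {
    this.id = id;
    this.slots = slots;       // outgoing references held by this object
    this.color = "white";     // white = unvisited, grey = queued, black = fully scanned
    this.scanCursor = 0;      // next slot index the marker will visit
  }
}

class Collector {
  constructor(root, { writeBarrier }) {
    this.writeBarrier = writeBarrier;
    this.grey = [];           // marking work list
    this.shade(root);
  }

  // Move an unvisited object onto the work list.
  shade(o) {
    if (o.color === "white") { o.color = "grey"; this.grey.push(o); }
  }

  // One unit of marking work: visit a single slot of the object at the head
  // of the grey list. Returns false once marking is complete.
  step() {
    const o = this.grey[0];
    if (!o) return false;
    if (o.scanCursor < o.slots.length) {
      this.shade(o.slots[o.scanCursor++]);
    } else {
      o.color = "black";      // every slot has been scanned
      this.grey.shift();
    }
    return true;
  }

  finishMarking() { while (this.step()) {} }

  // Mutator-side store. With the barrier on, a referent written into an
  // object the marker has already started (or finished) scanning is shaded,
  // so it cannot slip behind the scan cursor unmarked.
  store(holder, index, value) {
    holder.slots[index] = value;
    if (this.writeBarrier && holder.color !== "white") this.shade(value);
  }

  // Mutator operation modelled on Array.prototype.reverse(): swap slots
  // pairwise from both ends, routing each write through store().
  reverse(arr) {
    for (let i = 0, j = arr.slots.length - 1; i < j; i++, j--) {
      const a = arr.slots[i], b = arr.slots[j];
      this.store(arr, i, b);
      this.store(arr, j, a);
    }
  }
}

// Builds root -> arr -> [elem0..elem(n-1)], lets the marker run a few steps,
// reverses the array mid-scan, finishes marking, and returns the ids of
// objects that are still reachable yet never got marked (i.e. would be swept).
function simulate({ writeBarrier, n = 8, stepsBeforeReverse = 5 }) {
  const elems = Array.from({ length: n }, (_, i) => new Obj(`elem${i}`));
  const arr = new Obj("arr", [...elems]);
  const root = new Obj("root", [arr]);
  const gc = new Collector(root, { writeBarrier });

  for (let i = 0; i < stepsBeforeReverse; i++) gc.step();   // marker is part way through arr
  gc.reverse(arr);                                           // mutator runs concurrently
  gc.finishMarking();

  return [root, arr, ...elems].filter((o) => o.color === "white").map((o) => o.id);
}

console.log("lost without barrier:", simulate({ writeBarrier: false }));
console.log("lost with barrier:   ", simulate({ writeBarrier: true }));
```

With the default parameters the marker has scanned slots 0..2 of the array when reverse() runs, so elem5, elem6 and elem7 land in already-scanned slots and are reported as lost in the unbarriered run; the barriered run reports none. The same model generalises to any mutator that moves references between scanned and unscanned regions of the heap, which is why collectors that let JavaScript run during marking depend on every such store being barriered.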


These debugging tools are amazing. They also mentioned Hubble, some kind of visualizer for rr execution traces. I didn't find any information on it.


Great read, and nice follow-up to the array.reverse() exploit from last year which I hadn't ever seen fully explained.



