Key Information Summary

Vulnerability Description
Bug ID: 526449
Title: FinishSharingTitle should skip fixed slots for slow array
Status: Closed (VERIFIED FIXED)
Product: Core
Component: JavaScript Engine
Type: defect
Priority: Not set
Severity: Normal

Vulnerability Details
Cause:
- When handling a slow array, FinishSharingTitle treats the fixed slot that holds the array length as if it were a slot containing a GC object. The array length is then reinterpreted as a JSString, which crashes.
- The browser itself cannot trigger this bug, because it does not allow cross-thread sharing even with thread workers. Some extensions that use shared objects can trigger it, however.

Fix Information
Affected Versions: Requires fixes for 1.9.2+, 4+fixed, alpha1+, and 1.9.1
Attachments: Multiple patch versions (v1, v3 for 192, fix for 191)
Patch Description:
- v1: Marks the slow array class with , leveraging changes from to fix this bug and eliminate the slow array tracking hack.
- v3 for 192: Minor backport required for the 1.9.2 branch.
- fix for 191: Fixes the issue on 1.9.1 by skipping the required slots.

Other
Team Collaboration: Multiple contributors participated in fixing and testing, including Igor Bukanov, Brendan Eich, and others.
Testing: Involves testing across different branches and versions (1.9.0, 1.9.1, 1.9.2, etc.).
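The cause above is a type confusion between raw bookkeeping data and tagged values. The following is an added, simplified model (not SpiderMonkey code): the tag layout, the one-fixed-slot layout and the function names are assumptions for illustration. A slot walk that starts at slot 0 mistakes the raw length for a string pointer; starting after the fixed slots avoids that.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the bug (assumed layout, not SpiderMonkey's real one).
 * Slot values are "jsvals": a pointer or integer carrying a 3-bit type tag in
 * its low bits. A slow array also keeps raw, untagged bookkeeping in its
 * fixed slots, here slot 0 holding the array length. */
#define TAG_MASK    7u
#define TAG_STRING  4u          /* assumed tag value for string pointers */
#define FIXED_SLOTS 1           /* slot 0: raw array length, not a jsval */
#define MAX_SLOTS   8

typedef struct { uintptr_t slots[MAX_SLOTS]; size_t nslots; } SlowArray;

/* Tag an 8-byte-aligned pointer as a string value. */
static uintptr_t string_val(const void *p) { return (uintptr_t)p | TAG_STRING; }

/* Sharing walks the slots and records every string it believes it sees so the
 * string can later be marked as shared. 'out' receives untagged pointers.
 * skip_fixed = 0 models the buggy walk, skip_fixed = 1 the fixed one. */
static size_t collect_strings(const SlowArray *a, int skip_fixed,
                              uintptr_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = skip_fixed ? FIXED_SLOTS : 0; i < a->nslots; i++) {
        uintptr_t v = a->slots[i];
        if ((v & TAG_MASK) == TAG_STRING && n < cap)
            out[n++] = v & ~(uintptr_t)TAG_MASK;  /* would be dereferenced */
    }
    return n;
}

/* Constructed sample: a length of 4 has the same low bits as TAG_STRING, so
 * the buggy walk "finds" a string at address 0 and would crash using it. */
static SlowArray make_sample(void) {
    static uint64_t storage[2];          /* stand-in for a real string body */
    SlowArray a = { {0}, 3 };
    a.slots[0] = 4;                      /* raw length */
    a.slots[1] = string_val(storage);    /* genuine string element */
    a.slots[2] = 0;                      /* empty slot, tag 0 */
    return a;
}

/* Returns 1 if the walk reported a string that is not the one in slot 1. */
static int walk_reports_bogus_string(int skip_fixed) {
    SlowArray a = make_sample();
    uintptr_t found[MAX_SLOTS];
    size_t n = collect_strings(&a, skip_fixed, found, MAX_SLOTS);
    for (size_t i = 0; i < n; i++)
        if (found[i] != (a.slots[1] & ~(uintptr_t)TAG_MASK)) return 1;
    return 0;
}
```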