Microsoft Edge Chakra JIT NewScObjectNoCtor / InitProto Type Confusion
Posted by deepcore on January 18, 2019 – 9:36 am
Microsoft Edge has an issue where NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
Post a reply
You must be logged in to post a comment.