Microsoft Edge Chakra JIT Inline::InlineCallApplyTarget_Shared does not return the return instruction.
70cace84bd9e2fa3381d1d38bcfd0743b83971ff7366be4881f9e6a185240aa3
Microsoft Edge Chakra JIT GlobOpt::OptTagChecks must consider IsLoopPrePass properly.
c96d94c8ca1ba7e89b1679856d3c4dc0c0774a75988d7d6d433e82e6c26d83a1
Microsoft Edge Chakra JIT BailOutOnTaggedValue bailouts can be generated for constant values.
07f0bd4f708fff233ac927cdb624650e28f9e7aced8b7cd40fa1755a2c57d631
Microsoft Edge Chakra suffers from a JIT issue where bailouts must be generated for OP_Memset.
813f916e60e3c818e09d0aa0e00886f53566a473ca6fc2113ff8368a345fb8a3
Microsoft Edge Chakra suffers from a JIT-related incorrect integer overflow check in Lowerer::LowerBoundCheck.
e4b35e91b6f40a067301e0b8e804b7a217babf9712c7528d497a6c100e94631c
Microsoft Edge Chakra suffers from a JIT-related type confusion vulnerability with switch statements.
ca3df13fbd157d87f293cdb6967b460b973c034f3fae68595d56e4b1786c606f
Microsoft Edge suffers from a memory corruption vulnerability in Object.setPrototypeOf.
ce996aa3102a5844deb5a4ab534f854386a6e434cf3673fd468e8d74d57de3d2
Microsoft Edge Chakra accesses uninitialized pointers in StackScriptFunction::BoxState::Box.
c3dd2ea0e712669479d2aa22890d91c996500f2404810f48866a0657a23d0993
The "String.prototype.replace" method can be inlined in the JIT process, so within that method every call that may break the JIT's assumptions must be invoked with "ImplicitCallFlags" updated. "RegexHelper::StringReplace", however, calls the replace function without updating the flag, so it fails to detect that a user function was called.
6c4259839de11f0d96f33fa01fc2246725c92d13a8e640c34e3ea19ed893ffcd
Microsoft Edge Chakra JIT compiler creates incorrect GenerateBailOut calling patterns.
c3a94eb581652bd3601d89fe9f3bccfc65bf2f5b30dccc9db74b9516daac3bfc
A proof of concept has been released that bypasses the fix for the original finding regarding an incorrect optimization in BytecodeGenerator::emitGetByVal in WebKit JSC.
424b380e7d3c1cbc0226f7a72afefbd2fcb4158f18e5251ba138a6ab2b914b5b
Microsoft Edge Chakra JavascriptFunction::ReparseAsmJsModule suffers from a parsing issue.
04786d716e5bbc515fcb82e70cc835c336e1f9a711c6bd4916ec298d728b059c
Microsoft Edge Chakra Parser::ParseCatch fails to handle eval properly.
ab4355edeff5bc32a4c78094cc0d6544b969b096f7f75973839307d64d3834c7
Microsoft Edge Chakra makes wrong scopes in deferred parsing.
46c5852cffb12bf17caf6302d304337fc43055946fa9a608bd1dce0284336d11
Microsoft Edge Chakra incorrectly parses object patterns.
861d591b479ea3ed6c0ad8fd09bf8f8400adee9fdab27742f1cf3812afe1c4dc
WebKit JSC suffers from an incorrect optimization in BytecodeGenerator::emitGetByVal.
9220b5c0f6c932addd44fe7106dc05e5e8eeaef81b30f43920c0a1f5cdb633c7
Yet another finding that the fix for an incorrect JIT optimization with the TypedArray setter in Microsoft Edge Chakra may not be sufficient.
dd744360fbce38a89344c69c4be3fb6e4f8093fc7dd49123ac3567a30791d8b7
Microsoft Edge Chakra suffers from an integer overflow vulnerability in EmitNew.
217713876803ee8fb301be8b412d4b727c8939e79817fecbccb1e394b028e57b
Microsoft Edge Chakra suffers from an uninitialized arguments vulnerability in Parser::ParseFncFormals with the "PNodeFlags::fpnArguments_overriddenInParam" flag.
ca6f74d7bb73cacfbaad6ce8151f2d0f5e6e4bc61b8d7c2982869c76df38af88
Microsoft Edge Chakra suffers from an uninitialized arguments vulnerability.
bc72550bd11b91862b70eeef07245ad2a51ef2e44e79e6ed2a13456c8113eb6c
Microsoft Edge Chakra does not handle CallInfo properly in JavascriptFunction::EntryCall.
e95109ebc399b86e728a3585ff62325148e6c790cdf3d57b95b295811bcb7ed7
Microsoft Edge Chakra suffers from a type confusion vulnerability in JavascriptArray::ConcatArgs.
218f35cd65e75f8deb9766cd3f68774825fdd90974052767fde0b2b79b18b617
This is a follow-up finding that the fix for an incorrect JIT optimization with the TypedArray setter in Microsoft Edge Chakra may not be sufficient.
f1455b5d16426b1fed7f2d0951c0b89d7dd75973cbee4a79240dd19472ffc899
Microsoft Edge Chakra has an issue where EmitAssignment uses the "this" register without initializing it.
31e0d764931a2b83c8b59dc12ca6bb5a7d420ed10202786ef5bb60c564333388
Microsoft Edge Chakra suffers from an incorrect usage of TryUndeleteProperty.
4c976473480db8694122c88cc93c331174a29c45970f7f7a010917b8046b6a96