
Microsoft Edge Chakra JIT Bound Check Elimination Bug

Posted on 18 May 2018

Chakra uses the InvariantBlockBackwardIterator class to backpropagate information about hoisted bound checks. However, the class follows the linked list of blocks instead of the control flow, which may lead to bound checks being removed incorrectly.
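A simplified model of this class of error, added here as an illustration and not taken from Chakra's source: blocks are numbered in layout order, and `Func`, `walkList`, `walkControlFlow`, `wronglyVisited` and the sample graph are all hypothetical. It shows a backward walk over the block list reaching a block that no control-flow path between the two endpoints contains, which is where list-based propagation and control-flow-based propagation disagree.

```cpp
#include <map>
#include <set>
#include <vector>

// Simplified model, not Chakra code. Block ids are positions in layout order
// (the "linked list"); preds holds the real control-flow edges.
struct Func {
    std::map<int, std::vector<int>> preds;  // block -> control-flow predecessors
};

// Walk the block list backward from `from` down to `to`, as a list iterator would.
std::set<int> walkList(int from, int to) {
    std::set<int> seen;
    for (int b = from; b >= to; --b) seen.insert(b);
    return seen;
}

// Walk backward along control-flow edges from `from`, stopping at `to`.
std::set<int> walkControlFlow(const Func& f, int from, int to) {
    std::set<int> seen;
    std::vector<int> work{from};
    while (!work.empty()) {
        int b = work.back();
        work.pop_back();
        if (!seen.insert(b).second || b == to) continue;  // visited, or reached the stop block
        auto it = f.preds.find(b);
        if (it != f.preds.end())
            for (int p : it->second) work.push_back(p);
    }
    return seen;
}

// Blocks the list walk touches that lie on no control-flow path from `to` to `from`.
std::set<int> wronglyVisited(const Func& f, int from, int to) {
    std::set<int> extra;
    std::set<int> onPath = walkControlFlow(f, from, to);
    for (int b : walkList(from, to))
        if (!onPath.count(b)) extra.insert(b);
    return extra;
}

// Constructed CFG: 0 -> 1, 1 -> 2, 1 -> 3, 3 -> 4. Block 2 is a side branch
// that sits between 1 and 3 in layout order but never flows into block 4.
Func sampleFunc() {
    Func f;
    f.preds[1] = {0}; f.preds[2] = {1}; f.preds[3] = {1}; f.preds[4] = {3};
    return f;
}
```

In this graph, propagating backward from block 4 to block 0 along the list also touches block 2, while the control-flow walk does not.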

 
