Microsoft Edge Chakra JIT Bounds Check Elimination Bug
Posted on 18 May 2018
Chakra uses the InvariantBlockBackwardIterator class to backpropagate information about hoisted bounds checks. However, the class walks the basic blocks by following their linked list (layout order) rather than the control flow graph. As a result, the "already checked" information can reach blocks that are not on any control-flow path to the hoisted check, and bounds checks in those blocks may be incorrectly removed.
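As an added illustration (constructed for this page, not Chakra's or the author's code), a small Python model of the two backward walks the note contrasts: one over the block layout linked list, one over control-flow predecessors. The block names, the loop shape and the `prev`/`preds` fields are assumptions of the model.

```python
# Constructed model (not Chakra's code) of propagating a "bounds already
# checked" fact backward from the block where the check was hoisted (S)
# toward the loop landing pad. The flawed walk follows the layout linked
# list; the correct walk follows control-flow predecessors.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Block:
    name: str
    preds: List["Block"] = field(default_factory=list)  # control-flow predecessors
    prev: Optional["Block"] = None                        # previous block in layout order


def covered_by_linked_list(start: Block, landing_pad: Block) -> Set[str]:
    """Walk backward over the layout linked list (the flawed strategy)."""
    covered: Set[str] = set()
    b = start.prev
    while b is not None and b is not landing_pad:
        covered.add(b.name)
        b = b.prev
    return covered


def covered_by_control_flow(start: Block, landing_pad: Block) -> Set[str]:
    """Walk backward over CFG predecessors only, stopping at the landing pad."""
    covered: Set[str] = set()
    work = list(start.preds)
    while work:
        b = work.pop()
        if b is landing_pad or b.name in covered:
            continue
        covered.add(b.name)
        work.extend(b.preds)
    return covered


def build_loop() -> Tuple[Block, Block]:
    # Assumed layout: pad -> A -> B -> S.
    # Assumed control flow: pad -> A -> S, and pad -> B -> (loop exit).
    # B sits between pad and S in layout but is on no path to S.
    pad = Block("pad")
    a = Block("A", preds=[pad], prev=pad)
    b = Block("B", preds=[pad], prev=a)
    s = Block("S", preds=[a], prev=b)
    return pad, s


def compare_walks() -> Tuple[Set[str], Set[str]]:
    pad, s = build_loop()
    return covered_by_linked_list(s, pad), covered_by_control_flow(s, pad)


def wrongly_covered() -> Set[str]:
    """Blocks that receive the fact without any control-flow justification."""
    linked, cfg = compare_walks()
    return linked - cfg
```

A bounds check in block B would be treated as redundant by the linked-list walk even though no path through B reaches the hoisted check.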