[CVE-2019-1139] Chakra JIT Type Confusion

array.slice converts the native array to var array which was not captured during the optimization.
Due to that the native array type is forced to var array which leads to the type confusion.
Fixed this by killing the object type for the slice (as well as concat)

Author: akroshg

lib/Backend/GlobOpt.cpp

@@ -13470,6 +13470,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
                     case IR::HelperArray_Splice:
                     case IR::HelperArray_Unshift:
                     case IR::HelperArray_Concat:
+                    case IR::HelperArray_Slice:
                         kills.SetKillsArrayHeadSegments();
                         kills.SetKillsArrayHeadSegmentLengths();
                         break;

lib/Backend/GlobOptFields.cpp

@@ -518,6 +518,18 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
                 }
                 break;
 
+            case IR::JnHelperMethod::HelperArray_Slice:
+            case IR::JnHelperMethod::HelperArray_Concat:
+                if (inGlobOpt && this->objectTypeSyms)
+                {
+                    if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)
+                    {
+                        this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);
+                    }
+                    this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);
+                }
+                break;
+
             case IR::JnHelperMethod::HelperRegExp_Exec:
             case IR::JnHelperMethod::HelperRegExp_ExecResultNotUsed:
             case IR::JnHelperMethod::HelperRegExp_ExecResultUsed: