- Simple typer bug: the range of the BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
- Use range assumptions to create unchecked integer underflow.
- Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
- Use double & object array overlap to create addrOf & fakeObj primitives.
- Create overlapping fake array using StructureID leak to obtain arbitrary R/W.
The trick here is to convert a CheckedAdd node to a plain Add node because of the incorrect range, and so cause an unchecked integer underflow. Once the underflow check is gone, DFGIntegerRangeOptimization can be made to draw incorrect conclusions about bounds and subsequently remove bounds checks (more details in the comments of the exploit).
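As an added illustration of why the wrong BitAnd range is unsound (a constructed model written for this page, not JavaScriptCore's code or the exploit), the following compares the assumed range rule against concrete values and shows how a checked-add lowering and a bounds-check elimination decision differ under the [1, n] and [0, n] rules. The array length, constants and sample inputs are arbitrary choices for the demonstration.

```python
# Constructed model of interval reasoning over int32 values; not JSC code.
# Ranges are inclusive (lo, hi) pairs of Python ints.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def bitand_range(n, buggy=False):
    """Range of (x & n) for any int32 x and a non-negative constant n.
    Correct rule: [0, n]. The typer bug discussed above assumed [1, n]."""
    assert n >= 0
    return (1 if buggy else 0, n)

def add_const_range(rng, c):
    lo, hi = rng
    return (lo + c, hi + c)

def fits_int32(rng):
    """If the analysed range fits int32, a checked add is lowered to a plain add."""
    lo, hi = rng
    return INT32_MIN <= lo and hi <= INT32_MAX

def bounds_check_needed(idx_rng, length):
    lo, hi = idx_rng
    return not (0 <= lo and hi < length)

def analyse(n, consts, length, buggy):
    """Analyse idx = (x & n) + c1 + c2 ... used to index an array of `length`.
    Reports whether the model keeps the overflow check and the bounds check."""
    idx = bitand_range(n, buggy)
    overflow_kept = False
    for c in consts:
        idx = add_const_range(idx, c)
        overflow_kept = overflow_kept or not fits_int32(idx)
    return {"index_range": idx,
            "overflow_check_kept": overflow_kept,
            "bounds_check_kept": bounds_check_needed(idx, length)}

def observed_bitand_range(n, samples):
    """Concrete witness: the values (x & n) actually takes over the samples."""
    vals = [x & n for x in samples]
    return (min(vals), max(vals))

def is_sound(assumed, observed):
    """A range rule is sound only if every observed value lies inside it."""
    return assumed[0] <= observed[0] and observed[1] <= assumed[1]

if __name__ == "__main__":
    seen = observed_bitand_range(7, range(-64, 64))
    print("observed (x & 7):", seen, "buggy rule sound:", is_sound(bitand_range(7, True), seen))
    print("buggy  :", analyse(7, [-1, INT32_MIN], 7, buggy=True))
    print("correct:", analyse(7, [-1, INT32_MIN], 7, buggy=False))
```

The buggy rule drops both the overflow check and the bounds check for an index that can in fact be -1, which is the unsound optimization the fix to the range rule removes.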