chakra-core/ChakraCore

Assertion failure in JavascriptArray::FindHelper()

Open

#6,541 opened on Dec 16, 2020

View on GitHub
 (5 comments) (0 reactions) (0 assignees)JavaScript (9,000 stars) (1,374 forks)batch import
Bughelp wanted

Description

Hello, executing following code in ch 1.22.24(debug), an assertion will be thrown.

var buffer = new Int8Array(8);
var func = function (elem) {
    return elem;
};

i = 9007199254740992;
Object.defineProperty(buffer, 'length', { value: i });
Array.prototype.find.call(buffer, func);

output:

ASSERTION 2480: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.24\lib\runtime\library\javascriptarray.cpp, line 8558) length <= UINT_MAX
 Failure: (length <= 0xffffffff)
FATAL ERROR: ch.exe failed due to exception code c0000420

9007199254740992 is larger than Math::MAX_SAFE_INTEGER, so ch modified the length to Math::MAX_SAFE_INTEGER(9007199254740991 or 0x1F FFFF FFFF FFFF). Although length is modified larger than buffer's size, there is an index checking in BaseTypedDirectGetItem(__in uint32 index), which gets the real size of buffer, so the bug will not cause OOB access.

ISec Lab. 2020.12.16

Contributor guide

Tech stack
cppjavascript
Domain
backendapi
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
C++JavaScript engine internalsdebugging skills
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
25
Research direction
Examine the assertion at JavascriptArray::FindHelper() around line 8558 in javascriptarray.cpp. The issue occurs when the length property of an Int8Array is modified to a value larger than UINT MAX. Investigate how the length is modified and why the assertion expects length <= UINT MAX. Consider whether the assertion should be updated to handle large lengths or if the length modification should be prevented earlier. The provided test case and analysis indicate that the bug does not cause OOB access due to existing index checking, so the fix may involve adjusting the assertion or adding a check before calling FindHelper. Look for any maintainer comments in the issue for guidance.