ASSERTION fails in Array.prototype.copyWithin · chakra-core/ChakraCore#6458

(8 comments) (1 reaction) (0 assignees)JavaScript (9,000 stars) (1,374 forks)batch import

Buggood first issue

説明

Hello, I run following code in ch 1.11.19(debug)，and it will crash by an assertion.

let b = [1.1, 2.2, 3.3];
b[4294967294] = 3;
Array.prototype.copyWithin.call(b, 0, 1);

Crash output:

ASSERTION 7690: (/.../ChakraCore-1.11.19/lib/Runtime/Library/JavascriptArray.cpp, line 9309) direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength)
 Failure: (direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength))
Illegal instruction

When reading the source code, I find that the if-condition and the asserts in else-branch are not mutually complemental. https://github.com/microsoft/ChakraCore/blob/c848d4d8d50c0dfb4a23540a9ee6cd023fa029c1/lib/Runtime/Library/JavascriptArray.cpp#L9286 The asserts in else-branch should be : Assert((fromVal + count) <= MaxArrayLength && (toVal + count) <= MaxArrayLength )

ISec Lab 2020.6.8

コントリビューターガイド

技術スタック: cppjavascript
領域: backend
Issue 種別: bug
難度: 3
推定時間: 1-3 hours
活動状況: stale
明確さ: clear
前提条件: basic JavaScriptbasic C++
初心者向け度: 70
調査方針: The issue is about an assertion failure in lib/Runtime/Library/JavascriptArray.cpp at line 9309. The contributor should examine the if condition around line 9286 and the else branch to understand the logic. The suggested fix is to change the assertion in the else branch to use <= instead of <. After implementing the fix, run the existing test suite to ensure no regressions, and consider adding a new test case for this specific scenario.