Assertion failure in JavascriptArray::FindHelper() · chakra-core/ChakraCore#6541

(5 comments) (0 reactions) (0 assignees)JavaScript (9,000 stars) (1,374 forks)batch import

Bughelp wanted

説明

Hello, executing following code in ch 1.22.24(debug), an assertion will be thrown.

var buffer = new Int8Array(8);
var func = function (elem) {
    return elem;
};

i = 9007199254740992;
Object.defineProperty(buffer, 'length', { value: i });
Array.prototype.find.call(buffer, func);

output:

ASSERTION 2480: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.24\lib\runtime\library\javascriptarray.cpp, line 8558) length <= UINT_MAX
 Failure: (length <= 0xffffffff)
FATAL ERROR: ch.exe failed due to exception code c0000420

9007199254740992 is larger than Math::MAX_SAFE_INTEGER, so ch modified the length to Math::MAX_SAFE_INTEGER(9007199254740991 or 0x1F FFFF FFFF FFFF). Although length is modified larger than buffer's size, there is an index checking in BaseTypedDirectGetItem(__in uint32 index), which gets the real size of buffer, so the bug will not cause OOB access.

ISec Lab. 2020.12.16

コントリビューターガイド

技術スタック: cppjavascript
領域: backendapi
Issue 種別: bug
難度: 3
推定時間: 1-2 days
活動状況: stale
明確さ: clear
前提条件: C++JavaScript engine internalsdebugging skills
初心者向け度: 25
調査方針: Examine the assertion at JavascriptArray::FindHelper() around line 8558 in javascriptarray.cpp. The issue occurs when the length property of an Int8Array is modified to a value larger than UINT MAX. Investigate how the length is modified and why the assertion expects length <= UINT MAX. Consider whether the assertion should be updated to handle large lengths or if the length modification should be prevented earlier. The provided test case and analysis indicate that the bug does not cause OOB access due to existing index checking, so the fix may involve adjusting the assertion or adding a check before calling FindHelper. Look for any maintainer comments in the issue for guidance.