Assertion failure in JavascriptArray::FindHelper() · chakra-core/ChakraCore#6541

(5 留言) (0 反應) (0 負責人)JavaScript (9,000 star) (1,374 fork)batch import

Bughelp wanted

描述

Hello, executing following code in ch 1.22.24(debug), an assertion will be thrown.

var buffer = new Int8Array(8);
var func = function (elem) {
    return elem;
};

i = 9007199254740992;
Object.defineProperty(buffer, 'length', { value: i });
Array.prototype.find.call(buffer, func);

output:

ASSERTION 2480: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.24\lib\runtime\library\javascriptarray.cpp, line 8558) length <= UINT_MAX
 Failure: (length <= 0xffffffff)
FATAL ERROR: ch.exe failed due to exception code c0000420

9007199254740992 is larger than Math::MAX_SAFE_INTEGER, so ch modified the length to Math::MAX_SAFE_INTEGER(9007199254740991 or 0x1F FFFF FFFF FFFF). Although length is modified larger than buffer's size, there is an index checking in BaseTypedDirectGetItem(__in uint32 index), which gets the real size of buffer, so the bug will not cause OOB access.

ISec Lab. 2020.12.16

貢獻者指南

技術棧: cppjavascript
領域: backendapi
議題類型: bug
難度: 3
預計時間: 1-2 days
活動狀態: stale
清晰度: clear
前置要求: C++JavaScript engine internalsdebugging skills
新手友善度: 25
研究方向: Examine the assertion at JavascriptArray::FindHelper() around line 8558 in javascriptarray.cpp. The issue occurs when the length property of an Int8Array is modified to a value larger than UINT MAX. Investigate how the length is modified and why the assertion expects length <= UINT MAX. Consider whether the assertion should be updated to handle large lengths or if the length modification should be prevented earlier. The provided test case and analysis indicate that the bug does not cause OOB access due to existing index checking, so the fix may involve adjusting the assertion or adding a check before calling FindHelper. Look for any maintainer comments in the issue for guidance.