ASSERTION fails in Array.prototype.copyWithin · chakra-core/ChakraCore#6458

(8 评论) (1 反应) (0 负责人)JavaScript (9,000 star) (1,374 fork)batch import

Buggood first issue

描述

Hello, I run following code in ch 1.11.19(debug)，and it will crash by an assertion.

let b = [1.1, 2.2, 3.3];
b[4294967294] = 3;
Array.prototype.copyWithin.call(b, 0, 1);

Crash output:

ASSERTION 7690: (/.../ChakraCore-1.11.19/lib/Runtime/Library/JavascriptArray.cpp, line 9309) direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength)
 Failure: (direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength))
Illegal instruction

When reading the source code, I find that the if-condition and the asserts in else-branch are not mutually complemental. https://github.com/microsoft/ChakraCore/blob/c848d4d8d50c0dfb4a23540a9ee6cd023fa029c1/lib/Runtime/Library/JavascriptArray.cpp#L9286 The asserts in else-branch should be : Assert((fromVal + count) <= MaxArrayLength && (toVal + count) <= MaxArrayLength )

ISec Lab 2020.6.8

贡献者指南

技术栈: cppjavascript
领域: backend
议题类型: bug
难度: 3
预计时间: 1-3 hours
活动状态: stale
清晰度: clear
前置要求: basic JavaScriptbasic C++
新手友好度: 70
研究方向: The issue is about an assertion failure in lib/Runtime/Library/JavascriptArray.cpp at line 9309. The contributor should examine the if condition around line 9286 and the else branch to understand the logic. The suggested fix is to change the assertion in the else branch to use <= instead of <. After implementing the fix, run the existing test suite to ensure no regressions, and consider adding a new test case for this specific scenario.