
Assertion failure in JavascriptArray.cpp

Open zhunki opened this issue 3 years ago • 7 comments

The following PoC causes an assertion failure in a "debug" build on Ubuntu.

function opt(){
	// 4294967295 (2^32 - 1) is the largest length a JavaScript array may have
	const v2 = [-1000000000.0];
	v2.length = 4294967295;
	// copyWithin() with no arguments resolves to target 0, start 0, end = length,
	// i.e. it copies the whole range onto itself
	const v3 = v2.copyWithin();
	return v3;
}

// opt() takes no parameters; the argument is ignored and the loop simply
// calls it repeatedly so the JIT tiers kick in
for(let i=0;i<0x200;i++){
	opt(false);
}

zhunki avatar Dec 24 '21 11:12 zhunki

I can see this failing, but I want to check something before I leave this and move on to verifying other reports. This would only fail if the length is exactly equal to MaxArrayLength; I feel we might be off by one. There is the condition:

        if ((direction == -1 && (fromVal >= MaxArrayLength || toVal >= MaxArrayLength))
            || (((fromVal + count) > MaxArrayLength) || ((toVal + count) > MaxArrayLength)))
        {

https://github.com/chakra-core/ChakraCore/blob/master/lib/Runtime/Library/JavascriptArray.cpp#L9452-L9454

which doesn't catch MaxArrayLength when direction is 1, but its else branch would trip an assert on just that.

ppenzin avatar Jan 31 '22 08:01 ppenzin
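The off-by-one ppenzin describes can be checked on paper by working out what copyWithin() with no arguments resolves to on an array of length MaxArrayLength. The model below is an added example, not ChakraCore code: it resolves copyWithin's (target, start, end) arguments per the ECMAScript algorithm into the (from, to, count, direction) tuple the engine loops over, then applies the guard quoted above exactly as written. It assumes MaxArrayLength is 0xFFFFFFFF and uses 64-bit integers so the sums cannot wrap; the names `resolve_copy_within`, `guard_rejects` and `poc_args` are this example's own, not the engine's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ChakraCore's MaxArrayLength is 0xFFFFFFFF (2^32 - 1), the largest
 * length a JavaScript array may have. */
#define MAX_ARRAY_LENGTH 0xFFFFFFFFLL

/* The tuple the engine's copy loop works from. Assumption: modelled with
 * 64-bit integers so the sums in the guard below cannot wrap. */
typedef struct {
    int64_t from;   /* first source index */
    int64_t to;     /* first target index */
    int64_t count;  /* number of elements to move */
    int direction;  /* 1 = copy forwards, -1 = copy backwards (overlap) */
} CopyWithinArgs;

/* Relative index resolution from the copyWithin spec: negative values count
 * back from len, and the result is clamped into [0, len]. */
static int64_t clamp_relative(int64_t rel, int64_t len)
{
    if (rel < 0) {
        int64_t v = len + rel;
        return v < 0 ? 0 : v;
    }
    return rel > len ? len : rel;
}

/* Resolve copyWithin(target, start, end) for an array of length len.
 * has_end == false models an omitted (undefined) end argument, and an
 * omitted target/start is passed as 0, which is what ToInteger(undefined)
 * yields. */
CopyWithinArgs resolve_copy_within(int64_t len, int64_t target, int64_t start,
                                   bool has_end, int64_t end)
{
    CopyWithinArgs a;
    a.to = clamp_relative(target, len);
    a.from = clamp_relative(start, len);
    int64_t final = has_end ? clamp_relative(end, len) : len;
    /* count = min(final - from, len - to) */
    a.count = final - a.from;
    if (len - a.to < a.count) {
        a.count = len - a.to;
    }
    /* Overlapping ranges with the target above the source must be copied
     * backwards so earlier writes do not clobber unread source elements. */
    a.direction = (a.from < a.to && a.to < a.from + a.count) ? -1 : 1;
    return a;
}

/* The guard quoted in the comment above, transcribed as written: returns true
 * when the engine would take its out-of-range branch. */
bool guard_rejects(const CopyWithinArgs *a)
{
    return (a->direction == -1 &&
            (a->from >= MAX_ARRAY_LENGTH || a->to >= MAX_ARRAY_LENGTH))
        || ((a->from + a->count) > MAX_ARRAY_LENGTH)
        || ((a->to + a->count) > MAX_ARRAY_LENGTH);
}

/* The PoC: length == MaxArrayLength, copyWithin() with no arguments. */
CopyWithinArgs poc_args(void)
{
    return resolve_copy_within(MAX_ARRAY_LENGTH, 0, 0, false, 0);
}

/* True when the guard lets the PoC through to the else branch. */
bool poc_passes_guard(void)
{
    CopyWithinArgs a = poc_args();
    return !guard_rejects(&a);
}

int main(void)
{
    CopyWithinArgs a = poc_args();
    printf("from=%lld to=%lld count=%lld direction=%d guard_rejects=%d\n",
           (long long)a.from, (long long)a.to, (long long)a.count,
           a.direction, (int)guard_rejects(&a));
    return 0;
}
```

For the PoC the tuple resolves to from = 0, to = 0, count = MaxArrayLength, direction = 1: both sums equal MaxArrayLength rather than exceed it, so the `>` comparisons let it through, while a count one larger is rejected. The model only reproduces the index arithmetic; it says nothing about what the else branch does beyond what the comment above states.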

Hey @zhunki, can I be assigned this work in order to resolve this issue?

Arunav1 avatar Jan 16 '24 13:01 Arunav1