
Assertion failure in PathTypeHandler.cpp

Open · zhunki opened this issue 3 years ago · 1 comment

The following PoC causes an assertion failure in a "debug" build on Ubuntu.

function v0(v1,v2) {
}
function v3(v4,v5) {
}
const v8 = [65537,v3,-2609076265,-2609076265];
const v9 = v0.bind();         // bound function with its own configurable "length"
v9.__proto__ = v8;            // put an Array on v9's prototype chain
const v10 = delete v9.length; // remove the own "length" (evaluates to true)
v9[-1956872956] >>>= 65537;   // add a named property to v9 after the delete
with (v9) {
    length = v10;             // resolves to v9 through the with scope and re-adds "length" as an own property
}

zhunki · Dec 24 '21 11:12

Slight simplification and error message:

$ cat ../6771.js 
function v0(v1,v2) {
}
const v8 = [65537,-2609076265,-2609076265];
const v9 = v0.bind();
v9.__proto__ = v8;
delete v9.length;
v9[-1956872956] >>>= 65537;
with (v9) {
    length = 10;
}
$ ch 6771.js 
ASSERTION 312593: (../lib/Runtime/Types/PathTypeHandler.cpp, line 3920) Re-add of deleted property NYI in PathTypeHandler
 Failure: (0)
Illegal instruction (core dumped)

ppenzin · Jan 31 '22 15:01
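The property operations the PoC performs, replayed in an engine-neutral form so the meaning of "re-add of deleted property" is visible. This is an added example, not code from the issue or from ChakraCore; it does not reproduce the assertion itself (that needs a ChakraCore debug build), it only shows what the spec requires at each step: the bound function's own `length` is deleted, a named property is added, and the assignment inside `with` resolves `length` through the Array on the prototype chain and creates a fresh own data property on `v9`. The function name `reproduceSteps` and the use of `new Function` (so the sloppy-mode-only `with` also runs under strict code or as an ES module) are this example's own choices.

```javascript
// Added example (not from the issue or ChakraCore): engine-neutral replay of
// the PoC's property operations. Names v0/v8/v9 mirror the simplified PoC.
function reproduceSteps() {
  function v0(v1, v2) {}
  const v8 = [65537, -2609076265, -2609076265];
  const v9 = v0.bind();                 // bound function: own, configurable "length"
  Object.setPrototypeOf(v9, v8);        // same effect as v9.__proto__ = v8

  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const hadOwnLengthBefore = hasOwn(v9, 'length');
  const deleted = delete v9.length;     // true: bound-function "length" is configurable
  const hadOwnLengthAfterDelete = hasOwn(v9, 'length');

  // A negative numeric key is an ordinary named property, not an array index.
  // undefined >>> (65537 & 31) === 0, so v9["-1956872956"] becomes 0.
  v9[-1956872956] >>>= 65537;

  // Inside the with block, HasProperty(v9, "length") is true because the Array
  // prototype v8 has "length", so the assignment targets v9. OrdinarySet walks
  // to v8's writable data property and, since the receiver v9 has no own
  // "length" any more, defines a brand-new own data property on v9.
  const assignViaWith = new Function('v9', 'with (v9) { length = 10; }');
  assignViaWith(v9);

  return {
    hadOwnLengthBefore,
    deleted,
    hadOwnLengthAfterDelete,
    negativeKeyValue: v9['-1956872956'],
    ownLengthDescriptor: Object.getOwnPropertyDescriptor(v9, 'length'),
    prototypeLength: v8.length,         // the Array's own length is untouched
  };
}
```

Running `reproduceSteps()` in any ES5+ engine returns a descriptor for `v9.length` of `{value: 10, writable: true, enumerable: true, configurable: true}`, i.e. a newly created own property rather than the original non-writable bound-function `length`; it is this delete-then-recreate sequence on the same object that the ChakraCore assertion reports as not yet implemented for PathTypeHandler.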