DCHECK failure in HAS_SMI_TAG(ptr) in smi.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5134236073590784

Fuzzer: lokihardt_jshitter
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  HAS_SMI_TAG(ptr) in smi.h
  V8_Dcheck
  void v8::internal::AddToDictionaryTemplate<v8::internal::NameDictionary, v8::int

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=57251:57252

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5134236073590784

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Dec 11
Ooohh, exciting! No security impact though, I think.
The newly introduced IsSmi() check in Smi::cast is flushing out an existing bug: in AddToDictionaryTemplate() in literal-objects.cc, we have the following code structure in the case entry != kNotFound, value_kind == kData:

  if (existing_value->IsAccessorPair()) {
    ...
  } else {
    int existing_value_index = Smi::ToInt(existing_value);
    ...
  }

However, in the "else" branch, existing_value is an AccessorInfo.
I'm not sure what the right fix is, i.e. how AccessorInfos should be handled there. It *might* be as easy as s/Smi::ToInt/GetExistingValueIndex/ like elsewhere in that function, but I don't know whether that leads to the correct behavior. FWIW, in non-SLOW_DCHECK builds, Chrome currently refuses to overwrite "length", whereas Firefox allows it.
For convenience, here's the repro:

  class Foo extends Function {
    static ['length']() { return 42; }
  };

Assigning to Igor who wrote all that code, so hopefully has some context.
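The comment above observes that engines disagree on whether a static class member named "length" may replace the constructor's own "length" property (Chrome refused, Firefox allowed). The following is an added probe, not code from the bug report or from V8, that runs the reproducer and a few sibling variants through the engine it is executed on and reports, via Object.getOwnPropertyDescriptor, whether the override took effect. The variant list and the function names probeLengthOverride and probeAll are this example's own; per the spec, a class constructor's "length" is configurable (and non-writable), so a later static member with the same key is expected to replace it.

```javascript
// Added example (not from the bug thread): probe how the running engine
// handles a static class member whose key is "length".

function probeLengthOverride(source) {
  // Each class expression is compiled separately via `new Function` so that
  // a SyntaxError in one variant does not prevent the others from running.
  let ctor;
  try {
    ctor = new Function(`return (${source});`)();
  } catch (e) {
    return { source, error: `${e.name}: ${e.message}` };
  }
  const desc = Object.getOwnPropertyDescriptor(ctor, 'length');
  const overridden = typeof desc.value === 'function';
  return {
    source,
    overridden,                       // true if the static method replaced "length"
    value: overridden ? desc.value() : desc.value,
    writable: desc.writable,          // spec: false for the built-in "length"
    configurable: desc.configurable,  // spec: true, which is why an override is legal
  };
}

// Constructed variants: the ClusterFuzz reproducer from the comment above,
// the same with a literal key, a plain class, and a control with no override.
const VARIANTS = [
  "class Foo extends Function { static ['length']() { return 42; } }",
  "class Bar extends Function { static length() { return 42; } }",
  "class Baz { static ['length']() { return 42; } }",
  "class Ctl { constructor(a, b) {} }",
];

function probeAll() {
  return VARIANTS.map(probeLengthOverride);
}

for (const r of probeAll()) {
  console.log(JSON.stringify(r));
}
```

On a spec-conforming engine the first three variants report overridden: true with value 42, and the control reports the constructor's arity (2) with writable: false and configurable: true; an engine that refuses the override, as Chrome did at the time of this report, shows overridden: false for the first three instead.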
Comment 1 by ClusterFuzz, Dec 11
Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)