918fe04351
PR-URL: https://github.com/nodejs/node/pull/58070 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
29 lines
1.0 KiB
JavaScript
29 lines
1.0 KiB
JavaScript
// Copyright 2024 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
//
|
|
// Flags: --expose-gc --sandbox-testing
|
|
|
|
const kJSArrayType = Sandbox.getInstanceTypeIdFor("JS_ARRAY_TYPE");
|
|
const kJSArrayLengthOffset = Sandbox.getFieldOffset(kJSArrayType, "length");
|
|
const kMaxRegularHeapObjectSize = 131072;
|
|
|
|
const memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));
|
|
|
|
// Allocate an array and promote it to the old generation.
|
|
const array = Array();
|
|
gc();
|
|
// Allocate a value in the young generation.
|
|
const value = new Number();
|
|
|
|
// Corrupt the length to still look like a regular heap object.
|
|
memory.setUint32(
|
|
Sandbox.getAddressOf(array) + kJSArrayLengthOffset,
|
|
kMaxRegularHeapObjectSize,
|
|
true);
|
|
|
|
// OOB write to the JS array also triggering the write barrier for an old->new
|
|
// write with an offset that's too large for the remembered set. This should not
|
|
// crash with OOB in malloc'ed memory.
|
|
array[array.length - 1] = value;
|