googleprojectzero / fuzzilli

A JavaScript Engine Fuzzer
Apache License 2.0

Feature problem: Cyclic __proto__ value #452

Open Yi2255 opened 5 days ago

Yi2255 commented 5 days ago

Problem

Code generators that use setPrototype may result in a cyclic assignment of __proto__ value.

Example

```js
const o10 = {
    __proto__: 64,
};
const o11 = {
    __proto__: o10,
};
o10.__proto__ = o11; // TypeError: Cyclic __proto__ value
```

The problem is more likely to be reproduced with the following generator weighting.

cyclic assignment.txt

saelo commented 3 days ago

Right, this can happen. I'm not sure how big of an issue this is, but what we could do is create a dedicated SetPrototype IL operation and always use guards for it so that we emit a try-catch in JavaScript.
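An added JavaScript example, not code from the issue or from Fuzzilli, that reproduces the cyclic assignment from the report above and shows the try-catch guarded form of the assignment that the comment proposes, together with a prototype-chain walk that predicts the cycle before assigning. The function names are mine; one detail worth knowing is that `__proto__: 64` in an object literal is ignored by the language, so o10 keeps Object.prototype.

```javascript
// Added example (not Fuzzilli code). Names below are hypothetical helpers.

// Walk proto's prototype chain; true if target already sits on it, which is
// exactly the case where "target.__proto__ = proto" throws a TypeError.
function wouldCreateCycle(target, proto) {
  // Primitive prototype values are ignored by the __proto__ setter, so they
  // can never form a cycle.
  if (proto === null || (typeof proto !== 'object' && typeof proto !== 'function')) {
    return false;
  }
  let p = proto;
  while (p !== null) {
    if (p === target) return true;
    p = Object.getPrototypeOf(p);
  }
  return false;
}

// The guarded form a SetPrototype operation would emit: the assignment runs
// inside try-catch so a cyclic value does not abort the whole test case.
// Returns true if the assignment ran without throwing, false on TypeError.
function guardedSetPrototype(o, p) {
  try {
    o.__proto__ = p;
    return true;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    return false;
  }
}

// Reproduces the report: o11 -> o10 -> Object.prototype, then o10 -> o11.
function reproduceIssue() {
  const o10 = { __proto__: 64 };   // 64 is not an object: literal ignores it
  const o11 = { __proto__: o10 };
  return {
    o10ProtoIsObjectPrototype: Object.getPrototypeOf(o10) === Object.prototype,
    o11ProtoIsO10: Object.getPrototypeOf(o11) === o10,
    cycleDetected: wouldCreateCycle(o10, o11),
    assignmentSucceeded: guardedSetPrototype(o10, o11),   // false: TypeError
    o10ProtoUnchanged: Object.getPrototypeOf(o10) === Object.prototype,
    selfAssignmentSucceeded: guardedSetPrototype(o10, o10), // also a cycle
  };
}
```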

Yi2255 commented 1 day ago

I understand your point. Thank you for sharing this idea!