[deserializer] Reduce DCHECK noise for fuzzing

Skip over DCHECK in fuzzing that is always checked later by getting the value from a Maybe object. Bug: chromium:1359230, chromium:1360735 Change-Id: I9512e27fdeb1d6919e24bd631ae2caece7aed466 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874934 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#83075}

[deserializer] Reduce DCHECK noise for fuzzing
Skip over DCHECK in fuzzing that is always checked later by getting the value from a Maybe object. Bug: chromium:1359230, chromium:1360735 Change-Id: I9512e27fdeb1d6919e24bd631ae2caece7aed466 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874934 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#83075}
9459c27b · Camillo · V8 LUCI CQ · c0f420ef · 9459c27b · 9459c27b
Commit 9459c27b authored Sep 08, 2022 by Camillo Committed by V8 LUCI CQ Sep 08, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 3 deletions

value-serializer.cc src/objects/value-serializer.cc +9 -3

regress-1359230.js test/mjsunit/regress/regress-1359230.js +30 -0

No files found.
--- a/src/objects/value-serializer.cc
+++ b/src/objects/value-serializer.cc
@@ -1215,6 +1215,7 @@ ValueDeserializer::ValueDeserializer(Isolate* isolate, const uint8_t* data,
          ReadOnlyRoots(isolate_).empty_fixed_array())) {}

 ValueDeserializer::~ValueDeserializer() {
+  DCHECK_LE(position_, end_);
  GlobalHandles::Destroy(id_map_.location());

  Handle<Object> transfer_map_handle;
@@ -1280,7 +1281,11 @@ Maybe<T> ValueDeserializer::ReadVarint() {
  // DCHECK code to make sure the manually unrolled loop yields the exact
  // same end state and result.
  auto previous_position = position_;
-  T expected_value = ReadVarintLoop<T>().ToChecked();
+  Maybe<T> maybe_expected_value = ReadVarintLoop<T>();
+  if (FLAG_fuzzing && maybe_expected_value.IsNothing()) {
+    return maybe_expected_value;
+  }
+  T expected_value = maybe_expected_value.ToChecked();
  auto expected_position = position_;
  position_ = previous_position;
 #endif  // DEBUG
@@ -1657,8 +1662,9 @@ bool ValueDeserializer::ReadExpectedString(Handle<String> expected) {
    return {};
  }
  // Length is also checked in ReadRawBytes.
-  DCHECK_LE(byte_length,
-            static_cast<uint32_t>(std::numeric_limits<int32_t>::max()));
+  DCHECK_IMPLIES(!FLAG_fuzzing,
+                 byte_length <= static_cast<uint32_t>(
+                                    std::numeric_limits<int32_t>::max()));
  if (!ReadRawBytes(byte_length).To(&bytes)) {
    position_ = original_position;
    return false;

--- a/test/mjsunit/regress/regress-1359230.js
+++ b/test/mjsunit/regress/regress-1359230.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --fuzzing
+
+
+let v0 = -1.7976931348623157e+308;
+const v4 = d8.serializer.serialize(v0);
+const v5 = new Uint8Array(v4);
+v5[2] = 73;
+try {
+  d8.serializer.deserialize(v4);
+} catch(e) { }
+
+
+const str = /\dei7/sgiuy;
+const obj = {"a":str, "length":9007199254740991};
+const increment = 2061353130;
+let n = increment * 21;
+for (let i = 0; i < 52; i++) {
+  n += increment;
+  try {
+    const v9 =  d8.serializer.serialize(obj);
+    const v10 = new Uint8Array(v9);
+    v10[6] = n;
+    const v11 =  d8.serializer.deserialize(v9);
+  } catch(v12) {
+  }
+}