Commit 9459c27b authored by Camillo's avatar Camillo Committed by V8 LUCI CQ

[deserializer] Reduce DCHECK noise for fuzzing

Under --fuzzing, skip the DCHECKs whose condition is re-checked later anyway
when the value is extracted from the Maybe object.

Bug: chromium:1359230, chromium:1360735
Change-Id: I9512e27fdeb1d6919e24bd631ae2caece7aed466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874934
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: 's avatarSamuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83075}
parent c0f420ef
......@@ -1215,6 +1215,7 @@ ValueDeserializer::ValueDeserializer(Isolate* isolate, const uint8_t* data,
ReadOnlyRoots(isolate_).empty_fixed_array())) {}
ValueDeserializer::~ValueDeserializer() {
DCHECK_LE(position_, end_);
GlobalHandles::Destroy(id_map_.location());
Handle<Object> transfer_map_handle;
......@@ -1280,7 +1281,11 @@ Maybe<T> ValueDeserializer::ReadVarint() {
// DCHECK code to make sure the manually unrolled loop yields the exact
// same end state and result.
auto previous_position = position_;
T expected_value = ReadVarintLoop<T>().ToChecked();
Maybe<T> maybe_expected_value = ReadVarintLoop<T>();
if (FLAG_fuzzing && maybe_expected_value.IsNothing()) {
return maybe_expected_value;
}
T expected_value = maybe_expected_value.ToChecked();
auto expected_position = position_;
position_ = previous_position;
#endif // DEBUG
......@@ -1657,8 +1662,9 @@ bool ValueDeserializer::ReadExpectedString(Handle<String> expected) {
return {};
}
// Length is also checked in ReadRawBytes.
DCHECK_LE(byte_length,
static_cast<uint32_t>(std::numeric_limits<int32_t>::max()));
DCHECK_IMPLIES(!FLAG_fuzzing,
byte_length <= static_cast<uint32_t>(
std::numeric_limits<int32_t>::max()));
if (!ReadRawBytes(byte_length).To(&bytes)) {
position_ = original_position;
return false;
......
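Review bot: The new early return on the `FLAG_fuzzing && maybe_expected_value.IsNothing()` branch skips the `position_ = previous_position;` restore that follows it, so a truncated varint is reported as Nothing with `position_` left wherever `ReadVarintLoop` stopped, and nothing at the return says whether that is intended. If this is meant to match what the plain `ReadVarintLoop` path already does, document it: `// Under --fuzzing a truncated varint is reported as Nothing instead of crashing in ToChecked(); position_ is left where ReadVarintLoop stopped, as on the non-DEBUG ReadVarintLoop path.` Otherwise restore the cursor first, `position_ = previous_position; return maybe_expected_value;`. Note also that this branch only exists in DEBUG builds, so a fuzzer on a debug build can observe a failure from this function that a release build presumably cannot produce here, which is worth a line in the comment if findings are expected to reproduce in release. ReadVarint's body starts and ends outside the hunk.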
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --fuzzing
let v0 = -1.7976931348623157e+308;
const v4 = d8.serializer.serialize(v0);
const v5 = new Uint8Array(v4);
v5[2] = 73;
try {
d8.serializer.deserialize(v4);
} catch(e) { }
const str = /\dei7/sgiuy;
const obj = {"a":str, "length":9007199254740991};
const increment = 2061353130;
let n = increment * 21;
for (let i = 0; i < 52; i++) {
n += increment;
try {
const v9 = d8.serializer.serialize(obj);
const v10 = new Uint8Array(v9);
v10[6] = n;
const v11 = d8.serializer.deserialize(v9);
} catch(v12) {
}
}
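Review bot: The test carries no comment tying its two scenarios (the corrupted double at `v5[2] = 73` and the loop overwriting `v10[6]`) to the two bugs in the commit trailer or to the DCHECKs it is meant to stop hitting, so a later reader cannot tell which half guards which check. A short header after the `// Flags: --fuzzing` line would do, e.g. `// Regression test: corrupting serialized bytes must surface as a deserialize() failure under --fuzzing, not as a DCHECK in ValueDeserializer (chromium:1359230, chromium:1360735).` Which corrupted byte triggers which assertion is not visible from the test itself, so mapping each scenario to a specific bug ID would be a guess and is better left to the commit message.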