bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

Browse Source
This commit is contained in:
Jack Ren
2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
PwnCollege/V8Exploitation/Level7/README.md Normal file
View File

@@ -0,0 +1,18 @@
# Level 7
## Problem
Patch deleted all `Deoptimize` calling for `CheckMaps` in Machine Lowering phase of TurboShaft, which means TurboFan generated JITed code won't bail out if object's map is wrong.
## Key Knowledge
- What does Machine Lowering phase in TurboShaft do?
> [MachineLoweringReducer, formerly known as EffectControlLinearizer, lowers simplified operations to machine operations.](https://source.chromium.org/chromium/v8/v8.git/+/5a2307d0f2c5b650c6858e2b9b57b335a59946ff:src/compiler/turboshaft/machine-lowering-reducer-inl.h;l=43)
- [V8 Turbolizer](https://github.com/v8/v8/tree/main/tools/turbolizer) for debugging
- Turbolizer is a HTML-based tool that visualizes optimized code along the various phases of Turbofan's optimization pipeline, allowing easy navigation between source code, Turbofan IR graphs, scheduled IR nodes and generated assembly code.
- [Online V8 Turbolizer](https://v8.github.io/tools/head/turbolizer/index.html)
- [V8 Native Syntax List](https://source.chromium.org/chromium/v8/v8.git/+/5a2307d0f2c5b650c6858e2b9b57b335a59946ff:src/runtime/runtime.h;l=494)
- How to ensure a function is not inline or optimized compiled?
- Native Syntax: `%NeverOptimizeFunction(func);`
- No Native Syntax: Reduce the function's execution time.
- Having patience and perseverance, persistently trying after failure!