Add type check to PrototypeOverwriteGenerator

whendrik-cmd · whendrik-cmd · commit 56470ce13ee1 · 2025-09-01T06:25:46.000-07:00
This patch adds a check in case an object and the object its prototype is being set to are the same thing (i.e. obj.__proto__ = obj;) This currently allows for an invalid program with the error: TypeError: Cyclic __proto__ value Bug: 40272934 Change-Id: Ib115f6f754d1cc70564bc91a5fd433033e9d5bdf Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8557236 Reviewed-by: Matthias Liedtke <mliedtke@google.com>
diff --git a/Sources/Fuzzilli/CodeGen/CodeGenerators.swift b/Sources/Fuzzilli/CodeGen/CodeGenerators.swift
@@ -1658,7 +1658,8 @@ public let CodeGenerators: [CodeGenerator] = [
     },
 
     CodeGenerator("PrototypeOverwriteGenerator", inputs: .preferred(.object(), .object())) { b, obj, proto in
-        let needGuard = b.type(of: obj).MayBe(.nullish)
+        // Check for obj == proto to reduce the chance of cyclic prototype chains.
+        let needGuard = b.type(of: obj).MayBe(.nullish) || obj == proto
         b.setProperty("__proto__", of: obj, to: proto, guard: needGuard)
     },
 
