Bug 1727364 Comment 16 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

This bug results in a `UndefinedValue` being passed to a C++ internal helper method that assumes it receives `ObjectValue`. Due to our spectre mitigations, the `JS::Value::toObject` call will convert undefined into a nullptr (32-bit) or outside-address-space (64-bit) pointer that will dereference to a reliable crash. The regression was added to Fx92 and I would like to call this sec-low; mark 92 as wontfix; and land patch today-ish. The fix is a slight design change, so I'd rather ride trains than uplift if spectre mitigations are already protecting us.

Andrew, is this reasonable?
This bug results in a `UndefinedValue` being passed to a C++ internal helper method that assumes it receives `ObjectValue`. Due to our spectre mitigations, the `JS::Value::toObject` call will convert undefined into a nullptr (32-bit) or outside-address-space (64-bit) pointer that will dereference to a reliable crash. The regression was added to Fx92 and I would like to call this sec-low; mark 92 as wontfix; and land patch today-ish. The fix is a slight design change, so I'd rather ride trains than uplift if spectre mitigations are already protecting us. I will defer landing test case either way.

Andrew, is this reasonable?
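The following is an added toy model, not SpiderMonkey code and not part of the comment above, of the failure mode the commenter describes: a tagged value whose `toObject` is written in the branchless, Spectre-mitigated style, so that a tag mismatch yields a pointer that cannot be dereferenced (null on 32-bit, a non-canonical address on 64-bit) instead of a type-confused object pointer. `Value`, `Tag`, `toObjectMitigated`, `unsafeHelper`, `safeHelper` and `pointerIsPoisoned` are all hypothetical names chosen for this illustration; the real `JS::Value` layout and mitigation differ. It contrasts a helper that assumes it always receives an object with a hardened form that checks the tag at the boundary.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

// Toy tagged value: a tag plus a payload word. This is an added illustration
// and deliberately much simpler than the real JS::Value representation.
enum class Tag : std::uint8_t { Undefined, Int32, Object };

struct Object {
    std::string name;
};

struct Value {
    Tag tag;
    std::uintptr_t payload;

    static Value undefined() { return {Tag::Undefined, 0}; }
    static Value fromObject(Object* o) {
        return {Tag::Object, reinterpret_cast<std::uintptr_t>(o)};
    }
    bool isObject() const { return tag == Tag::Object; }

    // Hypothetical Spectre-style toObject: rather than trusting the caller's
    // assumption about the tag, it masks the payload branchlessly. If the tag
    // is not Object, the result is 0 on a 32-bit build or has the top bit set
    // on a 64-bit build (non-canonical on x86-64), so any dereference faults
    // deterministically instead of reading through a confused pointer.
    Object* toObjectMitigated() const {
        // all-ones when the tag is Object, all-zeros otherwise
        std::uintptr_t mask = -static_cast<std::uintptr_t>(tag == Tag::Object);
        std::uintptr_t p = payload & mask;
        if constexpr (sizeof(void*) == 8) {
            p |= ~mask & (static_cast<std::uintptr_t>(1) << 63);  // poison bit
        }
        return reinterpret_cast<Object*>(p);
    }
};

// Helper written on the assumption that it only ever receives an object value.
// Under the mitigated toObject, an Undefined argument does not silently reuse
// the payload as a pointer; it dereferences a poisoned address and crashes.
std::string unsafeHelper(const Value& v) {
    return v.toObjectMitigated()->name;
}

// Hardened form: validate the tag at the boundary and report the mismatch
// to the caller instead of relying on the mitigation to turn it into a crash.
std::optional<std::string> safeHelper(const Value& v) {
    if (!v.isObject()) {
        return std::nullopt;
    }
    return v.toObjectMitigated()->name;
}

// True when the pointer toObject would hand back is not dereferenceable:
// null, or carrying the 64-bit poison bit.
bool pointerIsPoisoned(const Value& v) {
    std::uintptr_t p = reinterpret_cast<std::uintptr_t>(v.toObjectMitigated());
    if (p == 0) {
        return true;
    }
    if constexpr (sizeof(void*) == 8) {
        return (p >> 63) != 0;
    }
    return false;
}

int main() {
    Object o{"example"};  // constructed sample object
    Value good = Value::fromObject(&o);
    Value bad = Value::undefined();

    std::printf("object value poisoned: %s\n", pointerIsPoisoned(good) ? "yes" : "no");
    std::printf("undefined value poisoned: %s\n", pointerIsPoisoned(bad) ? "yes" : "no");
    std::printf("safeHelper(object): %s\n", safeHelper(good).value().c_str());
    std::printf("safeHelper(undefined) has value: %s\n",
                safeHelper(bad).has_value() ? "yes" : "no");
    // unsafeHelper(bad) is intentionally not called: it would crash.
    return 0;
}
```

The point for review is the second helper: the mitigation makes the mistake crash reliably rather than become a memory-safety bug, which is why the comment rates it sec-low, but the actual fix is to stop the undefined value from reaching a helper that assumes an object in the first place.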
