Bug 762984 (Closed; opened 12 years ago, closed 12 years ago)
IonMonkey: Crash [@ js::Shape::getObjectClass] with use-after-free
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 762936
Reporter: decoder; Assignee: Unassigned
Keywords: crash, sec-critical, testcase
Whiteboard: [jsbugmon:update]
Attachments (1 file): 1.93 KB, application/x-gzip
The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Comment 1 • 12 years ago (reporter)
Crash trace:
==11532== Invalid read of size 4
==11532==    at 0x804D693: js::Shape::getObjectClass() const (jsscope.h:605)
==11532==    by 0x804D61F: js::Shape::isNative() const (jsscope.h:551)
==11532==    by 0x804E924: js::ObjectImpl::isNative() const (ObjectImpl-inl.h:174)
==11532==    by 0x8470317: IsPropertyInlineable(JSObject*, js::ion::IonCacheSetProperty&) (IonCaches.cpp:513)
==11532==    by 0x847063F: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:601)
==11532==    by 0x9CD0615: ???
==11532==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd
Comment 2 • 12 years ago
Most likely a duplicate of Bug 762936 -- both involve keeping around a JSObject that has a GC'd shape_.
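A constructed C model of the failure mode this comment describes, added here and not SpiderMonkey code: an object caches a pointer to a GC-managed shape but does not trace it, so a collection sweeps the shape and fills it with the 0xDA poison byte, and the next read of shape->clasp yields the 0xdadadada address seen in the trace. The arena, `Shape`, `Object`, `gc()` and `shape_is_poisoned()` are assumptions that model the behaviour, not engine APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: freed GC cells are filled with 0xDA, so a stale pointer
   field reads back as 0xdadadada (32-bit) or 0xdadadadadadadada (64-bit). */
#define POISON_BYTE 0xDA
#define NSHAPES 4

typedef struct { const char *name; } Class;
typedef struct { Class *clasp; int marked; } Shape;   /* GC thing */
typedef struct { Shape *shape; } Object;              /* caches shape_ */

/* Tiny static arena: swept cells keep their storage, so reading the poisoned
   pointer value here is safe, unlike the real crash which dereferenced it. */
static Shape heap[NSHAPES];
static Class plain_class = { "Object" };

static Shape *alloc_shape(int slot) {
    heap[slot].clasp = &plain_class;
    heap[slot].marked = 0;
    return &heap[slot];
}

/* One GC cycle: mark shapes reachable from the roots, poison everything else. */
static void gc(Shape **roots, int nroots) {
    for (int i = 0; i < NSHAPES; i++) heap[i].marked = 0;
    for (int i = 0; i < nroots; i++) if (roots[i]) roots[i]->marked = 1;
    for (int i = 0; i < NSHAPES; i++)
        if (!heap[i].marked) memset(&heap[i], POISON_BYTE, sizeof heap[i]);
}

/* Detection check: does the cached shape's class pointer carry the poison
   pattern? A real engine would assert on this in debug builds. */
int shape_is_poisoned(const Shape *s) {
    uintptr_t pattern = 0;
    for (size_t i = 0; i < sizeof pattern; i++) pattern = (pattern << 8) | POISON_BYTE;
    return (uintptr_t)s->clasp == pattern;
}

/* trace_shape_from_object == 0 reproduces the bug: the object does not keep
   its shape_ alive across GC, so the cached pointer dangles (returns 1).
   With 1, the shape is traced as a root and survives (returns 0). */
int demo_dangling_shape(int trace_shape_from_object) {
    Object obj = { alloc_shape(0) };
    Shape *roots[1] = { trace_shape_from_object ? obj.shape : NULL };
    gc(roots, 1);
    return shape_is_poisoned(obj.shape);
}
```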
Updated • 12 years ago
Keywords: sec-critical
Updated • 12 years ago
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Comment 4 • 11 years ago (reporter)
Will add the test in bug 763440, which should cover this.
Flags: in-testsuite-