Closed Bug 762984 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::Shape::getObjectClass] with use-after-free

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 762936

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Crash trace:

==11532== Invalid read of size 4
==11532==    at 0x804D693: js::Shape::getObjectClass() const (jsscope.h:605)
==11532==    by 0x804D61F: js::Shape::isNative() const (jsscope.h:551)
==11532==    by 0x804E924: js::ObjectImpl::isNative() const (ObjectImpl-inl.h:174)
==11532==    by 0x8470317: IsPropertyInlineable(JSObject*, js::ion::IonCacheSetProperty&) (IonCaches.cpp:513)
==11532==    by 0x847063F: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:601)
==11532==    by 0x9CD0615: ???
==11532==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd
Most likely a duplicate of Bug 762936 -- both involve keeping around a JSObject that has a GC'd shape_.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Will add the test in bug 763440, which should cover this.
Flags: in-testsuite-