Closed
Bug 1719456
Opened 3 years ago
Closed 3 years ago
JS fuzz-tests lack a call to LeaveRealm
Categories
(Core :: Fuzzing, defect)
Tracking
()
RESOLVED
FIXED
91 Branch
| Tracking | Status | |
|---|---|---|
| firefox91 | --- | fixed |
People
(Reporter: decoder, Assigned: decoder)
Details
(Keywords: sec-want, Whiteboard: [adv-main91-])
Attachments
(1 file)
Currently when fuzz-tests exits (e.g. when libFuzzer is started with an iteration limit like for coverage runs) a use-after-free occurs due to a missing JS::LeaveRealm call in jsfuzz_uninit.
This is a blocker for fuzzing coverage of JS libFuzzer targets.
|
Assignee | |
Comment 1•3 years ago
|
||
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/abbf6bfd5518
Call JS::LeaveRealm in jsfuzz_uninit for proper shutdown. r=jandem
|
||
Comment 3•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
|
||
Updated•3 years ago
|
Whiteboard: [adv-main90-]
|
|
||
Updated•3 years ago
|
Whiteboard: [adv-main90-] → [adv-main91-]
You need to log in
before you can comment on or make changes to this bug.
Description
•