Closed Bug 1743234 Opened 2 years ago Closed 2 years ago

Null check from BoxValue_AnyRef must consider the whole pointer

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

x86_64
Unspecified
defect

Tracking

()

RESOLVED FIXED
96 Branch
Tracking Status
firefox96 --- fixed

People

(Reporter: lth, Assigned: lth)

Details

Attachments

(1 file)

If the boxing succeeds but the box is allocated on a 4GB address boundary on a 64-bit system, we will erroneously jump to the throw label because the null check considers only the low 32 bits of the return value. No error will have been reported, so we may end up reporting OOM (uncertain). This is way obscure and was found by inspection in the aftermath of another problem, see e.g. bug 1742053 comment 26.

The return value of the boxing is a pointer, not a 32-bit value, and
we must check the whole pointer for null.

Severity: -- → S4
Priority: -- → P3
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/54664793b10f
Null pointer test must check the whole pointer. r=rhunt
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
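The failure mode from the bug description, modelled in C as an added example; it is not SpiderMonkey code and not part of the bug or its patch. `fake_box`, `call_site` and the outcome names are hypothetical stand-ins for the boxing callout and the check at its call site, and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What the call site does after the boxing call returns. */
typedef enum { BOXED_OK, THROW_WITH_ERROR, THROW_NO_ERROR } outcome_t;
/* Hypothetical stand-in for the boxing callout: the 64-bit return register
 * holds the box address, or 0 with an error recorded on failure. */
typedef struct { uint64_t ret; bool error_pending; } call_result_t;
static call_result_t fake_box(uint64_t box_addr) {
    return (call_result_t){ box_addr, box_addr == 0 };
}
/* Buggy check: compares only the low 32 bits of the return register. */
static bool is_null_low32(uint64_t ret) { return (uint32_t)ret == 0; }
/* Fixed check: compares the whole pointer. */
static bool is_null_full(uint64_t ret) { return ret == 0; }

static outcome_t call_site(uint64_t box_addr, bool (*is_null)(uint64_t)) {
    call_result_t r = fake_box(box_addr);
    if (!is_null(r.ret)) return BOXED_OK;
    /* "throw label": the handler assumes an error was already reported. */
    return r.error_pending ? THROW_WITH_ERROR : THROW_NO_ERROR;
}

/* Count addresses for which the two checks lead to different outcomes. */
static int count_disagreements(const uint64_t *a, int n) {
    int bad = 0;
    for (int i = 0; i < n; i++)
        bad += call_site(a[i], is_null_low32) != call_site(a[i], is_null_full);
    return bad;
}

/* Constructed sample return values (not addresses taken from the bug). */
static const uint64_t SAMPLE[] = {
    0x0000000000000000ULL, /* real failure: null pointer */
    0x00007f3a12345670ULL, /* ordinary 64-bit heap address */
    0x0000000100000000ULL, /* exactly 4 GiB: low 32 bits are all zero */
    0x00007f3a00000000ULL, /* another address on a 4 GiB boundary */
    0x00000000fffffff8ULL, /* just below 4 GiB: low 32 bits non-zero */
};
#define N_SAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void) {
    for (int i = 0; i < N_SAMPLE; i++)
        printf("%#llx low32=%d full=%d\n", (unsigned long long)SAMPLE[i],
               call_site(SAMPLE[i], is_null_low32), call_site(SAMPLE[i], is_null_full));
    printf("disagreements: %d\n", count_disagreements(SAMPLE, N_SAMPLE));
    return 0;
}
```

Only the two addresses on a 4 GiB boundary diverge: the 32-bit check sends a valid box to the throw path with no error pending, while the full-width check accepts it.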