Segmentation fault in SpiderMonkey InlineCache
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
Release | Tracking | Status
---|---|---
firefox135 | --- | fixed
People
(Reporter: neseesun, Assigned: iain)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, Whiteboard: [client-bounty-form])
Attachments
(3 files)
version:
commit e219ba8a080b4c35d8243c4040095ee2bd8dabf4 (HEAD -> bookmarks/central, origin/bookmarks/central, refs/cinnabar/refs/heads/bookmarks/central)
Author: Goloman Adrian <agoloman@mozilla.com>
Date: Wed Dec 11 21:17:56 2024 +0200
Backed out changeset 62d0239c5141 (bug 1936381) for causing build bustages @updater.cpp. CLOSED TREE
build with:
../configure --enable-debug --enable-optimize --disable-tests
run with:
./js poc.js
You will see the segmentation fault (OOB write) in the SpiderMonkey InlineCache module.
Comment 2 • 2 months ago
Looks like a problem with the disblic testing function.
Comment 3 • 2 months ago (Assignee)
If we GC while dumping IC chains, then we can discard stubs with weak edges to dead shapes and end up trying to dump freed stubs.
This is not security-sensitive, because it only affects a testing function.
This was reported along with another issue in bug 1937176, but we'll fix the other issue there, and this bug here.
Comment 4 • 2 months ago (Assignee)
JSSprinter provides all the same functionality as DisasmBuffer. In addition to simplifying the code, by reusing the same JSSprinter for the entirety of a decompilation, we can avoid finishing the string (potentially triggering a GC) until we're done walking the IC chains.
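The failure mode in comment 3 and the fix in comment 4 come down to one ordering rule: nothing that can trigger a GC may run while you still hold pointers into a chain the sweep is allowed to unlink. The following is an added illustration in plain C++, not SpiderMonkey code and not the patch. The Shape, Stub, Heap and Sprinter types, the chain layout, and the assumption that finishing a string is a GC point are all made up for the example; the "freed" stub is kept in memory and flagged so the stale access can be counted instead of crashing, where the real engine reads freed memory.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// Assumption: a GC'd "shape" that a stub refers to through a weak edge.
struct Shape {
    bool alive;
};

// One stub in an IC chain. `discarded` stands in for the stub having been
// freed by the sweep; we keep the memory so a stale access can be counted.
struct Stub {
    Shape* shape;      // weak edge: does not keep the shape alive
    int next;          // index of the next stub in the chain, -1 at the end
    std::string text;
    bool discarded;
};

// Minimal heap: owns the stubs and sweeps the ones whose shape has died.
struct Heap {
    std::vector<Stub> stubs;
    int head = -1;
    int gcs = 0;

    void collect() {
        ++gcs;
        int* link = &head;
        while (*link != -1) {
            Stub& s = stubs[*link];
            if (!s.shape->alive) {
                s.discarded = true;   // "free" the stub
                *link = s.next;       // unlink it from the chain
            } else {
                link = &s.next;
            }
        }
    }
};

// Output sink. Finishing (materialising) a string is modelled as a GC point,
// which is exactly what comment 4 postpones until the chain walk is over.
struct Sprinter {
    Heap& heap;
    std::string pending;
    std::vector<std::string> finished;

    void put(const std::string& s) { pending += s; }
    void finish() {
        finished.push_back(pending);
        pending.clear();
        heap.collect();   // assumption: string finalisation can GC
    }
};

struct DumpResult {
    std::vector<std::string> output;
    int freedStubsTouched;   // accesses to a stub after the sweep discarded it
};

// Buggy walk: one finished string per stub, so a GC can run mid-chain and the
// following read of `s.next` is on a stub the sweep has already discarded.
DumpResult dumpChainFinishPerStub(Heap& heap) {
    Sprinter sp{heap};
    int touched = 0;
    for (int cur = heap.head; cur != -1;) {
        Stub& s = heap.stubs[cur];
        sp.put(s.text);
        sp.finish();                   // may discard `s`
        if (s.discarded) ++touched;    // use-after-free in the real engine
        cur = s.next;
    }
    return {sp.finished, touched};
}

// Fixed walk (the approach in comment 4): accumulate everything in one
// sprinter and finish it once, after the last stub has been read.
DumpResult dumpChainFinishOnce(Heap& heap) {
    Sprinter sp{heap};
    int touched = 0;
    for (int cur = heap.head; cur != -1;) {
        Stub& s = heap.stubs[cur];
        if (s.discarded) ++touched;
        sp.put(s.text + "\n");
        cur = s.next;
    }
    sp.finish();   // the only GC point, and no stub is touched after it
    return {sp.finished, touched};
}

// Constructed scenario (not from the bug): three stubs, the first one's shape
// already dead but not yet swept, as described in comment 3.
struct Scenario {
    Shape shapes[3] = {{false}, {true}, {true}};
    Heap heap;
    Scenario() {
        heap.stubs = {{&shapes[0], 1, "stub0", false},
                      {&shapes[1], 2, "stub1", false},
                      {&shapes[2], -1, "stub2", false}};
        heap.head = 0;
    }
};

int main() {
    Scenario bad, good;
    DumpResult r1 = dumpChainFinishPerStub(bad.heap);
    DumpResult r2 = dumpChainFinishOnce(good.heap);
    std::cout << "per-stub finish: stale stub accesses = " << r1.freedStubsTouched
              << ", GCs = " << bad.heap.gcs << "\n";
    std::cout << "finish once:     stale stub accesses = " << r2.freedStubsTouched
              << ", GCs = " << good.heap.gcs << "\n";
    return 0;
}
```

Running the buggy walk on the scenario reports one stale stub access, because the GC triggered by the first finish() discards the very stub being dumped before its `next` is read; the single-finish walk reports none, and the stub is discarded only at the one GC point after the walk. The same check applies when reviewing any debugging or dumping code in a GC'd runtime: find every call that can allocate or finalise, and confirm no raw pointer to a collectable object is live across it.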
Comment 6 • 2 months ago (bugherder)