IonMonkey: Crash [@ js::Shape::getObjectClass] with use-after-free

RESOLVED DUPLICATE of bug 762936

Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Status: RESOLVED DUPLICATE of bug 762936
Reported: 6 years ago
Modified: 5 years ago

Reporter: decoder
Assignee: Unassigned

Blocks: 2 bugs
Keywords: crash, sec-critical, testcase
Version: Other Branch
Platform: x86 Linux
Flags: in-testsuite-


Whiteboard: [jsbugmon:update], crash signature
Attachments: 1 attachment

Description (Reporter, 6 years ago)

Created attachment 631455: Testcase for shell

The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Comment 1 (Reporter, 6 years ago)

Crash trace:

==11532== Invalid read of size 4
==11532==    at 0x804D693: js::Shape::getObjectClass() const (jsscope.h:605)
==11532==    by 0x804D61F: js::Shape::isNative() const (jsscope.h:551)
==11532==    by 0x804E924: js::ObjectImpl::isNative() const (ObjectImpl-inl.h:174)
==11532==    by 0x8470317: IsPropertyInlineable(JSObject*, js::ion::IonCacheSetProperty&) (IonCaches.cpp:513)
==11532==    by 0x847063F: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:601)
==11532==    by 0x9CD0615: ???
==11532==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd
Most likely a duplicate of Bug 762936 -- both involve keeping around a JSObject that has a GC'd shape_.
Keywords: sec-critical

Updated (6 years ago)

Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 762936
Comment 4 (Reporter, 5 years ago)

Will add the test in bug 763440, which should cover this.
Flags: in-testsuite-