Misaligned access to various integer types in JS assembler

Status: NEW (Unassigned)

Product: Core
Component: JavaScript Engine
Reported: 5 years ago
Last updated: 4 years ago

People

(Reporter: Yeuk Hon Wong, Unassigned)

Tracking

Version: Trunk
Hardware: x86_64
OS: Mac OS X


Details

(Whiteboard: [-fsanitize=alignment], URL)

Description (Reporter, 5 years ago)
We are encountering this bug after building the JS shell as described in this MDN page: https://developer.mozilla.org/en-US/docs/Building_SpiderMonkey_with_UBSan

We were able to execute the shell after changing 0x42 to 0x40 in js/src/vm/Interpreter.h 

At first we were able to do

> var k = 1
> k
1
> quit()

Oftentimes, when we restart the shell and run quit() as the first command, we get the following runtime error:

https://gist.github.com/yeukhon/5828922

Consequently, relaunching the shell and running `var k = 1` aborts as well. You can find the error messages in the same gist above.

Comment 1 (5 years ago)
(Changing 0x42 to 0x40 is a workaround for bug 885631.)
Hardware: x86 → x86_64
Updated (4 years ago)
Assignee: general → nobody