Closed Bug 885633 Opened 11 years ago Closed 2 months ago

Misaligned access to various integer types in JS assembler

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect

RESOLVED INCOMPLETE

People

(Reporter: yeukhon, Unassigned)

Details

(Whiteboard: [-fsanitize=alignment])

We are encountering this bug after building the JS shell as described in this MDN page: https://developer.mozilla.org/en-US/docs/Building_SpiderMonkey_with_UBSan

We were able to execute the shell after changing 0x42 to 0x40 in js/src/vm/Interpreter.h

At first we were able to do

> var k = 1
> k
1
> quit()

Often, when we restart the shell and do a quit as the first command, we get the following runtime error:

https://gist.github.com/yeukhon/5828922

Consequently, relaunching the shell and doing var k = 1 will abort as well. You can find the error messages in the same gist above.
(Changing 0x42 to 0x40 is a workaround for bug 885631.)
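The class of defect the bug title names (an assembler storing or loading a multi-byte integer at a byte offset that is not a multiple of its size, which is what -fsanitize=alignment reports) is illustrated below. This is an added example and not SpiderMonkey code, and it makes no claim about the actual root cause of this bug; the buffer layout, the opcode byte 0xB8 and the function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: one opcode byte followed by a 32-bit immediate, so the
   immediate starts at offset 1 and is never 4-byte aligned. */
#define IMM_OFFSET 1

/* The pattern -fsanitize=alignment reports: a byte pointer is cast to
   uint32_t* and dereferenced although the address is not 4-byte aligned.
   Kept only to show the shape of the defect; never called by the tests. */
static uint32_t read_imm32_misaligned(const uint8_t *code, size_t off) {
    return *(const uint32_t *)(code + off);   /* UB when (code+off) % 4 != 0 */
}

/* Portable fix: copy the bytes into a correctly aligned local. On x86_64 the
   compiler lowers this to one unaligned load, so there is no runtime cost. */
static uint32_t read_imm32(const uint8_t *code, size_t off) {
    uint32_t v;
    memcpy(&v, code + off, sizeof v);
    return v;
}

static void write_imm32(uint8_t *code, size_t off, uint32_t v) {
    memcpy(code + off, &v, sizeof v);
}

/* Cheap check a helper can use before it ever performs a direct (typed) access. */
static int is_aligned(const void *p, size_t align) {
    return ((uintptr_t)p % align) == 0;
}

/* Returns whether the immediate slot of a 4-byte-aligned buffer is itself
   aligned to 4. With IMM_OFFSET == 1 it is not, which is the bug's trigger. */
static int imm_slot_is_aligned(void) {
    static _Alignas(4) uint8_t code[8];
    return is_aligned(code + IMM_OFFSET, 4);
}

/* Emit "opcode, imm32" into a fresh buffer and read the immediate back
   through the memcpy-based accessors. */
static uint32_t roundtrip_imm32(uint32_t imm) {
    _Alignas(4) uint8_t code[8] = {0};
    code[0] = 0xB8;                 /* illustrative opcode byte (mov eax, imm32 on x86) */
    write_imm32(code, IMM_OFFSET, imm);
    return read_imm32(code, IMM_OFFSET);
}

int main(void) {
    (void)read_imm32_misaligned;    /* referenced only so the compiler does not warn */
    printf("immediate slot aligned to 4: %d\n", imm_slot_is_aligned());
    printf("roundtrip 0x%08x -> 0x%08x\n", 0xDEADBEEFu, roundtrip_imm32(0xDEADBEEFu));
    return 0;
}
```

Building the same program with `-fsanitize=alignment` and calling read_imm32_misaligned on the slot produces a "misaligned address" report from UBSan, while the memcpy-based accessors are silent; the memcpy form is the usual fix for code-buffer emitters and patchers.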
Hardware: x86 → x86_64
Assignee: general → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → INCOMPLETE