5 matches found
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit...
Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR
A bug in IonMonkey's type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between...
SpiderMonkey IonMonkey Type Confusion
Spidermonkey: IonMonkey's type inference is incorrect for constructors entered via OSR. Related CVE Numbers: CVE-2019-9791. A bug in IonMonkey's type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that...
Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR
A bug in IonMonkey's type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between...
Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR
A bug in IonMonkey's type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects. Prerequisites: 1. Spidermonkey can represent "plain" objects either as...