SpiderMonkey IonMonkey Type Confusion
Posted on 28 March 2019
A bug in IonMonkey's type inference system, triggered when JIT compiling a constructor function and entering it via on-stack replacement (OSR), allows the compilation of JITed functions that cause type confusions between arbitrary objects.