Closed
Bug 1236875
Opened 8 years ago
Closed 8 years ago
Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor] with ES6 Modules
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
1.28 KB,
patch
|
efaust
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
function Function(source) {
m = parseModule(source)
m.declarationInstantiation()
}
Function(`{ function assertWarning() {} }`);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab7b4c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:503
#0 0x0000000000ab7b4c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:503
#1 0x000000000094fd09 in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., desc=...) at js/src/jsobj.cpp:2564
#2 0x0000000000a7f4e8 in js::SetPropertyByDefining (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=..., v@entry=..., receiverValue=..., receiverValue@entry=..., result=...) at js/src/vm/NativeObject.cpp:2086
#3 0x0000000000a7f9c1 in SetNonexistentProperty (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=..., receiver=receiver@entry=..., qualified=<optimized out>, result=...) at js/src/vm/NativeObject.cpp:2180
#4 0x0000000000a96e6d in js::NativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=id@entry=..., value=..., value@entry=..., receiver=..., receiver@entry=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2351
#5 0x0000000000abfeac in js::ModuleEnvironmentObject::setProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:495
#6 0x0000000000944dc6 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=id@entry=..., v=..., v@entry=..., receiver=receiver@entry=..., result=...) at js/src/jsobj.cpp:1046
#7 0x00000000008631da in SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.h:1487
#8 SetProperty (v=..., name=0x7ffff7e7bbf8, obj=..., cx=0x7ffff6907800) at js/src/jsobj.h:917
#9 js::ModuleObject::instantiateFunctionDeclarations (cx=cx@entry=0x7ffff6907800, self=..., self@entry=...) at js/src/builtin/ModuleObject.cpp:788
#10 0x0000000000af189f in intrinsic_InstantiateModuleFunctionDeclarations (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7fffffffb128) at js/src/vm/SelfHosting.cpp:1324
#11 0x0000000000a9b242 in js::CallJSNative (cx=0x7ffff6907800, native=0xaf1820 <intrinsic_InstantiateModuleFunctionDeclarations(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x0000000000a938c7 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:460
#13 0x0000000000a94569 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffb5e8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:512
#14 0x00000000006038be in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffb678, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb5d8, res=...) at js/src/jit/BaselineIC.cpp:6184
#15 0x00007ffff7ff195f in ?? ()
[...]
#47 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff6907800 140737330051072
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffa930 140737488333104
rsp 0x7fffffffa930 140737488333104
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffa6f0 140737488332528
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff6907800 140737330051072
r13 0x7fffffffaed0 140737488334544
r14 0x7fffffffaa10 140737488333328
r15 0x7fffffffaa70 140737488333424
rip 0xab7b4c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>
=> 0xab7b4c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>: movl $0x1f7,0x0
0xab7b57 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+39>: callq 0x4a4a90 <abort()>
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → jcoppeard
|
|
Assignee | |
Comment 1•8 years ago
|
||
This is a hangover from the time when a module parsed as a series of statements under an implicitly generated block node so |stmt| would never be nullptr inside a module. And it wasn't even correct then either.
Attachment #8704179 -
Flags: review?(efaustbmo)
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 2•8 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151218124430" and the hash "dd319db81bb855825d851b344fd2da070f1a7e74". The "bad" changeset has the timestamp "20151218131930" and the hash "c7a3d4a1a2f817865caeb0004f918d77c728f91e". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd319db81bb855825d851b344fd2da070f1a7e74&tochange=c7a3d4a1a2f817865caeb0004f918d77c728f91e
Jon, which bug will be the real regressor here? Is that window correct? (See comment 2)
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 4•8 years ago
|
||
It seems it wasn't as I originally thought. The problem was in bug 1193583, but it wasn't until but 1071646 that this method was used in a way that triggered this issue.
Flags: needinfo?(jcoppeard)
|
||
Comment 5•8 years ago
|
||
Comment on attachment 8704179 [details] [diff] [review] bug1236875-block-scoped-function Review of attachment 8704179 [details] [diff] [review]: ----------------------------------------------------------------- APPROVED.
Attachment #8704179 -
Flags: review?(efaustbmo) → review+
|
||
Comment 7•8 years ago
|
||
There's very few things that make me happier than fixing bugs by removing code. Go you!
|
||
Comment 8•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/933aec41699a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•