1208890 - Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor]

Status: RESOLVED DUPLICATE of bug 1209107

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Adapted from randomly chosen test: js/src/jit-test/tests/modules/module-declaration-instantiation.js
x = parseModule("");
x.declarationInstantiation();
x.environment.s = function() {};

crashes js debug and opt shell on m-c changeset 94c804ef40d8 with --fuzzing-safe --no-threads --no-ion --no-baseline at js::ModuleEnvironmentObject::getOwnPropertyDescriptor

Configure options: (debug)

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 94c804ef40d8

Configure options: (opt)

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build" -r 94c804ef40d8

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e110a99894b4
user:        Jon Coppeard
date:        Wed Sep 23 15:47:40 2015 +0100
summary:     Bug 930414 - Implement ModuleDeclarationInstantiation method r=shu

Jon, is bug 930414 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: opt shell stack

(lldb) bt 5
* thread #1: tid = 0x5f219e, 0x00000001001eb6c1 js-64-dm-nsprBuild-darwin-94c804ef40d8`js::ModuleEnvironmentObject::getOwnPropertyDescriptor(cx=0x0000000101a53400, obj=JS::HandleObject @ rsi, id=JS::HandleId @ rdx, desc=MutableHandle<JSPropertyDescriptor> @ rcx) + 1 at ScopeObject.cpp:488, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001eb6c1 js-64-dm-nsprBuild-darwin-94c804ef40d8`js::ModuleEnvironmentObject::getOwnPropertyDescriptor(cx=0x0000000101a53400, obj=JS::HandleObject @ rsi, id=JS::HandleId @ rdx, desc=MutableHandle<JSPropertyDescriptor> @ rcx) + 1 at ScopeObject.cpp:488
    frame #1: 0x00000001005024ee js-64-dm-nsprBuild-darwin-94c804ef40d8`js::GetOwnPropertyDescriptor(cx=0x0000000101a53400, obj=<unavailable>, id=<unavailable>, desc=<unavailable>) + 62 at jsobj.cpp:2546
    frame #2: 0x00000001001c47a1 js-64-dm-nsprBuild-darwin-94c804ef40d8`js::SetPropertyByDefining(cx=0x0000000101a53400, obj=<unavailable>, id=<unavailable>, v=JS::HandleValue @ rbp, receiverValue=<unavailable>, result=0x00007fff5fbfeef0) + 289 at NativeObject.cpp:2066
    frame #3: 0x00000001001c5e1e js-64-dm-nsprBuild-darwin-94c804ef40d8`SetNonexistentProperty(cx=0x0000000101a53400, obj=<unavailable>, id=<unavailable>, v=JS::HandleValue @ r14, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 478 at NativeObject.cpp:2160
    frame #4: 0x00000001001c54c2 js-64-dm-nsprBuild-darwin-94c804ef40d8`js::NativeSetProperty(cx=0x0000000101a53400, obj=<unavailable>, id=JS::HandleId @ r14, value=<unavailable>, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 1154 at NativeObject.cpp:2333
(lldb) dis -p
js-64-dm-nsprBuild-darwin-94c804ef40d8`js::ModuleEnvironmentObject::getOwnPropertyDescriptor:
->  0x1001eb6c1 <+1>:  movl   $0x1e8, 0x0
    0x1001eb6cc <+12>: callq  0x1006b9a74               ; symbol stub for: abort
    0x1001eb6d1 <+17>: nopw   %cs:(%rax,%rax)

js-64-dm-nsprBuild-darwin-94c804ef40d8`js::ModuleEnvironmentObject::deleteProperty:
    0x1001eb6e0 <+0>:  movq   %rcx, %rdi
(lldb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug shell stack

(lldb) bt 5
* thread #1: tid = 0x5f2779, 0x000000010034423a js-dbg-64-dm-nsprBuild-darwin-94c804ef40d8`js::ModuleEnvironmentObject::getOwnPropertyDescriptor(cx=<unavailable>, obj=<unavailable>, id=<unavailable>, desc=<unavailable>) + 58 at ScopeObject.cpp:488, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010034423a js-dbg-64-dm-nsprBuild-darwin-94c804ef40d8`js::ModuleEnvironmentObject::getOwnPropertyDescriptor(cx=<unavailable>, obj=<unavailable>, id=<unavailable>, desc=<unavailable>) + 58 at ScopeObject.cpp:488
    frame #1: 0x0000000100850564 js-dbg-64-dm-nsprBuild-darwin-94c804ef40d8`js::GetOwnPropertyDescriptor(cx=0x000000010294c400, obj=<unavailable>, id=<unavailable>, desc=<unavailable>) + 68 at jsobj.cpp:2546
    frame #2: 0x00000001002f301b js-dbg-64-dm-nsprBuild-darwin-94c804ef40d8`js::SetPropertyByDefining(cx=0x000000010294c400, obj=<unavailable>, id=<unavailable>, v=JS::HandleValue @ 0x00007fff5fbfe4c8, receiverValue=<unavailable>, result=0x00007fff5fbfed70) + 251 at NativeObject.cpp:2066
    frame #3: 0x00000001002f4cff js-dbg-64-dm-nsprBuild-darwin-94c804ef40d8`SetNonexistentProperty(cx=0x000000010294c400, obj=<unavailable>, id=<unavailable>, v=JS::HandleValue @ r14, receiver=<unavailable>, qualified=<unavailable>, result=<unavailable>) + 559 at NativeObject.cpp:2160
    frame #4: 0x00000001002f3fef js-dbg-64-dm-nsprBuild-darwin-94c804ef40d8`js::NativeSetProperty(cx=0x000000010294c400, obj=<unavailable>, id=JS::HandleId @ 0x00007fff5fbfe650, value=<unavailable>, receiver=JS::HandleValue @ 0x00007fff5fbfe640, qualified=Qualified, result=<unavailable>) + 415 at NativeObject.cpp:2316
(lldb)

Comment 3

[Jon Coppeard (:jonco)]

This is because we currently expose the module environement object for testing purposes.  The fix is to hide this behind a testing function in a way that doesn't allow us to assign to it like this.