Closed Bug 1209008 Opened 9 years ago Closed 9 years ago

Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1209107
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

x = true;
function testInitialEnvironment(source, expected) {
    let m = parseModule(source);
    let scope = m.initialEnvironment;
    assertEq(x.a, scope);
}
testInitialEnvironment('export let x = 1;', ['x']);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000720b1c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:488
#0  0x0000000000720b1c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:488
#1  0x0000000000b4d7bf in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., id=id@entry=..., desc=...) at js/src/jsobj.cpp:2546
#2  0x0000000000573c65 in js::ObjectToSource (cx=cx@entry=0x7ffff6907000, obj=obj@entry=...) at js/src/builtin/Object.cpp:195
#3  0x0000000000bd3e86 in js::ValueToSource (cx=cx@entry=0x7ffff6907000, v=..., v@entry=...) at js/src/jsstr.cpp:4357
#4  0x0000000000b1a36c in JS_ValueToSource (cx=cx@entry=0x7ffff6907000, value=value@entry=...) at js/src/jsapi.cpp:469
#5  0x000000000047e5eb in ToSource (cx=cx@entry=0x7ffff6907000, vp=..., vp@entry=..., bytes=bytes@entry=0x7fffffffcbd0) at js/src/shell/js.cpp:1602
#6  0x000000000047ec08 in AssertEq (cx=0x7ffff6907000, argc=2, vp=0x7ffff47fc148) at js/src/shell/js.cpp:1633
#7  0x0000000000705f32 in js::CallJSNative (cx=0x7ffff6907000, native=0x47eac0 <AssertEq(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x00000000006fb163 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#9  0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#10 0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#11 0x00000000007009d4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
#12 0x0000000000700d29 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
#13 0x0000000000b650db in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4379
#14 0x0000000000b651fb in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4410
#15 0x00000000004288cb in RunFile (compileOnly=false, file=0x7ffff699ac00, filename=0x7fffffffe047 "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:462
#16 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe047 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:580
#17 0x0000000000477324 in ProcessArgs (op=0x7fffffffdae0, cx=0x7ffff6907000) at js/src/shell/js.cpp:5863
#18 Shell (envp=<optimized out>, op=0x7fffffffdae0, cx=0x7ffff6907000) at js/src/shell/js.cpp:6161
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6517
rax	0x0	0
rbx	0x7ffff6907000	140737330049024
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc4c0	140737488340160
rsp	0x7fffffffc4c0	140737488340160
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffc280	140737488339584
r11	0x7ffff6c27960	140737333328224
r12	0x0	0
r13	0x7ffff6907000	140737330049024
r14	0x7fffffffca00	140737488341504
r15	0x7fffffffc700	140737488340736
rip	0x720b1c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>
=> 0x720b1c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>:	movl   $0x1e8,0x0
   0x720b27 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+39>:	callq  0x4974e0 <abort()>

This issue seems different from bug 1208890 (different stack and test).
needinfo'ing jonco, as it involves modules
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0773712473c9
user: Jon Coppeard
date: Mon Aug 24 15:58:36 2015 +0100
summary: Bug 930414 - Hook up module environements, alising everything at top level for now r=shu

This iteration took 240.574 seconds to run.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE