Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor] with ES6 Modules

RESOLVED FIXED in Firefox 46

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: decoder, Assigned: jonco)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla46
Platform: x86_64
OS: Linux
Keywords: crash, regression, testcase

Firefox Tracking Flags

(firefox46 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

// Shadows the global Function constructor; the name is a fuzzer artifact and
// plays no part in the crash. parseModule() is a JS shell builtin.
function Function(source) {
    m = parseModule(source)
    m.declarationInstantiation()   // reaches ModuleObject::instantiateFunctionDeclarations (frame #9 below)
}
// Module source containing a block-scoped function declaration.
Function(`{ function assertWarning() {} }`);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab7b4c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:503
#0  0x0000000000ab7b4c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:503
#1  0x000000000094fd09 in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., desc=...) at js/src/jsobj.cpp:2564
#2  0x0000000000a7f4e8 in js::SetPropertyByDefining (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=..., v@entry=..., receiverValue=..., receiverValue@entry=..., result=...) at js/src/vm/NativeObject.cpp:2086
#3  0x0000000000a7f9c1 in SetNonexistentProperty (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=..., receiver=receiver@entry=..., qualified=<optimized out>, result=...) at js/src/vm/NativeObject.cpp:2180
#4  0x0000000000a96e6d in js::NativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=id@entry=..., value=..., value@entry=..., receiver=..., receiver@entry=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2351
#5  0x0000000000abfeac in js::ModuleEnvironmentObject::setProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:495
#6  0x0000000000944dc6 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=id@entry=..., v=..., v@entry=..., receiver=receiver@entry=..., result=...) at js/src/jsobj.cpp:1046
#7  0x00000000008631da in SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.h:1487
#8  SetProperty (v=..., name=0x7ffff7e7bbf8, obj=..., cx=0x7ffff6907800) at js/src/jsobj.h:917
#9  js::ModuleObject::instantiateFunctionDeclarations (cx=cx@entry=0x7ffff6907800, self=..., self@entry=...) at js/src/builtin/ModuleObject.cpp:788
#10 0x0000000000af189f in intrinsic_InstantiateModuleFunctionDeclarations (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7fffffffb128) at js/src/vm/SelfHosting.cpp:1324
#11 0x0000000000a9b242 in js::CallJSNative (cx=0x7ffff6907800, native=0xaf1820 <intrinsic_InstantiateModuleFunctionDeclarations(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x0000000000a938c7 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:460
#13 0x0000000000a94569 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffb5e8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:512
#14 0x00000000006038be in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffb678, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb5d8, res=...) at js/src/jit/BaselineIC.cpp:6184
#15 0x00007ffff7ff195f in ?? ()
[...]
#47 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6907800	140737330051072
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffa930	140737488333104
rsp	0x7fffffffa930	140737488333104
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffa6f0	140737488332528
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff6907800	140737330051072
r13	0x7fffffffaed0	140737488334544
r14	0x7fffffffaa10	140737488333328
r15	0x7fffffffaa70	140737488333424
rip	0xab7b4c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>
=> 0xab7b4c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>:	movl   $0x1f7,0x0
   0xab7b57 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+39>:	callq  0x4a4a90 <abort()>
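As an added triage aid (editor's example, not part of the bug report or of SpiderMonkey), the script below parses gdb backtrace frames and the faulting-instruction disassembly of the kind quoted above, builds a crash-stats style signature, and reports whether the crash is a deliberate abort. The `movl $0x1f7,0x0` immediately followed by `callq abort()` is the shape of MOZ_CRASH-style failure handling, which stores the source line number to address 0 before aborting; 0x1f7 is 503, matching ScopeObject.cpp:503 in frame #0, so this is a controlled crash rather than a wild memory access. The sample inputs are constructed from lines on this page (symbol names in the disassembly shortened); the frame regex, the signature depth and the result keys are the editor's choices.

```python
import re

# Constructed sample input: frames quoted in the bug report above. Frame 8 is an
# inlined frame that gdb prints without an address.
SAMPLE_BACKTRACE = """\
#0  0x0000000000ab7b4c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:503
#1  0x000000000094fd09 in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., desc=...) at js/src/jsobj.cpp:2564
#8  SetProperty (v=..., name=0x7ffff7e7bbf8, obj=..., cx=0x7ffff6907800) at js/src/jsobj.h:917
#15 0x00007ffff7ff195f in ?? ()
"""

# Constructed sample input: the faulting instruction and its successor from the
# report (symbol text shortened to "(...)").
SAMPLE_DISASM = (
    "=> 0xab7b4c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(...)+28>:\tmovl   $0x1f7,0x0\n"
    "   0xab7b57 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(...)+39>:\tcallq  0x4a4a90 <abort()>\n"
)

# One gdb frame: "#N  [0xADDR in ]FUNC (ARGS)[ at FILE:LINE]".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x(?P<addr>[0-9a-f]+) in )?"
    r"(?P<func>.+?) \((?P<args>.*)\)"
    r"(?: at (?P<file>[^:\s]+):(?P<line>\d+))?$"
)

# A store of an immediate to absolute address 0 (AT&T syntax), as emitted for
# MOZ_CRASH-style aborts that record the source line before calling abort().
NULL_STORE_RE = re.compile(r"\bmovl\s+\$0x(?P<imm>[0-9a-f]+),0x0$")


def parse_backtrace(text):
    """Turn gdb 'bt' output into a list of frame dicts; lines that are not
    frames (such as '[...]' or register dumps) are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append({
            "num": int(m["num"]),
            "addr": int(m["addr"], 16) if m["addr"] else None,
            "func": m["func"],
            "file": m["file"],
            "line": int(m["line"]) if m["line"] else None,
        })
    return frames


def crash_signature(frames, depth=3):
    """Crash-stats style signature: the top symbolised frames joined by ' | '."""
    names = [f["func"] for f in frames if f["func"] != "??"]
    return " | ".join(names[:depth])


def classify_crash(frames, disasm):
    """Report whether the faulting instruction is a deliberate abort (store of the
    source line number to address 0, followed by abort()) whose stored line agrees
    with frame #0, or something that needs manual inspection."""
    lines = disasm.splitlines()
    faulting = next((l for l in lines if l.startswith("=>")), "")
    store = NULL_STORE_RE.search(faulting)
    calls_abort = any("<abort()>" in l for l in lines)
    if store and calls_abort and frames:
        stored_line = int(store["imm"], 16)
        return {
            "kind": "deliberate-abort",
            "stored_line": stored_line,
            "line_matches_frame0": stored_line == frames[0]["line"],
        }
    return {"kind": "needs-inspection", "stored_line": None, "line_matches_frame0": False}


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    print("signature:", crash_signature(frames))
    print(classify_crash(frames, SAMPLE_DISASM))
```

A "deliberate-abort" result with a matching line number means the assertion or MOZ_CRASH at that source line fired; the fix then lives in the logic that led there, not in memory safety. Anything else should be looked at by hand before a severity is assigned.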
(Assignee)

Updated

2 years ago
Assignee: nobody → jcoppeard
(Assignee)

Comment 1

2 years ago
Created attachment 8704179 [details] [diff] [review]
bug1236875-block-scoped-function

This is a hangover from the time when a module parsed as a series of statements under an implicitly generated block node so |stmt| would never be nullptr inside a module.  And it wasn't even correct then either.
Attachment #8704179 - Flags: review?(efaustbmo)

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 2

2 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151218124430" and the hash "dd319db81bb855825d851b344fd2da070f1a7e74".
The "bad" changeset has the timestamp "20151218131930" and the hash "c7a3d4a1a2f817865caeb0004f918d77c728f91e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd319db81bb855825d851b344fd2da070f1a7e74&tochange=c7a3d4a1a2f817865caeb0004f918d77c728f91e

Comment 3

2 years ago
Jon, which bug will be the real regressor here? Is that window correct? (See comment 2)
Flags: needinfo?(jcoppeard)
(Assignee)

Comment 4

2 years ago
It seems it wasn't as I originally thought.  The problem was in bug 1193583, but it wasn't until bug 1071646 that this method was used in a way that triggered this issue.
Flags: needinfo?(jcoppeard)

Comment 5

2 years ago
Comment on attachment 8704179 [details] [diff] [review]
bug1236875-block-scoped-function

Review of attachment 8704179 [details] [diff] [review]:
-----------------------------------------------------------------

APPROVED.
Attachment #8704179 - Flags: review?(efaustbmo) → review+
There are very few things that make me happier than fixing bugs by removing code. Go you!

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/933aec41699a
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox46: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46