Closed Bug 1245518 Opened 8 years ago Closed 8 years ago

Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor] with ES6 Modules and Debugger

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla47

Tracking Flags:

Tracking

Status

firefox47

---

fixed

People

(Reporter: decoder, Assigned: jonco)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

bug1245518-module-env-crash 8 years ago Jon Coppeard (:jonco) 9.70 KB, patch	shu : review+	Details \| Diff \| Splinter Review

Christian Holler (:decoder)

Reporter

Description

•

8 years ago

The following testcase crashes on mozilla-central revision 5f9ba76eb3b1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):

evalInFrame = function(global) {
  dbgGlobal = newGlobal();
  dbg = new dbgGlobal.Debugger();
  return function(upCount, code) {
    dbg.addDebuggee(global);
    frame = dbg.getNewestFrame().older;
    frame.eval(code);
  }
}(this);
m = parseModule(`
  function g() this.hours = 0;
  evalInFrame.call(0, 0, "g()")
`);
m.declarationInstantiation();
m.evaluation();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=0x7ffff6907800, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:626
#0  js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=0x7ffff6907800, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:626
#1  0x0000000000753ab4 in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., desc=desc@entry=...) at js/src/jsobj.cpp:2567
#2  0x0000000000861e1f in js::SetPropertyByDefining (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=..., v@entry=..., receiverValue=..., receiverValue@entry=..., result=...) at js/src/vm/NativeObject.cpp:2091
#3  0x0000000000862198 in SetNonexistentProperty (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=v@entry=..., receiver=receiver@entry=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2185
#4  0x0000000000877934 in js::NativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=id@entry=..., value=..., value@entry=..., receiver=..., receiver@entry=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2337
#5  0x00000000008a8711 in js::ModuleEnvironmentObject::setProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:618
#6  0x00000000007516a5 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=id@entry=..., v=..., v@entry=..., receiver=receiver@entry=..., result=...) at js/src/jsobj.cpp:1046
#7  0x00000000008c70e4 in SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.h:1487
#8  (anonymous namespace)::DebugScopeProxy::set (this=<optimized out>, cx=0x7ffff6907800, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:2197
#9  0x00000000007a60f5 in js::Proxy::set (cx=0x7ffff6907800, proxy=..., id=..., v=..., receiver_=..., result=...) at js/src/proxy/Proxy.cpp:324
#10 0x00000000007516a5 in JSObject::nonNativeSetProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1046
#11 0x00000000005232bd in js::jit::DoSetPropFallback (cx=0x7ffff6907800, frame=0x7fffffff9388, stub_=0x7ffff69a6058, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:4706
#12 0x00007ffff7ff0ea4 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax	0x8a3150	9056592
rbx	0x7ffff6907800	140737330051072
rcx	0x7fffffff8bb8	140737488325560
rdx	0x7fffffff9150	140737488326992
rsi	0x7fffffff8b50	140737488325456
rdi	0x7ffff6907800	140737330051072
rbp	0x7ffff6907800	140737330051072
rsp	0x7fffffff8a70	140737488325232
r8	0x7fffffff9150	140737488326992
r9	0x7fffffff9250	140737488327248
r10	0x12	18
r11	0x9033f230	2419323440
r12	0x7fffffff8b50	140737488325456
r13	0x7fffffff8bb8	140737488325560
r14	0x7fffffff8b40	140737488325440
r15	0x7fffffff8ba0	140737488325536
rip	0x8a3154 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>)+4>
=> 0x8a3154 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>)+4>:	movl   $0x272,0x0
   0x8a315f <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>)+15>:	callq  0x449fa0 <abort()>

Fuzzing Team

Updated

•

8 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Fuzzing Team

Comment 1

•

8 years ago

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150923073515" and the hash "f4233421a0091c7ff9da20e917e026bf60f93c8f".
The "bad" changeset has the timestamp "20150923075616" and the hash "db4c17553be905e5d4e3106718f61f7421b91994".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f4233421a0091c7ff9da20e917e026bf60f93c8f&tochange=db4c17553be905e5d4e3106718f61f7421b91994

Jon Coppeard (:jonco)

Assignee

Updated

•

8 years ago

Assignee: nobody → jcoppeard

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Comment 2

•

8 years ago

Going to assume that this is related to bug 930414 as per comment 1.

Blocks: 930414

Jon Coppeard (:jonco)

Assignee

Comment 3

•

8 years ago

Attached patch bug1245518-module-env-crash — Details — Splinter Review

I guess I do need to implement that hook after all.

I split out NativeGetOwnPropertyDescriptor() from GetOwnPropertyDescriptor() along the same lines as e.g. DefineProperty() which checks for one of these hooks before calling NativeDefineProperty().

Attachment #8715726 - Flags: review?(shu)

Shu-yu Guo [:shu]

Comment 4

•

8 years ago

Comment on attachment 8715726 [details] [diff] [review]
bug1245518-module-env-crash

Review of attachment 8715726 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/NativeObject.cpp
@@ +1719,5 @@
> +    desc.object().set(obj);
> +    desc.assertComplete();
> +    return true;
> +}
> +

Add another newline here. Convention of this file.

::: js/src/vm/NativeObject.h
@@ -1394,5 @@
>  
>  extern bool
>  NativeDeleteProperty(JSContext* cx, HandleNativeObject obj, HandleId id, ObjectOpResult& result);
>  
> -

Nit: extra newline is intentional, don't remove

Attachment #8715726 - Flags: review?(shu) → review+

Pulsebot

Comment 5

•

8 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/c633b6d3613b

Phil Ringnalda (:philor)

Comment 6

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/c633b6d3613b

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox47: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla47

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor] with ES6 Modules and Debugger

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Assigned: jonco)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type