Closed Bug 1246589 Opened 9 years ago Closed 9 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:546 with ES6 Modules (getModuleEnvironmentValue)

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox47 --- affected

People

(Reporter: decoder, Assigned: jonco)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a0d0344ed47a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

c = parseModule("");
getModuleEnvironmentValue(c, "");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046aa5c in JSObject::as<js::ModuleEnvironmentObject> (this=<optimized out>) at js/src/jsobj.h:546
#0  0x000000000046aa5c in JSObject::as<js::ModuleEnvironmentObject> (this=<optimized out>) at js/src/jsobj.h:546
#1  0x0000000000b003bf in as<js::ModuleEnvironmentObject> (this=<optimized out>) at js/src/vm/ScopeObject.h:1393
#2  js::ModuleEnvironmentObject::getProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ScopeObject.cpp:667
#3  0x0000000000a9ce67 in GeneralizedGetProperty (vp=..., nameLookup=NotNameLookup, receiver=..., id=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.cpp:1962
#4  NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6907800, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2026
#5  0x0000000000a9d300 in js::NativeGetProperty (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2036
#6  0x0000000000b0044b in js::ModuleEnvironmentObject::getProperty (cx=0x7ffff6907800, obj=..., receiver=..., id=..., vp=...) at js/src/vm/ScopeObject.cpp:676
#7  0x00000000006f561a in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.h:1474
#8  js::GetProperty (cx=0x7ffff6907800, obj=..., receiver=..., id=..., vp=...) at js/src/jsobj.h:830
#9  0x0000000000a2d7f4 in GetModuleEnvironmentValue (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:3176
#10 0x0000000000aa1e02 in js::CallJSNative (cx=0x7ffff6907800, native=0xa2d600 <GetModuleEnvironmentValue(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7056

rax 0x0 0
rbx 0x7ffff7e6d1c0 140737352487360
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc720 140737488340768
rsp 0x7fffffffc720 140737488340768
r8 0x7ffff7fe07c0 140737354008512
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffc4e0 140737488340192
r11 0x7ffff6c27960 140737333328224
r12 0x7fffffffca90 140737488341648
r13 0x7ffff6907800 140737330051072
r14 0x7ffff3191090 140737271894160
r15 0x7fffffffc890 140737488341136
rip 0x46aa5c <JSObject::as<js::ModuleEnvironmentObject>()+28>
=> 0x46aa5c <JSObject::as<js::ModuleEnvironmentObject>()+28>: movl $0x222,0x0
   0x46aa67 <JSObject::as<js::ModuleEnvironmentObject>()+39>: callq 0x4a4690 <abort()>

This is probably a shell-only bug in the "getModuleEnvironmentValue" function.
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160203164427" and the hash "73107e62f038e173f8df92c8331609df6fa14f8f".
The "bad" changeset has the timestamp "20160203171727" and the hash "e0c8fb70a09566b8985d6414ccd06f51dcfd8d4c".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=73107e62f038e173f8df92c8331609df6fa14f8f&tochange=e0c8fb70a09566b8985d6414ccd06f51dcfd8d4c
Regression range suggests bug 1221144 regressed this, so NI from Jason as well.
Flags: needinfo?(jorendorff)
Currently ModuleEnvironmentObject and StaticModuleScope share the same Class. This causes a problem because the class has object hooks that assert they are only called on a ModuleEnvironmentObject. I don't think there's any reason these need to share the same class. Here's a patch to give StaticModuleScope its own class, just like StaticFunctionScope. The reason this ends up getting called at all is because the testing function GetModuleEnvironmentValue() calls GetProperty() on the environment object for an unknown property and the static scope object is the prototype. This is kind of iffy. Probably it should only attempt to get the own property of the environment object, but in practice there are not going to be any properties set on the prototype so I don't think it matters too much.
Assignee: nobody → jcoppeard
Flags: needinfo?(jorendorff)
Flags: needinfo?(jcoppeard)
Attachment #8717497 - Flags: review?(jorendorff)
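The failure mode described in the comment above, as an added illustration that is not SpiderMonkey's code and not part of this bug: a toy object model where a class hook written for one object type gets called on another object that merely shares its Class, because the generic property lookup walks the prototype chain. Type names, the `kind` tag and the `probe()` helper are constructed for this example; the real `as<T>()` aborts on `MOZ_ASSERT(this->is<T>())`, which the model turns into an exception so the outcome can be observed.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Toy model (constructed for illustration, not SpiderMonkey's code): objects carry a
// Class whose hooks the generic lookup calls, and as<T>() checks is<T>() before use.
struct Obj;
typedef bool (*GetPropHook)(Obj* obj, const std::string& id, int* vp);
struct Class { const char* name; GetPropHook getProperty; };
enum Kind { ModuleEnv, StaticScope };
struct ModuleEnvironmentObject { static constexpr Kind kind_ = ModuleEnv; };
struct StaticModuleScope { static constexpr Kind kind_ = StaticScope; };
struct Obj {
  Kind kind; const Class* clasp; Obj* proto;
  std::map<std::string, int> ownProps;
  template <class T> bool is() const { return kind == T::kind_; }
  // Real as<T>() aborts on MOZ_ASSERT(this->is<T>()); the model throws instead.
  template <class T> Obj& as() {
    if (!is<T>()) throw std::logic_error("Assertion failure: this->is<T>()");
    return *this;
  }
};
// Class hook written for ModuleEnvironmentObject only, like the one in ScopeObject.cpp.
static bool ModuleEnvGetProperty(Obj* obj, const std::string& id, int* vp) {
  Obj& env = obj->as<ModuleEnvironmentObject>();  // trips when obj is the static scope
  auto it = env.ownProps.find(id);
  if (it == env.ownProps.end()) return false;
  *vp = it->second; return true;
}
static const Class ModuleEnvClass = {"ModuleEnvironmentObject", ModuleEnvGetProperty};
static const Class StaticScopeClass = {"StaticModuleScope", nullptr};  // the fix: own Class
// Generic lookup: walk the prototype chain, calling each object's class hook if it has one.
static bool GetProperty(Obj* obj, const std::string& id, int* vp) {
  for (Obj* o = obj; o; o = o->proto) {
    if (o->clasp->getProperty) { if (o->clasp->getProperty(o, id, vp)) return true; }
    else if (o->ownProps.count(id)) { *vp = o->ownProps[id]; return true; }
  }
  return false;
}
// Unknown name on an environment whose prototype is its static scope, the shape of
// getModuleEnvironmentValue(c, "") in the testcase. Returns what the lookup did.
std::string probe(bool sharedClass) {
  Obj scope{StaticScope, sharedClass ? &ModuleEnvClass : &StaticScopeClass, nullptr, {}};
  Obj env{ModuleEnv, &ModuleEnvClass, &scope, {{"x", 1}}};
  int v = 0;
  try { return GetProperty(&env, "y", &v) ? "found" : "missing"; }
  catch (const std::logic_error&) { return "assertion"; }
}
```

With the shared Class the hook is reached for the static scope and the assertion fires; with a separate Class the lookup simply reports the property missing.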
Summary: Assertion failure: this->is<T>(), at js/src/jsobj.h:546 with ES6 Modules → Assertion failure: this->is<T>(), at js/src/jsobj.h:546 with ES6 Modules (getModuleEnvironmentValue)
Blocks: 1221144
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e355cacefc88).
Comment on attachment 8717497: bug1246589-static-module-scope

Review of attachment 8717497:
-----------------------------------------------------------------

Ah. Yeah, sorry about this. I could totally have done this as part of that bug. File under "Overconservatism, hazards of".
Attachment #8717497 - Flags: review?(jorendorff) → review+
Most of the patches in bug 1221144 bounced, and I don't think they can be salvaged. So this is moot.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME