Closed Bug 1247934 Opened 4 years ago Closed 4 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:546 with ES6 Modules import/export

Categories: Core :: JavaScript Engine
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Target Milestone: mozilla47
Tracking Status: firefox47 --- fixed

People: Reporter: decoder, Assigned: jonco

References: Blocks 1 open bug

Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 576a6dcde5b6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --unboxed-arrays):

// js shell testing functions: the resolve hook maps an import specifier
// to a module record stored in moduleRepo.
let moduleRepo = {};
setModuleResolveHook(function(module, specifier) {
    return moduleRepo[specifier];
});
// Make Ion compile after 50 warm-up iterations instead of the default.
setJitCompilerOption("ion.warmup.trigger", 50);
// Build a module source with 1024 exports (e0 .. e1023).
s = "";
for (i = 0; i < 1024; i++) s += "export let e" + i + "\n";
moduleRepo['a'] = parseModule(s);
// Instantiate a module that imports the namespace object of 'a'; the
// namespace object is built from a's exports array.
parseModule("import * as ns from 'a'").declarationInstantiation();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046b236 in JSObject::as<js::ArrayObject> (this=<optimized out>) at js/src/jsobj.h:546
#0  0x000000000046b236 in JSObject::as<js::ArrayObject> (this=<optimized out>) at js/src/jsobj.h:546
#1  0x0000000000b0df9f in as<js::ArrayObject> (this=<optimized out>) at js/src/debug64/dist/include/js/RootingAPI.h:683
#2  intrinsic_NewModuleNamespace (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:1637
#3  0x0000000000aadd82 in js::CallJSNative (cx=0x7ffff6907800, native=0xb0de20 <intrinsic_NewModuleNamespace(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#40 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6907800	140737330051072
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff9dd0	140737488330192
rsp	0x7fffffff9dd0	140737488330192
r8	0x7ffff7fe07c0	140737354008512
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff9b90	140737488329616
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff6907818	140737330051096
r13	0x7fffffff9e00	140737488330240
r14	0x7ffff517c2f0	140737305363184
r15	0x7ffff6907800	140737330051072
rip	0x46b236 <JSObject::as<js::ArrayObject>()+28>
=> 0x46b236 <JSObject::as<js::ArrayObject>()+28>:	movl   $0x222,0x0
   0x46b241 <JSObject::as<js::ArrayObject>()+39>:	callq  0x4a4f50 <abort()>
This assertion happens because the exports array we receive from the self-hosted parts of the implementation can be an unboxed array.

The patch removes the use of ArrayObject for this object and uses more generic functions to access its contents.
Assignee: nobody → jcoppeard
Attachment #8718847 - Flags: review?(shu)
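An added model of the pattern behind this assertion and of the fix; this is example code, not SpiderMonkey's. The names ArrayObject and UnboxedArrayObject are borrowed only as labels, and every function and member below (Object, exportNamesViaDowncast, exportNamesGeneric, downcastWouldAssert, makeBoxedExports, makeUnboxedExports, length, getElement) is a stand-in. JSObject::as<T>() guards a static_cast with MOZ_ASSERT(this->is<T>()), and that assertion is compiled out of optimized builds, so applying as<ArrayObject>() to an unboxed array aborts in a debug build and is an unchecked type confusion in a release build. The fix's approach of reading the exports through representation-independent accessors instead of the downcast is mirrored here by length()/getElement():

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

enum class Kind { ArrayObject, UnboxedArrayObject };

// Minimal stand-in for JSObject: a kind tag, the checked-downcast template,
// and a representation-independent element interface.
struct Object {
    explicit Object(Kind k) : kind_(k) {}
    Object(const Object&) = default;
    virtual ~Object() = default;

    template <class T> bool is() const { return kind_ == T::KIND; }

    // Checked downcast. The assert is the one that fired in the report; with
    // NDEBUG it is compiled out and a wrong-kind object is silently read
    // through T's layout.
    template <class T> const T& as() const {
        assert(this->is<T>());
        return *static_cast<const T*>(this);
    }

    // Generic accessors, valid for every representation.
    virtual size_t length() const = 0;
    virtual const std::string& getElement(size_t i) const = 0;

  private:
    Kind kind_;
};

// Boxed array: elements are full Values held in the object's own slots.
struct ArrayObject : Object {
    static constexpr Kind KIND = Kind::ArrayObject;
    std::vector<std::string> values;   // stand-in for boxed element Values
    ArrayObject() : Object(KIND) {}
    size_t length() const override { return values.size(); }
    const std::string& getElement(size_t i) const override { return values.at(i); }
};

// Unboxed array: the same JS-visible contents in a different layout, so
// ArrayObject's accessors must not be applied to it.
struct UnboxedArrayObject : Object {
    static constexpr Kind KIND = Kind::UnboxedArrayObject;
    std::vector<std::string> storage;  // stand-in for unboxed element storage
    UnboxedArrayObject() : Object(KIND) {}
    size_t length() const override { return storage.size(); }
    const std::string& getElement(size_t i) const override { return storage.at(i); }
};

// Pre-fix shape (modelled, not quoted): trusts that the exports array
// handed over by self-hosted code is always a boxed ArrayObject.
std::vector<std::string> exportNamesViaDowncast(const Object& exports) {
    const ArrayObject& arr = exports.as<ArrayObject>();
    return arr.values;
}

// Post-fix shape: reads through the generic interface and never downcasts,
// so a boxed or an unboxed exports array both work.
std::vector<std::string> exportNamesGeneric(const Object& exports) {
    std::vector<std::string> names;
    for (size_t i = 0; i < exports.length(); i++)
        names.push_back(exports.getElement(i));
    return names;
}

// True when as<ArrayObject>() would fail its assertion on this object
// (or, with assertions compiled out, read it through the wrong layout).
bool downcastWouldAssert(const Object& exports) {
    return !exports.is<ArrayObject>();
}

// Both representations of an export list e0..e(n-1), echoing the
// testcase's generated "export let e<i>" declarations (constructed data).
ArrayObject makeBoxedExports(size_t n) {
    ArrayObject a;
    for (size_t i = 0; i < n; i++) a.values.push_back("e" + std::to_string(i));
    return a;
}

UnboxedArrayObject makeUnboxedExports(size_t n) {
    UnboxedArrayObject u;
    for (size_t i = 0; i < n; i++) u.storage.push_back("e" + std::to_string(i));
    return u;
}

int main() {
    // Mirrors the report: under --unboxed-arrays the exports array may be
    // unboxed, so the downcast path is unsafe while the generic path works.
    UnboxedArrayObject unboxed = makeUnboxedExports(1024);
    assert(downcastWouldAssert(unboxed));
    assert(exportNamesGeneric(unboxed).size() == 1024);
    ArrayObject boxed = makeBoxedExports(1024);
    assert(exportNamesViaDowncast(boxed) == exportNamesGeneric(boxed));
    return 0;
}
```

The point to carry over when reviewing similar code is that an is<T>() check only protects a downcast when it runs in every build; a value produced by a different component (here, self-hosted JS whose array representation depends on a runtime option) should be consumed through an interface that is valid for all of its representations, as the patch does.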
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment on attachment 8718847 [details] [diff] [review]
bug1247934-unboxed-exports-array

Review of attachment 8718847 [details] [diff] [review]:
-----------------------------------------------------------------

Good find. Kind of hard to foresee.
Attachment #8718847 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/d320678c4fab
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47