Closed
Bug 1287410
Opened 8 years ago
Closed 8 years ago
Crash [@ js::NativeObject::lookup] with ES6 Modules
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
People
(Reporter: decoder, Assigned: jonco)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
12.14 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
11.41 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): let moduleRepo = {}; setModuleResolveHook(function(module, specifier) { if (specifier in moduleRepo) return moduleRepo[specifier]; throw "Module '" + specifier + "' not found"; }); let a = moduleRepo['a'] = parseModule("export var a = 1; export var b = 2;"); let b = moduleRepo['b'] = parseModule("export var b = 3; export var c = 4;"); let c = moduleRepo['c'] = parseModule("export * from 'a'; export * from 'b';"); c.declarationInstantiation(); eval(` let a = moduleRepo['a'] = parseModule("export var a = 1; export var b = 2;"); let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;"); d.declarationInstantiation(); `); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000abcd8b in js::NativeObject::lookup (this=0x0, cx=cx@entry=0x7ffff6965000, id=...) at js/src/vm/NativeObject.cpp:233 #0 0x0000000000abcd8b in js::NativeObject::lookup (this=0x0, cx=cx@entry=0x7ffff6965000, id=...) at js/src/vm/NativeObject.cpp:233 #1 0x0000000000c320f7 in js::IndirectBindingMap::putNew (this=0x7ffff69ae440, cx=cx@entry=0x7ffff6965000, name=..., name@entry=..., environment=..., environment@entry=..., localName=..., localName@entry=...) at js/src/builtin/ModuleObject.cpp:239 #2 0x0000000000b02057 in js::ModuleEnvironmentObject::createImportBinding (this=0x7ffff7e78400, cx=cx@entry=0x7ffff6965000, importName=..., importName@entry=..., module=..., module@entry=..., localName=..., localName@entry=...) at js/src/vm/ScopeObject.cpp:532 #3 0x0000000000b0d7e4 in intrinsic_CreateImportBinding (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7fffffffb478) at js/src/vm/SelfHosting.cpp:2148 #4 0x0000000000aa7424 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0xb0d660 <intrinsic_CreateImportBinding(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232 [...] #47 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff69ae440 140737330734144 rcx 0x7fffffffaef0 140737488334576 rdx 0x7ffff7e00940 140737352042816 rsi 0x7ffff6965000 140737330434048 rdi 0x0 0 rbp 0x7fffffffadc0 140737488334272 rsp 0x7fffffffada0 140737488334240 r8 0x7fffffffaed0 140737488334544 r9 0x7fffffffafb0 140737488334768 r10 0x7ffff6956000 140737330372608 r11 0xfff9000000000000 -1970324836974592 r12 0x7ffff6965000 140737330434048 r13 0x7fffffffaec0 140737488334528 r14 0x7fffffffaef0 140737488334576 r15 0x7fffffffaeb0 140737488334512 rip 0xabcd8b <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+11> => 0xabcd8b <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+11>: mov (%rdi),%rax 0xabcd8e <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+14>: mov (%rax),%rax
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150923073515" and the hash "f4233421a0091c7ff9da20e917e026bf60f93c8f". The "bad" changeset has the timestamp "20150923075616" and the hash "db4c17553be905e5d4e3106718f61f7421b91994". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f4233421a0091c7ff9da20e917e026bf60f93c8f&tochange=db4c17553be905e5d4e3106718f61f7421b91994
Assignee | ||
Comment 2•8 years ago
|
||
Another way in which a buggy module loader can mess things up.
Assignee: nobody → jcoppeard
Assignee | ||
Comment 3•8 years ago
|
||
The problem here is that HostResolveImportedModule (which is supplied by the embedding) is always supposed to return the same module for a given pair of arguments. Failure to do this is a bug in the module loader, but this is something we should be handle. This patch replaces the module's evaluated property with a state property which covers not just whether the module has been evaluated but the other possible states it can be in too. It also replaces the setting of the environment value to null if instantiation failed. The next patch will add more checks using this state.
Attachment #8772483 -
Flags: review?(shu)
Assignee | ||
Comment 4•8 years ago
|
||
Update state property appropriately and use it to check that the module returned by HostResolveImportedModule is in the correct state.
Attachment #8772485 -
Flags: review?(shu)
Comment 5•8 years ago
|
||
Comment on attachment 8772483 [details] [diff] [review] bug1287410-add-module-state Review of attachment 8772483 [details] [diff] [review]: ----------------------------------------------------------------- Let me see if I understand. Are finer grain states needed for instantiation due to the error checking in the next patch? That is, is it because the correctness condition differ among steps in ModuleDeclarationInstantiation? The loader sure is complicated. ::: js/src/builtin/SelfHostingDefines.h @@ +103,5 @@ > > +#define MODULE_STATE_FAILED 0 > +#define MODULE_STATE_PARSED 1 > +#define MODULE_STATE_INSTANTIATED 2 > +#define MODULE_STATE_EVALUATED 3 Since these are checked with <, please add a static assert somewhere that they're ordered as expected.
Attachment #8772483 -
Flags: review?(shu) → review+
Updated•8 years ago
|
Attachment #8772485 -
Flags: review?(shu) → review+
Assignee | ||
Comment 6•8 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #5) Yes, adding fine grained states makes it possible to check that the loader is behaving correctly and obeying its invariants.
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c197d68a2cf1 Add more fine-grained module state r=shu https://hg.mozilla.org/integration/mozilla-inbound/rev/1537eb623f79 Check state of module returned by HostResolveImportedModule r=shu
Comment 8•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c197d68a2cf1 https://hg.mozilla.org/mozilla-central/rev/1537eb623f79
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Comment 9•8 years ago
|
||
Can/should we uplift this to 50 (seems it's also affected)?
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 10•8 years ago
|
||
(In reply to Andrew Overholt [:overholt] from comment #9) > Can/should we uplift this to 50 (seems it's also affected)? Modules aren't being used for much at the moment, so probably no point uplifting this.
Flags: needinfo?(jcoppeard)
Comment 11•8 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #10) > (In reply to Andrew Overholt [:overholt] from comment #9) > > Can/should we uplift this to 50 (seems it's also affected)? > > Modules aren't being used for much at the moment, so probably no point > uplifting this. OK, thanks.
Comment 12•8 years ago
|
||
Crash volume for signature 'js::NativeObject::lookup': - nightly (version 51): 0 crashes from 2016-08-01. - aurora (version 50): 0 crashes from 2016-08-01. - beta (version 49): 50 crashes from 2016-08-02. - release (version 48): 52 crashes from 2016-07-25. - esr (version 45): 8 crashes from 2016-05-02. Crash volume on the last weeks (Week N is from 08-22 to 08-28): W. N-1 W. N-2 W. N-3 - nightly 0 0 0 - aurora 0 0 0 - beta 9 13 9 - release 15 18 7 - esr 1 2 0 Affected platform: Windows Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora - beta #1034 #484 - release #1148 - esr #1706
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox-esr45:
--- → affected
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•