Closed Bug 1414809 Opened 4 years ago Closed 4 years ago

Self-hosted JavaScript assertion info: "js/src/builtin/Module.js:395: Required module should be in the stack iff it is currently being instantiated"

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux

Tracking

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(4 keywords, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision 4e6df5159df3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

let moduleRepo = {};
setModuleResolveHook(function(module, specifier) {
        return moduleRepo[specifier];
});
var lfLogBuffer = `
let c = moduleRepo['c'] = parseModule("export * from 'a'; export * from 'b';");
try {
    c.declarationInstantiation();
} catch (exc) {}
let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;");
    d.declarationInstantiation();
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    oomTest(function() {
        eval(lfVarx);
    });
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000c2dac0 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:409
#0  0x0000000000c2dac0 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:409
#1  0x000000000055e631 in js::CallJSNative (cx=0x7ffff6948000, native=0xc2da00 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#2  0x0000000000552dbf in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6948000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#3  0x000000000055319d in InternalCall (cx=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:521
#4  0x00000000005532ca in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:527
#5  0x000000000063a283 in js::jit::DoCallFallback (cx=0x7ffff6948000, frame=0x7fffffffa058, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9fe8, res=...) at js/src/jit/BaselineIC.cpp:2539
#6  0x00000f986d0734cb in ?? ()
#7  0x0000000000000000 in ?? ()
rip	0xc2dac0 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+192>
=> 0xc2dac0 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+192>:	movl   $0x0,0x0
   0xc2dacb <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+203>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2e4748827cda
user:        Jon Coppeard
date:        Wed Aug 09 18:05:15 2017 +0100
summary:     Bug 1374239 - Store and re-throw module instantiation and evaluation errors r=shu

This iteration took 1.187 seconds to run.

Jon, is bug 1374239 a likely regressor?

Blocks: 1374239
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 91cecf141b8b).

Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7a1ca2738093
user:        Jon Coppeard
date:        Wed Dec 06 14:54:58 2017 +0000
summary:     Bug 1420420 - Update module implementation to match latest spec regarding handling of instantiation errors r=anba r=baku r=jgraham

This iteration took 281.836 seconds to run.

Handling of instantiation errors has been updated in bug 1420420 and this no longer reproduces.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → WORKSFORME

Since the bug fixing this is known, resolving -> FIXED

Resolution: WORKSFORME → FIXED
Assignee: nobody → jcoppeard
Depends on: 1420420
Target Milestone: --- → mozilla59