1466487 - Crash [@ ??] or Assertion failure: func, at builtin/ModuleObject.cpp:1658 with evalInWorker and ES6 Modules

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P3)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision ad1249c83efb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker(`
    let m = parseModule("import.meta;");
    m.declarationInstantiation();
    m.evaluation();
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff48ff700 (LWP 7266)]
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00000000005ab3e1 in js::GetOrCreateModuleMetaObject (cx=0x7ffff491a000, moduleArg=...) at js/src/builtin/ModuleObject.cpp:1659
#2  0x000000000055e44e in Interpret (cx=0x7ffff491a000, state=...) at js/src/vm/Interpreter.cpp:4256
#3  0x000000000056634a in js::RunScript (cx=0x7ffff491a000, state=...) at js/src/vm/Interpreter.cpp:421
#4  0x00000000005683d6 in js::ExecuteKernel (result=0x7ffff5f9d1f0, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7ffff491a000) at js/src/vm/Interpreter.cpp:704
#5  js::Execute (cx=cx@entry=0x7ffff491a000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7ffff5f9d1f0) at js/src/vm/Interpreter.cpp:737
#6  0x00000000005a610d in js::ModuleObject::execute (cx=0x7ffff491a000, self=..., self@entry=..., rval=...) at js/src/builtin/ModuleObject.cpp:1127
#7  0x0000000000a09358 in intrinsic_ExecuteModule (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:2217
#8  0x00000000005666d1 in js::CallJSNative (args=..., native=0xa09310 <intrinsic_ExecuteModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff491a000) at js/src/vm/JSContext-inl.h:274
[...]
#16 0x0000000000460ead in WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3631
[...]
#20 0x00007ffff6c383dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x7ffff4905000	140737296486400
rbx	0x7ffff48fe040	140737296457792
rcx	0x7ffff4600500	140737293321472
rdx	0x7ffff48fde00	140737296457216
rsi	0x7ffff48fe040	140737296457792
rdi	0x7ffff491a000	140737296572416
rbp	0x7ffff491a000	140737296572416
rsp	0x7ffff48fdde8	140737296457192
r8	0x1e6f340	31912768
r9	0x7ffff4503100	140737292284160
r10	0x7ffff48fe420	140737296458784
r11	0xfffb000000000000	-1407374883553280
r12	0x7ffff48fe460	140737296458848
r13	0x1e6ac60	31894624
r14	0x7ffff491a748	140737296574280
r15	0x7ffff491a000	140737296572416
rip	0x0	0
=> 0x0:


Null-jump, not marking s-s.

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/277bd9cf9edc
user:        Jon Coppeard
date:        Wed May 23 08:47:28 2018 +0100
summary:     Bug 1427610 - Implement import.meta in the JS frontent r=jorendorff

This iteration took 243.713 seconds to run.

Comment 2

[Jon Coppeard (:jonco)]

This is a shell-only issue.

Comment 3

[Jon Coppeard (:jonco)]

Attachment: bug1466487-import-meta-hook

Patch to check for the metadata hook being set rather than asserting it.

Comment 4

[André Bargull [:anba]]

Comment on attachment 8983367 [details] [diff] [review]
bug1466487-import-meta-hook

Review of attachment 8983367 [details] [diff] [review]:
-----------------------------------------------------------------

Looks reasonable.

Comment 5

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/450557c0669f
Throw if module metadata hook is not set in the shell r=anba

Comment 6

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/450557c0669f