Closed Bug 1604747 Opened 5 years ago Closed 5 years ago

Crash [@ mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRModuleObject<(js::XDRMode)0>(...)] with ES6 modules

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- unaffected
firefox73 --- fixed

People

(Reporter: decoder, Assigned: caroline)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Bug 1604747 - Error if attempt at encoding and instantiated module. r=iain
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20191217-83fc8cf83221 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

let og = parseModule("1");
let bc = codeModule(og);
let m54 = decodeModule(bc);
m54.declarationInstantiation();
bc = codeModule(m54);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555599d181 in mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRModuleObject<(js::XDRMode)0>(js::XDRState<(js::XDRMode)0>*, JS::MutableHandle<js::ModuleObject*>) ()
#1  0x0000555555e6d2a2 in js::XDRState<(js::XDRMode)0>::codeModuleObject(JS::MutableHandle<js::ModuleObject*>) ()
#2  0x0000555555796028 in CodeModule(JSContext*, unsigned int, JS::Value*) ()
#3  0x00005555558eb6e2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4  0x00005555558eaee8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x00005555558dfd35 in Interpret(JSContext*, js::RunState&) ()
#6  0x00005555558d5711 in js::RunScript(JSContext*, js::RunState&) ()
#7  0x00005555558edd75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) ()
#8  0x00005555558ee3cd in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) ()
#9  0x0000555555af5757 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) ()
#10 0x0000555555af58f0 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#11 0x00005555557cb275 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#12 0x00005555557ca67a in Process(JSContext*, char const*, bool, FileKind) ()
#13 0x00005555557756bb in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#14 0x000055555576ec31 in main ()
rax	0x0	0
rbx	0x7fffffffb9b0	140737488337328
rcx	0x7fffffffb7f0	140737488336880
rdx	0x10	16
rsi	0x7fffffffb7d8	140737488336856
rdi	0x200c24c7b2e0	35236528763616
rbp	0x7fffffffb910	140737488337168
rsp	0x7fffffffb6c0	140737488336576
r8	0x7fffffffb7c0	140737488336832
r9	0x7fffffffc070	140737488339056
r10	0xfff80000ffffff00	-2251795518718208
r11	0xfffaffffffffffff	-1407374883553281
r12	0x7fffffffb960	140737488337248
r13	0x7fffffffb7e0	140737488336864
r14	0x7ffff5e27000	140737318645760
r15	0x0	0
rip	0x55555599d181 <mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRModuleObject<(js::XDRMode)0>(js::XDRState<(js::XDRMode)0>*, JS::MutableHandle<js::ModuleObject*>)+1825>
=> 0x55555599d181 <_ZN2js15XDRModuleObjectILNS_7XDRModeE0EEEN7mozilla6ResultINS2_2OkEN2JS15TranscodeResultEEEPNS_8XDRStateIXT_EEENS5_13MutableHandleIPNS_12ModuleObjectEEE+1825>:	mov    0x8(%r15),%eax
   0x55555599d185 <_ZN2js15XDRModuleObjectILNS_7XDRModeE0EEEN7mozilla6ResultINS2_2OkEN2JS15TranscodeResultEEEPNS_8XDRStateIXT_EEENS5_13MutableHandleIPNS_12ModuleObjectEEE+1829>:	mov    %eax,-0x1e4(%rbp)

I assume this is shell-only.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b622095c76ab
user: caroline
date: Tue Dec 10 01:46:29 2019 +0000
summary: Bug 1588861 - Part 4: Add test harness for xdr modules. r=iain

Caroline, is bug 1588861 a likely regressor?

Flags: needinfo?(ccullen)
Regressed by: 1588861
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Has Regression Range: --- → yes

I'm pretty sure that's the regressor, i'll look into whats causing it!

Flags: needinfo?(ccullen)
Priority: -- → P1
Assignee: nobody → ccullen
Priority: P1 → --
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d4359a64d30f Error if attempt at encoding and instantiated module. r=iain
Priority: -- → P1

https://hg.mozilla.org/mozilla-central/rev/d4359a64d30f

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox73: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: