Assertion failure: module->hadEvaluationError(), at builtin/ModuleObject.cpp:2076
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox83 | --- | unaffected |
firefox84 | --- | unaffected |
firefox85 | --- | verified |
People
(Reporter: decoder, Assigned: yulia)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20201204-c22c3f6c8ead (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
r = parseModule(`
for await (var x of this) {}
`);
r.declarationInstantiation();
r.evaluation();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555556c41a83 in js::AsyncModuleExecutionRejected(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>) ()
#0 0x0000555556c41a83 in js::AsyncModuleExecutionRejected(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>) ()
#1 0x0000555556c41825 in js::AsyncModuleExecutionRejectedHandler(JSContext*, unsigned int, JS::Value*) ()
#2 0x0000555556b94772 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3 0x0000555556b9402a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4 0x0000555556b953b4 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#5 0x0000555556b955f0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#6 0x0000555556c1ace2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#7 0x0000555556ddabe3 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#8 0x0000555556b94772 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#16 0x0000555556a04783 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#17 0x00005555569fda64 in main ()
rax 0x5555557bef53 93824994766675
rbx 0x7fffffffbb40 140737488337728
rcx 0x555557fcb690 93825036760720
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffbb10 140737488337680
rsp 0x7fffffffbaa0 140737488337568
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f998c0 140737353717952
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0xfff9000000000000 -1970324836974592
r13 0xffff800000000000 -140737488355328
r14 0xfff8800000000000 -2111062325329920
r15 0xfff9000000000000 -1970324836974592
rip 0x555556c41a83 <js::AsyncModuleExecutionRejected(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>)+259>
=> 0x555556c41a83 <_ZN2js28AsyncModuleExecutionRejectedEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEENS3_INS2_5ValueEEE+259>: movl $0x81c,0x0
0x555556c41a8e <_ZN2js28AsyncModuleExecutionRejectedEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEENS3_INS2_5ValueEEE+270>: callq 0x555556a8cd72 <abort>
Could be related to the recent toplevel await work, since await is required in the test.
Reporter | ||
Comment 1•3 years ago
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201205093858-7ce95b6cde26.
The bug appears to have been introduced in the following build range:
Start: 85d1fafd696aadc3b5f53c79b918c2ebdf48dcb7 (20201204071028)
End: 7d9c82add62dbc4c7ab63f169c2be1a51c611f81 (20201204090051)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=85d1fafd696aadc3b5f53c79b918c2ebdf48dcb7&tochange=7d9c82add62dbc4c7ab63f169c2be1a51c611f81
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 3•3 years ago
|
||
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f1f41c26a2a7 When top-level await is disabled, also disable top-level for-await loops r=jorendorff
Comment 5•3 years ago
|
||
bugherder |
Comment 6•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201208213457-840349cabe2f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Description
•