Closed Bug 1680878 Opened 3 years ago Closed 3 years ago

Assertion failure: module->hadEvaluationError(), at builtin/ModuleObject.cpp:2076

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
85 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox83 --- unaffected
firefox84 --- unaffected
firefox85 --- verified

People

(Reporter: decoder, Assigned: yulia)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20201204-c22c3f6c8ead (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

r = parseModule(`
  for await (var x of this) {}
`);
r.declarationInstantiation();
r.evaluation();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556c41a83 in js::AsyncModuleExecutionRejected(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>) ()
#0  0x0000555556c41a83 in js::AsyncModuleExecutionRejected(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>) ()
#1  0x0000555556c41825 in js::AsyncModuleExecutionRejectedHandler(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555556b94772 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3  0x0000555556b9402a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4  0x0000555556b953b4 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#5  0x0000555556b955f0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#6  0x0000555556c1ace2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#7  0x0000555556ddabe3 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#8  0x0000555556b94772 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#16 0x0000555556a04783 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#17 0x00005555569fda64 in main ()
rax	0x5555557bef53	93824994766675
rbx	0x7fffffffbb40	140737488337728
rcx	0x555557fcb690	93825036760720
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffbb10	140737488337680
rsp	0x7fffffffbaa0	140737488337568
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f998c0	140737353717952
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0xfff9000000000000	-1970324836974592
r13	0xffff800000000000	-140737488355328
r14	0xfff8800000000000	-2111062325329920
r15	0xfff9000000000000	-1970324836974592
rip	0x555556c41a83 <js::AsyncModuleExecutionRejected(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>)+259>
=> 0x555556c41a83 <_ZN2js28AsyncModuleExecutionRejectedEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEENS3_INS2_5ValueEEE+259>:	movl   $0x81c,0x0
   0x555556c41a8e <_ZN2js28AsyncModuleExecutionRejectedEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEENS3_INS2_5ValueEEE+270>:	callq  0x555556a8cd72 <abort>

Could be related to the recent top-level await work, since await is required in the test.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201205093858-7ce95b6cde26.
The bug appears to have been introduced in the following build range:

Start: 85d1fafd696aadc3b5f53c79b918c2ebdf48dcb7 (20201204071028)
End: 7d9c82add62dbc4c7ab63f169c2be1a51c611f81 (20201204090051)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=85d1fafd696aadc3b5f53c79b918c2ebdf48dcb7&tochange=7d9c82add62dbc4c7ab63f169c2be1a51c611f81

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Assignee: nobody → ystartsev
Priority: -- → P1
Attachment #9191603 - Attachment description: Bug 1680878 - Disable top-level await from running by default on loops → Bug 1680878 - When top-level await is disabled, also disable top-level for-await loops
Pushed by ystartsev@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f1f41c26a2a7
When top-level await is disabled, also disable top-level for-await loops r=jorendorff
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201208213457-840349cabe2f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon