Self-hosted JavaScript assertion info: [Latin 1]"./../../checkouts/gecko/js/src/builtin/Module.js:104: ModuleResolveExport"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: decoder, Assigned: arai)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])
Attachments
(3 files)
- 111 bytes, text/plain
- 48 bytes, text/x-phabricator-request (pascalc: approval-mozilla-beta+)
- 48 bytes, text/x-phabricator-request (pascalc: approval-mozilla-beta+)
The following testcase crashes on mozilla-central revision 20210704-2db6a4941022 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
c99 = registerModule('c', parseModule("export * from 'a'; export * from 'b';"));
c99.__proto__.resolveExport();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x000055555700d36f in intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*) ()
#1 0x0000555556bf25d1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#2 0x0000555556bf1d06 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#3 0x0000555556bf3141 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#4 0x0000555556be709d in Interpret(JSContext*, js::RunState&) ()
#5 0x0000555556bdea51 in js::RunScript(JSContext*, js::RunState&) ()
#6 0x0000555556bf4876 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#7 0x0000555556bf4da4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#8 0x0000555556dd603f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#9 0x0000555556dd623a in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#10 0x0000555556abf6d5 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#11 0x0000555556abed60 in Process(JSContext*, char const*, bool, FileKind) ()
#12 0x0000555556a6620b in Shell(JSContext*, js::cli::OptionParser*) ()
#13 0x0000555556a5d902 in main ()
rax 0x55555578fe67 93824994573927
rbx 0xfffb000000000000 -1407374883553280
rcx 0x5555580e27d8 93825037903832
rdx 0x0 0
rsi 0x7ffff6abd770 140737331844976
rdi 0x7ffff6abc540 140737331840320
rbp 0x7fffffffbec0 140737488338624
rsp 0x7fffffffbe80 140737488338560
r8 0x7ffff6abd770 140737331844976
r9 0x7ffff7fe3840 140737354020928
r10 0x0 0
r11 0x0 0
r12 0x7ffff4d4e400 140737300980736
r13 0x7fffffffc190 140737488339344
r14 0x7fffffffbe80 140737488338560
r15 0x1658fc849540 24571449480512
rip 0x55555700d36f <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+303>
=> 0x55555700d36f <_ZL25intrinsic_AssertionFailedP9JSContextjPN2JS5ValueE+303>: movl $0x1d3,0x0
0x55555700d37a <_ZL25intrinsic_AssertionFailedP9JSContextjPN2JS5ValueE+314>: callq 0x555556ae965a <abort>
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago
arai, do you think you could look into this bug? If you are the wrong person, let me know and I can find someone appropriate to work on it.
Comment 3•4 years ago
This is probably because the fuzzer is calling resolveExport in a way it didn't expect. The module object returned by parseModule is not exposed so this isn't a problem in the browser.
Comment 4•4 years ago (Assignee)
So, we should either:
- a) Check arguments / this value in all ModuleObject methods
- b) Hide raw ModuleObject from shell and return a wrapper with methods that check arguments / this value
(a) is simpler, but that can affect internal non-test usage.
(b) is a bit complicated, but it won't affect non-test usage.
Comment 5•4 years ago
Bugmon Analysis
Unable to reproduce bug using build mozilla-central 20210704213917-2db6a4941022. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•4 years ago (Assignee)
Comment 7•4 years ago (Assignee)
The above patch implements wrappers for Module-related objects.
All accessors and some methods are implemented.
Some other methods that aren't used in testcases aren't implemented, given the complexity around in/out parameters, which doesn't seem worth adding wrapper methods for.
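The wrapper approach from option (b) in Comment 4, which Comment 7 says the patch implements, sketched as an added example; it is not the Mozilla patch or SpiderMonkey code. `RawModule`, `ModuleWrapper`, `unwrap` and `outcome` are hypothetical names, and export resolution is simplified to first match.

```javascript
// Added illustration, not SpiderMonkey code. RawModule is a hypothetical
// stand-in for the internal ModuleObject: its methods trust `this`.
class RawModule {
  constructor(name, localExports, starExportsFrom) {
    this.name = name;
    this.localExports = localExports;       // names this module exports
    this.starExportsFrom = starExportsFrom; // targets of `export * from`
  }
  resolveExport(exportName) {               // no receiver/argument checks
    if (this.localExports.includes(exportName)) return this.name;
    for (const dep of this.starExportsFrom) {
      const found = dep.resolveExport(exportName);
      if (found !== null) return found;
    }
    return null;
  }
}

// Brand table: only objects built by ModuleWrapper's constructor are keys,
// so a prototype object or any other receiver fails the lookup.
const rawByWrapper = new WeakMap();

function unwrap(receiver, method) {
  const raw = rawByWrapper.get(receiver);
  if (raw === undefined) {
    throw new TypeError(`${method}: receiver is not a module wrapper`);
  }
  return raw;
}

class ModuleWrapper {
  constructor(raw) { rawByWrapper.set(this, raw); }
  get name() { return unwrap(this, "name").name; }
  resolveExport(exportName) {
    const raw = unwrap(this, "resolveExport");
    if (typeof exportName !== "string") {
      throw new TypeError("resolveExport: export name must be a string");
    }
    return raw.resolveExport(exportName);
  }
}

// Runs fn and reports either its value or the error it raised.
function outcome(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, type: e.constructor.name, message: e.message }; }
}

// Constructed sample mirroring the report: c re-exports everything from a and b.
const a = new RawModule("a", ["x"], []);
const b = new RawModule("b", ["y"], []);
const c = new ModuleWrapper(new RawModule("c", [], [a, b]));
```

Calling `c.__proto__.resolveExport()`, the shape of the testcase above, fails the brand check with a TypeError instead of reaching the internal method with an unexpected receiver.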
Comment 8•4 years ago (Assignee)
Comment 10•4 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/f63c08d7f7ee
https://hg.mozilla.org/mozilla-central/rev/2004b8e9ee61
Comment 11•4 years ago
The patch landed in nightly and beta is affected.
:arai, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 12•4 years ago (Assignee)
Comment on attachment 9230652 [details]
Bug 1719459 - Part 1: Move module testing function to JS shell. r?jonco!
Beta/Release Uplift Approval Request
- User impact if declined: reduces fuzzing efficiency
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a JS shell-only change that is used by automation and fuzzing
- String changes made/needed:
Comment 13•4 years ago
Comment on attachment 9230652 [details]
Bug 1719459 - Part 1: Move module testing function to JS shell. r?jonco!
Low risk in early betas, approved for 91 beta 3, thanks.
Comment 14•4 years ago
bugherder uplift
Comment 15•4 years ago
:arai, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.