Closed Bug 1719459 Opened 4 years ago Closed 4 years ago

Self-hosted JavaScript assertion info: [Latin 1]"./../../checkouts/gecko/js/src/builtin/Module.js:104: ModuleResolveExport"

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
92 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox90 --- wontfix
firefox91 --- fixed
firefox92 --- fixed

People

(Reporter: decoder, Assigned: arai)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20210704-2db6a4941022 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

c99 = registerModule('c', parseModule("export * from 'a'; export * from 'b';"));
c99.__proto__.resolveExport();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555700d36f in intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*) ()
#1  0x0000555556bf25d1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#2  0x0000555556bf1d06 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#3  0x0000555556bf3141 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#4  0x0000555556be709d in Interpret(JSContext*, js::RunState&) ()
#5  0x0000555556bdea51 in js::RunScript(JSContext*, js::RunState&) ()
#6  0x0000555556bf4876 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#7  0x0000555556bf4da4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#8  0x0000555556dd603f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#9  0x0000555556dd623a in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#10 0x0000555556abf6d5 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#11 0x0000555556abed60 in Process(JSContext*, char const*, bool, FileKind) ()
#12 0x0000555556a6620b in Shell(JSContext*, js::cli::OptionParser*) ()
#13 0x0000555556a5d902 in main ()
rip	0x55555700d36f <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+303>
=> 0x55555700d36f <_ZL25intrinsic_AssertionFailedP9JSContextjPN2JS5ValueE+303>:	movl   $0x1d3,0x0
   0x55555700d37a <_ZL25intrinsic_AssertionFailedP9JSContextjPN2JS5ValueE+314>:	callq  0x555556ae965a <abort>
Attached file Testcase

arai, do you think you could look into this bug? If you are the wrong person, let me know and I can find someone appropriate to work on it.

Flags: needinfo?(arai.unmht)

This is probably because the fuzzer is calling resolveExport in a way it didn't expect. The module object returned by parseModule is not exposed so this isn't a problem in the browser.

So, we should either:

  • a) Check `this`-value arguments in all ModuleObject methods
  • b) Hide the raw ModuleObject from the shell and return a wrapper with methods that check `this`-value arguments

(a) is simpler, but that can affect internal non-test usage.
(b) is a bit complicated, but it won't affect non-test usage.
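Added example (not Gecko's patch, not from this bug's attachments) modelling option (b) above: a raw record whose methods trust their receiver is kept private, and the object handed to the shell is a wrapper that brand-checks `this` before forwarding, so the fuzzer's `wrapper.__proto__.resolveExport()` call shape gets a TypeError instead of an assertion failure. `RawModuleRecord`, `ModuleWrapper` and `registerModule` are constructed stand-ins, not the real shell functions.

```javascript
const registry = new Map();  // name -> RawModuleRecord; never handed to callers
const brand = new WeakMap(); // wrapper -> RawModuleRecord; the brand check

// Stand-in for the internal ModuleObject: trusts `this` unconditionally.
class RawModuleRecord {
  constructor(name, localExports, starExportsFrom) {
    Object.assign(this, { name, localExports, starExportsFrom });
  }
  resolveExport(exportName, seen = new Set()) {
    if (seen.has(this.name)) return null;      // guard `export *` cycles
    seen.add(this.name);
    if (this.localExports.includes(exportName)) {
      return { module: this.name, binding: exportName };
    }
    for (const dep of this.starExportsFrom) {  // walk `export * from` deps
      const hit = registry.get(dep)?.resolveExport(exportName, seen);
      if (hit) return hit;
    }
    return null;
  }
}

// Shell-facing wrapper: every method validates the receiver first.
class ModuleWrapper {
  static unwrap(receiver, method) {
    const isObj = receiver !== null && typeof receiver === "object";
    const raw = isObj ? brand.get(receiver) : undefined;
    if (!raw) {
      throw new TypeError(`ModuleWrapper.prototype.${method} called on incompatible receiver`);
    }
    return raw;
  }
  get name() { return ModuleWrapper.unwrap(this, "name").name; }
  resolveExport(exportName) {
    return ModuleWrapper.unwrap(this, "resolveExport").resolveExport(String(exportName));
  }
}

// Constructed stand-in for the shell's registerModule: returns only the wrapper.
function registerModule(name, localExports, starExportsFrom = []) {
  registry.set(name, new RawModuleRecord(name, localExports, starExportsFrom));
  const wrapper = new ModuleWrapper();
  brand.set(wrapper, registry.get(name));
  return wrapper;
}

// Same call shape as the testcase (method reached via __proto__, wrong `this`).
function callViaPrototype(wrapper, exportName) {
  try { return { ok: true, value: wrapper.__proto__.resolveExport(exportName) }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

registerModule("a", ["x"]);
registerModule("b", ["y"]);
const c = registerModule("c", [], ["a", "b"]); // c: export * from 'a'; export * from 'b'
```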

Bugmon Analysis
Unable to reproduce bug using build mozilla-central 20210704213917-2db6a4941022. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)

The above patch implements wrappers for Module-related objects.

All accessors and some methods are implemented.
Some other methods that are not used in test cases are not implemented, given that the complexity around in/out parameters does not seem worth adding wrapper methods for.

Attachment #9230564 - Attachment description: WIP: Bug 1719459 - Add shell ModuleObject wrapper to avoid unexpected operation. r?jonco! → Bug 1719459 - Part 2: Add shell ModuleObject wrapper to avoid unexpected operation. r?jonco!
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/f63c08d7f7ee Part 1: Move module testing function to JS shell. r=jonco
https://hg.mozilla.org/integration/autoland/rev/2004b8e9ee61 Part 2: Add shell ModuleObject wrapper to avoid unexpected operation. r=jonco
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

The patch landed in nightly and beta is affected.
:arai, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(arai.unmht)

Comment on attachment 9230652 [details]
Bug 1719459 - Part 1: Move module testing function to JS shell. r?jonco!

Beta/Release Uplift Approval Request

  • User impact if declined: reduces fuzzing efficiency
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a JS shell-only change that is used by automation and fuzzing
  • String changes made/needed:
Flags: needinfo?(arai.unmht)
Attachment #9230652 - Flags: approval-mozilla-beta?
Attachment #9230564 - Flags: approval-mozilla-beta?

Comment on attachment 9230652 [details]
Bug 1719459 - Part 1: Move module testing function to JS shell. r?jonco!

Low risk in early betas, approved for 91 beta 3, thanks.

Attachment #9230652 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9230564 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite+

:arai, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(arai.unmht)

Bug in the bot.

Flags: needinfo?(arai.unmht)