Crash at js::ModuleObject::getCycleRoot
Categories: Core :: JavaScript Engine, defect, P2
People: Reporter: WeirdAl, Assigned: jonco
References: Blocks 2 open bugs
Details: Keywords: crash, testcase
Attachments: 2 files
Possible duplicate of bug 1754892, based on https://crash-stats.mozilla.org/report/index/feab810d-b832-483b-8f72-507020220412
I have a ClassReviver module which attempts to recreate objects from stringified JSON. I've written it so that in reviving, if a subclass of a base class misses some property, the reviver throws in calling defineClass().
Well, the subclass did miss a property. The defineClass() method threw... and MOZ_RELEASE_ASSERT(cycleRoot.isObject()); failed. ddd says cycleRoot = $JS::UndefinedValue().
Comment 1 • 3 years ago (Reporter)
Steps to reproduce:
(In a completely empty directory)
- tar -xjf bug1764239.tar.bz2
- npm install --only=prod
- node playground.mjs
- In Firefox, load http://localhost:3030/fixtures/book-grid-editable.html
Expected result:
JavaScript error: http://localhost:3030/objects/ClassReviver.mjs, line 45: Error: Class doesn't have a static fromJSON() method?
Actual result:
Assertion failure: cycleRoot.isObject(), at /home/ajvincent/compiled/central/mozilla-central/js/src/builtin/ModuleObject.cpp:1128
Comment 2 • 3 years ago (Reporter)
Fixing the errors makes the crash go away.
Comment 3 • 3 years ago
Jon, Yulia, who might be the best person to look at this issue?
Also, knowing that this assertion is present in release builds, I wonder whether this crash should be considered as a security issue.
Comment 4 • 3 years ago (Reporter)
(In reply to Nicolas B. Pierron [:nbp] from comment #3)
> Also, knowing that this assertion is present in release builds, I wonder whether this crash should be considered as a security issue.
The only reason I marked it as such is that the bug this might be a duplicate of is also classified.
I'll give this the same rating as the other bug, then.
Comment 6 • 3 years ago (Assignee)
I can reproduce this but I haven't managed to track it down yet. It's pretty strange that the cycle root is not set here.
Comment 7 • 3 years ago (Reporter)
Is there anything I can do to assist? I tried posting an absolute-minimum testcase, but that failed to reproduce the bug.
Comment 8 • 3 years ago (Assignee)
I can reproduce this failure with the following testcase:
let module1 = registerModule('module1', parseModule(
`import {} from "module2";
import {} from "module4";`));
let module2 = registerModule('module2', parseModule(
`await import("module3");`));
let module3 = registerModule('module3', parseModule(
``));
let module4 = registerModule('module4', parseModule(
`throw 1;`));
moduleLink(module1);
moduleEvaluate(module1);
drainJobQueue();
Comment 9 • 3 years ago (Assignee)
Like the changes in bug 1777972 concerning CycleRoot, this is not in the spec
but seems necessary due to the fact that this field isn't set when synchronous
module execution fails.
Comment 10 • 3 years ago (Assignee)
This is a release assert failure and is not a security vulnerability.
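The state that comments 8 and 9 describe, as an added JavaScript model that is not SpiderMonkey code, ECMAScript spec text or the patch for this bug: module2 records module1 as an async parent, module4 then throws synchronously, and module1 is left with an error but no cycle root. The names `mod`, `gatherAvailableAncestors` and the `guarded` check are assumptions made for this example, and the model covers acyclic graphs only.

```javascript
// Added model, not SpiderMonkey or spec code. Acyclic graphs only (no DFS indices).
const mod = (name, { deps = [], hasTLA = false, throws } = {}) => ({
  name, deps, hasTLA, throws, status: "linked", pendingAsyncDeps: 0,
  cycleRoot: undefined,        // models [[CycleRoot]]
  evaluationError: undefined,  // models [[EvaluationError]]
  asyncParents: [],            // models [[AsyncParentModules]]
});

function innerEvaluate(m, stack) {
  if (m.status !== "linked") return;
  m.status = "evaluating"; stack.push(m);
  for (const dep of m.deps) {
    innerEvaluate(dep, stack);
    // The parent is recorded on the async dependency before later deps run.
    if (dep.status === "evaluating-async") { m.pendingAsyncDeps++; dep.asyncParents.push(m); }
  }
  if (m.throws !== undefined) throw m.throws;   // synchronous failure
  m.status = m.hasTLA || m.pendingAsyncDeps ? "evaluating-async" : "evaluated";
  stack.pop(); m.cycleRoot = m;                 // reached only on success
}

function evaluate(root, stack = []) {
  try { innerEvaluate(root, stack); } catch (err) {
    // Failure path: the error is recorded, cycleRoot is never assigned.
    for (const m of stack) Object.assign(m, { status: "evaluated", evaluationError: err });
  }
}

// Runs when an async module settles. `guarded` is a hypothetical defensive
// check added for this example, not necessarily the change that landed.
function gatherAvailableAncestors(settled, guarded, execList = []) {
  for (const m of settled.asyncParents) {
    if (guarded && m.evaluationError !== undefined) continue;
    if (execList.includes(m) || m.cycleRoot.evaluationError !== undefined) continue;
    if (--m.pendingAsyncDeps === 0) {
      execList.push(m);
      if (!m.hasTLA) gatherAvailableAncestors(m, guarded, execList);
    }
  }
  return execList;
}

// Graph from comment 8: module1 imports module2 (top-level await) and module4 (throw 1).
function evaluateComment8Graph() {
  const module2 = mod("module2", { hasTLA: true });
  const module1 = mod("module1", { deps: [module2, mod("module4", { throws: 1 })] });
  evaluate(module1);
  return { module1, module2 };
}
```

In the unguarded call the read of `m.cycleRoot.evaluationError` throws a TypeError, which stands in here for the failed `cycleRoot.isObject()` release assert.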