Closed Bug 1209008 Opened 9 years ago Closed 9 years ago

Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor]

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1209107
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

x = true;
function testInitialEnvironment(source, expected) {
    let m = parseModule(source);
    let scope = m.initialEnvironment;
    // x is a boolean, so x.a is undefined and the assertion fails; assertEq then
    // calls ToSource on the module environment object to build its error message,
    // which is where the crash happens (see the backtrace below).
    assertEq(x.a, scope);
}
testInitialEnvironment('export let x = 1;', ['x']);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000720b1c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:488
#0  0x0000000000720b1c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:488
#1  0x0000000000b4d7bf in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., id=id@entry=..., desc=...) at js/src/jsobj.cpp:2546
#2  0x0000000000573c65 in js::ObjectToSource (cx=cx@entry=0x7ffff6907000, obj=obj@entry=...) at js/src/builtin/Object.cpp:195
#3  0x0000000000bd3e86 in js::ValueToSource (cx=cx@entry=0x7ffff6907000, v=..., v@entry=...) at js/src/jsstr.cpp:4357
#4  0x0000000000b1a36c in JS_ValueToSource (cx=cx@entry=0x7ffff6907000, value=value@entry=...) at js/src/jsapi.cpp:469
#5  0x000000000047e5eb in ToSource (cx=cx@entry=0x7ffff6907000, vp=..., vp@entry=..., bytes=bytes@entry=0x7fffffffcbd0) at js/src/shell/js.cpp:1602
#6  0x000000000047ec08 in AssertEq (cx=0x7ffff6907000, argc=2, vp=0x7ffff47fc148) at js/src/shell/js.cpp:1633
#7  0x0000000000705f32 in js::CallJSNative (cx=0x7ffff6907000, native=0x47eac0 <AssertEq(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x00000000006fb163 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#9  0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#10 0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#11 0x00000000007009d4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
#12 0x0000000000700d29 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
#13 0x0000000000b650db in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4379
#14 0x0000000000b651fb in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4410
#15 0x00000000004288cb in RunFile (compileOnly=false, file=0x7ffff699ac00, filename=0x7fffffffe047 "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:462
#16 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe047 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:580
#17 0x0000000000477324 in ProcessArgs (op=0x7fffffffdae0, cx=0x7ffff6907000) at js/src/shell/js.cpp:5863
#18 Shell (envp=<optimized out>, op=0x7fffffffdae0, cx=0x7ffff6907000) at js/src/shell/js.cpp:6161
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6517
rip	0x720b1c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>
=> 0x720b1c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+28>:	movl   $0x1e8,0x0
   0x720b27 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)+39>:	callq  0x4974e0 <abort()>


This issue seems different from bug 1208890 (different stack and test).
needinfo'ing jonco, as it involves modules
Flags: needinfo?(jcoppeard)
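A triage check, added here and not part of the report: in mfbt, MOZ_CRASH stores __LINE__ through a null pointer and then calls abort(), so the faulting `movl $0x1e8,0x0` followed by `callq <abort()>`, with 0x1e8 == 488 == the line in frame #0, marks a deliberate assertion failure at ScopeObject.cpp:488 rather than a wild write. The gdb lines are copied from the report above (symbol arguments abbreviated); the function names are my own.

```python
import re

# Constructed sample: frame #0 and the faulting instructions as gdb printed them
# in this report (symbol arguments shortened; the register dump is not needed).
FRAME0 = ("#0  0x0000000000720b1c in js::ModuleEnvironmentObject::getOwnPropertyDescriptor "
          "(cx=<optimized out>, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:488")
DISASM = ("=> 0x720b1c <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(...)+28>:"
          "\tmovl   $0x1e8,0x0\n"
          "   0x720b27 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(...)+39>:"
          "\tcallq  0x4974e0 <abort()>")

FRAME_RE = re.compile(r"^#0\s+.*? at (?P<file>\S+):(?P<line>\d+)\s*$")
# "movl $imm,addr": a store of an immediate to an absolute address
STORE_RE = re.compile(r"movl\s+\$(?P<imm>0x[0-9a-fA-F]+|\d+),(?P<addr>0x[0-9a-fA-F]+|\d+)")
ABORT_RE = re.compile(r"callq?\s+\S+\s+<abort\(\)>")


def parse_frame0(frame: str):
    """Return (file, line) from gdb's frame #0 line, or None without debug info."""
    m = FRAME_RE.match(frame.strip())
    return (m.group("file"), int(m.group("line"))) if m else None


def classify_crash(frame0: str, disasm: str) -> dict:
    """Label the fault 'moz_crash' when it is MOZ_CRASH's null store of __LINE__
    followed by abort() and the stored line matches frame #0; otherwise leave it
    'unclassified' so it gets memory-safety triage instead of being waved off."""
    result = {"kind": "unclassified", "file": None, "line": None, "stored_line": None}
    loc = parse_frame0(frame0)
    lines = [ln for ln in disasm.splitlines() if ln.strip()]
    faulting = next((ln for ln in lines if ln.lstrip().startswith("=>")), None)
    if loc is None or faulting is None:
        return result
    result["file"], result["line"] = loc
    store = STORE_RE.search(faulting)
    if store is None:
        return result
    imm, addr = int(store.group("imm"), 0), int(store.group("addr"), 0)
    result["stored_line"] = imm
    idx = lines.index(faulting)
    next_is_abort = idx + 1 < len(lines) and ABORT_RE.search(lines[idx + 1]) is not None
    if addr == 0 and next_is_abort and imm == loc[1]:
        result["kind"] = "moz_crash"  # assertion at file:line, not memory corruption
    return result
```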
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0773712473c9
user:        Jon Coppeard
date:        Mon Aug 24 15:58:36 2015 +0100
summary:     Bug 930414 - Hook up module environments, aliasing everything at top level for now r=shu

This iteration took 240.574 seconds to run.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE