Closed Bug 1210391 Opened 9 years ago Closed 9 years ago

Assertion failure: !obj->getOps()->lookupProperty, at js/src/vm/Stack-inl.h:40

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 9169f652fe5e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

let moduleRepo = new Map();
setModuleResolveHook(function(module, specifier) {
        return moduleRepo[specifier];
});
let a = moduleRepo['a'] = parseModule("export var a = 1; export var b = 2;");
let b = moduleRepo['b'] = parseModule("export var b = 3; export var c = 4;");
let c = moduleRepo['c'] = parseModule("export * from 'a'; export * from 'b';");
let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;");
assertEq(d.evaluation(), 1);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000045bdbe in js::IsCacheableNonGlobalScope (obj=<optimized out>) at js/src/vm/Stack-inl.h:40
#0  0x000000000045bdbe in js::IsCacheableNonGlobalScope (obj=<optimized out>) at js/src/vm/Stack-inl.h:40
#1  0x0000000000910fc6 in IsCacheableNonGlobalScope (obj=<optimized out>) at js/src/jit/IonCaches.cpp:4677
#2  IsCacheableScopeChain (scopeChain=<optimized out>, obj=0x7ffff7e60060) at js/src/jit/IonCaches.cpp:4666
#3  0x00000000009a3ebc in IsCacheableNameReadSlot (output=..., pc=0x7ffff69fee29 ";", shape=..., holder=..., obj=..., scopeChain=...) at js/src/jit/IonCaches.cpp:4706
#4  js::jit::NameIC::update (cx=0x7ffff6907400, outerScript=..., cacheIndex=<optimized out>, scopeChain=..., vp=...) at js/src/jit/IonCaches.cpp:4786
#5  0x00007ffff7feaccb in ?? ()
#6  0x0000000000000000 in ?? ()
rip	0x45bdbe <js::IsCacheableNonGlobalScope(JSObject*)+28>
=> 0x45bdbe <js::IsCacheableNonGlobalScope(JSObject*)+28>:	movl   $0x28,0x0
   0x45bdc9 <js::IsCacheableNonGlobalScope(JSObject*)+39>:	callq  0x4991a0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150923073515" and the hash "f4233421a0091c7ff9da20e917e026bf60f93c8f".
The "bad" changeset has the timestamp "20150923075616" and the hash "db4c17553be905e5d4e3106718f61f7421b91994".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f4233421a0091c7ff9da20e917e026bf60f93c8f&tochange=db4c17553be905e5d4e3106718f61f7421b91994
Assignee: nobody → jcoppeard
Attached patch bug1210391-module-scope (deleted)
The assert is failing because ModuleEnvironmentObject is a type of CallObject but it has a lookupProperty op.  Fix this by not counting module scopes as cacheable.

Eventually we will optimise access to module scopes so this may change again in the future.
Attachment #8668484 - Flags: review?(jdemooij)
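
The invariant behind the fix described in the comment above, as an added C++ example that is not part of the bug report or of SpiderMonkey's source: a cache fast path that reads an object's own slots is only safe for objects without a custom lookup op. All type and function names are hypothetical stand-ins, and the model assumes the module environment's hook resolves imported names to bindings held by another module.

```cpp
// Simplified model; every name here is a hypothetical stand-in, not SpiderMonkey's API.
#include <cassert>
#include <map>
#include <string>
enum class Kind { Call, ModuleEnvironment };
struct Obj;
using LookupHook = const int* (*)(const Obj&, const std::string&);
struct Obj {
    Kind kind;
    std::map<std::string, int> slots;           // bindings stored on the object itself
    std::map<std::string, const int*> imports;  // assumed: bindings owned by another module
    LookupHook lookupProperty;                  // custom lookup op, nullptr if none
};

// What a name cache's fast path does: read the object's own slots, never call the hook.
const int* cachedSlotRead(const Obj& o, const std::string& name) {
    auto it = o.slots.find(name);
    return it == o.slots.end() ? nullptr : &it->second;
}

// Hook for the module environment: imported names resolve to the exporter's binding.
const int* moduleLookup(const Obj& o, const std::string& name) {
    auto imp = o.imports.find(name);
    return imp != o.imports.end() ? imp->second : cachedSlotRead(o, name);
}

// Generic slow path: honours the hook when one is installed.
const int* genericLookup(const Obj& o, const std::string& name) {
    return o.lookupProperty ? o.lookupProperty(o, name) : cachedSlotRead(o, name);
}

// Before the fix: a module environment counts as a call object, so it is reported cacheable.
bool isCacheableBefore(const Obj& o) {
    return o.kind == Kind::Call || o.kind == Kind::ModuleEnvironment;
}
// After the fix: module scopes are excluded, so the invariant holds for every accepted object.
bool isCacheableAfter(const Obj& o) {
    bool cacheable = o.kind == Kind::Call;
    assert(!cacheable || !o.lookupProperty);  // the condition the failing assertion checks
    return cacheable;
}
// True when a predicate accepts an object whose lookups need the hook.
bool breaksInvariant(bool (*pred)(const Obj&), const Obj& o) {
    return pred(o) && o.lookupProperty != nullptr;
}
// Constructed sample data mirroring the testcase: module d imports `a`, whose value is 1.
static const int exportedA = 1;
Obj makeModuleEnv() { return Obj{Kind::ModuleEnvironment, {}, {{"a", &exportedA}}, moduleLookup}; }
Obj makeCallObject() { return Obj{Kind::Call, {{"x", 7}}, {}, nullptr}; }
```
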
Comment on attachment 8668484
bug1210391-module-scope

Review of attachment 8668484:
-----------------------------------------------------------------

Makes sense.
Attachment #8668484 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/adf5d43959d8
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44