Bug 1245518 (Closed): opened 9 years ago, closed 9 years ago
Crash [@ js::ModuleEnvironmentObject::getOwnPropertyDescriptor] with ES6 Modules and Debugger
Categories: Core :: JavaScript Engine, defect
Tracking
RESOLVED FIXED (target milestone: mozilla47)
 | Tracking | Status
---|---|---
firefox47 | --- | fixed
People: Reporter: decoder, Assigned: jonco
Details: Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch (deleted), shu: review+
The following testcase crashes on mozilla-central revision 5f9ba76eb3b1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):
evalInFrame = function(global) {
  dbgGlobal = newGlobal();
  dbg = new dbgGlobal.Debugger();
  return function(upCount, code) {
    dbg.addDebuggee(global);
    frame = dbg.getNewestFrame().older;
    frame.eval(code);
  }
}(this);
m = parseModule(`
function g() this.hours = 0;
evalInFrame.call(0, 0, "g()")
`);
m.declarationInstantiation();
m.evaluation();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=0x7ffff6907800, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:626
#0 js::ModuleEnvironmentObject::getOwnPropertyDescriptor (cx=0x7ffff6907800, obj=..., id=..., desc=...) at js/src/vm/ScopeObject.cpp:626
#1 0x0000000000753ab4 in js::GetOwnPropertyDescriptor (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., desc=desc@entry=...) at js/src/jsobj.cpp:2567
#2 0x0000000000861e1f in js::SetPropertyByDefining (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=..., v@entry=..., receiverValue=..., receiverValue@entry=..., result=...) at js/src/vm/NativeObject.cpp:2091
#3 0x0000000000862198 in SetNonexistentProperty (cx=cx@entry=0x7ffff6907800, id=id@entry=..., v=v@entry=..., receiver=receiver@entry=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2185
#4 0x0000000000877934 in js::NativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=id@entry=..., value=..., value@entry=..., receiver=..., receiver@entry=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2337
#5 0x00000000008a8711 in js::ModuleEnvironmentObject::setProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:618
#6 0x00000000007516a5 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=id@entry=..., v=..., v@entry=..., receiver=receiver@entry=..., result=...) at js/src/jsobj.cpp:1046
#7 0x00000000008c70e4 in SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.h:1487
#8 (anonymous namespace)::DebugScopeProxy::set (this=<optimized out>, cx=0x7ffff6907800, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:2197
#9 0x00000000007a60f5 in js::Proxy::set (cx=0x7ffff6907800, proxy=..., id=..., v=..., receiver_=..., result=...) at js/src/proxy/Proxy.cpp:324
#10 0x00000000007516a5 in JSObject::nonNativeSetProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1046
#11 0x00000000005232bd in js::jit::DoSetPropFallback (cx=0x7ffff6907800, frame=0x7fffffff9388, stub_=0x7ffff69a6058, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:4706
#12 0x00007ffff7ff0ea4 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rip 0x8a3154 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>)+4>
=> 0x8a3154 <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>)+4>: movl $0x272,0x0
0x8a315f <js::ModuleEnvironmentObject::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>)+15>: callq 0x449fa0 <abort()>
Updated 9 years ago: Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (9 years ago)
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150923073515" and the hash "f4233421a0091c7ff9da20e917e026bf60f93c8f".
The "bad" changeset has the timestamp "20150923075616" and the hash "db4c17553be905e5d4e3106718f61f7421b91994".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f4233421a0091c7ff9da20e917e026bf60f93c8f&tochange=db4c17553be905e5d4e3106718f61f7421b91994
Updated 9 years ago: Assignee: nobody → jcoppeard
Going to assume that this is related to bug 930414 as per comment 1.
Blocks: 930414
Comment 3 (9 years ago)
I guess I do need to implement that hook after all.
I split out NativeGetOwnPropertyDescriptor() from GetOwnPropertyDescriptor() along the same lines as e.g. DefineProperty() which checks for one of these hooks before calling NativeDefineProperty().
Attachment #8715726 - Flags: review?(shu)
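As an added illustration of the split described in comment 3 (this is not SpiderMonkey's code; the struct names, the `Desc.found` flag standing in for desc.object(), and the import-binding lookup are simplifications assumed here), a scaled-down model of a class hook being consulted before the native implementation, the way DefineProperty() checks for a hook before NativeDefineProperty():

```cpp
#include <map>
#include <string>

struct Desc {
    bool found = false;   // stands in for desc.object() being set
    int value = 0;
};
struct Obj;

// Per-class object-ops table (models ObjectOps): a null hook means
// "use the native implementation".
struct ClassOps {
    bool (*getOwnPropertyDescriptor)(Obj&, const std::string&, Desc&);
};

struct Obj {
    const ClassOps* ops = nullptr;       // null for ordinary native objects
    std::map<std::string, int> slots;    // own properties
    std::map<std::string, int> imports;  // module env only: imported bindings (assumed)
};

// Models NativeGetOwnPropertyDescriptor(): looks only at the object's own
// slots; "not found" is reported by leaving desc.found false, returning true.
bool NativeGetOwnPropertyDescriptor(Obj& obj, const std::string& id, Desc& desc) {
    auto it = obj.slots.find(id);
    desc.found = (it != obj.slots.end());
    if (desc.found) desc.value = it->second;
    return true;
}

// Models GetOwnPropertyDescriptor() after the fix: consult the class hook
// first, the way DefineProperty() does before NativeDefineProperty().
bool GetOwnPropertyDescriptor(Obj& obj, const std::string& id, Desc& desc) {
    if (obj.ops && obj.ops->getOwnPropertyDescriptor)
        return obj.ops->getOwnPropertyDescriptor(obj, id, desc);
    return NativeGetOwnPropertyDescriptor(obj, id, desc);
}

// Module environment hook (assumed shape): report an imported binding if
// there is one, otherwise fall through to the native slot lookup.
bool ModuleEnvGetOwnPropertyDescriptor(Obj& obj, const std::string& id, Desc& desc) {
    auto it = obj.imports.find(id);
    if (it == obj.imports.end()) return NativeGetOwnPropertyDescriptor(obj, id, desc);
    desc.found = true;
    desc.value = it->second;
    return true;
}

const ClassOps kModuleEnvOps = {&ModuleEnvGetOwnPropertyDescriptor};
```

With the hook installed, a lookup for a name the module environment does not own (like "hours" in the testcase) returns true with desc.found false instead of reaching a stub, which is what lets the SetPropertyByDefining() path in the backtrace proceed.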
Comment 4 (9 years ago)
Comment on attachment 8715726 [details] [diff] [review]
bug1245518-module-env-crash
Review of attachment 8715726 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/vm/NativeObject.cpp
@@ +1719,5 @@
> + desc.object().set(obj);
> + desc.assertComplete();
> + return true;
> +}
> +
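Review bot: the visible tail of the new NativeGetOwnPropertyDescriptor() covers only the found case ("desc.object().set(obj); desc.assertComplete(); return true;"); make sure the not-found path also returns true with desc.object() left null rather than an incomplete descriptor, since SetPropertyByDefining() in the crash backtrace uses that result to decide whether to define a new property on the receiver.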
Add another newline here. Convention of this file.
::: js/src/vm/NativeObject.h
@@ -1394,5 @@
>
> extern bool
> NativeDeleteProperty(JSContext* cx, HandleNativeObject obj, HandleId id, ObjectOpResult& result);
>
> -
Nit: extra newline is intentional, don't remove
Attachment #8715726 - Flags: review?(shu) → review+
Comment 6 (9 years ago), bugherder:
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47