The following testcase crashes on mozilla-central revision c9a70b64f2fa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe): let moduleRepo = {}; setModuleResolveHook(function(module, specifier) { return moduleRepo[specifier]; }); try { let b = moduleRepo['b'] = parseModule("export var b = 3; export var c = 4;"); let c = moduleRepo['c'] = parseModule("export * from 'a'; export * from 'b';"); c.declarationInstantiation(); } catch (exc) {} let a = moduleRepo['a'] = parseModule("export var a = 1; export var b = 2;"); let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;"); d.declarationInstantiation(); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000b06dfb in js::NativeObject::lookup (this=0x0, cx=cx@entry=0x7ffff6965000, id=...) at js/src/vm/NativeObject.cpp:233 #0 0x0000000000b06dfb in js::NativeObject::lookup (this=0x0, cx=cx@entry=0x7ffff6965000, id=...) at js/src/vm/NativeObject.cpp:233 #1 0x0000000000a31fb7 in js::IndirectBindingMap::putNew (this=0x7ffff69a61a0, cx=cx@entry=0x7ffff6965000, name=..., name@entry=..., environment=..., environment@entry=..., localName=..., localName@entry=...) at js/src/builtin/ModuleObject.cpp:239 #2 0x0000000000b45037 in js::ModuleEnvironmentObject::createImportBinding (this=0x7ffff7e733a0, cx=cx@entry=0x7ffff6965000, importName=..., importName@entry=..., module=..., module@entry=..., localName=..., localName@entry=...) at js/src/vm/ScopeObject.cpp:532 #3 0x0000000000b4f464 in intrinsic_CreateImportBinding (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7ffff32ed178) at js/src/vm/SelfHosting.cpp:2155 #4 0x0000000000af01d4 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0xb4f2e0 <intrinsic_CreateImportBinding(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232 [...] #21 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7437 rax 0x0 0 rbx 0x7ffff69a61a0 140737330700704 rcx 0x7fffffffc340 140737488339776 rdx 0x7ffff7e00940 140737352042816 rsi 0x7ffff6965000 140737330434048 rdi 0x0 0 rbp 0x7fffffffc210 140737488339472 rsp 0x7fffffffc1f0 140737488339440 r8 0x7fffffffc320 140737488339744 r9 0x7fffffffc400 140737488339968 r10 0x7ffff7e94b79 140737352649593 r11 0x7fffffffbe80 140737488338560 r12 0x7ffff6965000 140737330434048 r13 0x7fffffffc310 140737488339728 r14 0x7fffffffc340 140737488339776 r15 0x7fffffffc300 140737488339712 rip 0xb06dfb <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+11> => 0xb06dfb <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+11>: mov (%rdi),%rax 0xb06dfe <js::NativeObject::lookup(js::ExclusiveContext*, jsid)+14>: mov (%rax),%rax

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150923073515" and the hash "f4233421a0091c7ff9da20e917e026bf60f93c8f". The "bad" changeset has the timestamp "20150923075616" and the hash "db4c17553be905e5d4e3106718f61f7421b91994". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f4233421a0091c7ff9da20e917e026bf60f93c8f&tochange=db4c17553be905e5d4e3106718f61f7421b91994

Jon, is bug 930414 a likely regressor?

The module loader is expected to throw away module records if there is an error during instantiation, so this testcase is an invalid use of the API. However we should make our implementation robust against such misuse.

Patch to prevent a buggy module loader trying to instantiate a module again after an error.

Comment on attachment 8770185 [details] [diff] [review] bug1284486-instantiation-error Review of attachment 8770185 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/modules/bug-1284486.js @@ +9,5 @@ > + c.declarationInstantiation(); > +} catch (exc) {} > +let a = moduleRepo['a'] = parseModule("export var a = 1; export var b = 2;"); > +let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;"); > +d.declarationInstantiation(); I know this is a fuzz test and I'm fine with checking those in, but I'd like some comments on what the error during instantiation is that ultimately causes the re-instantiate error.

(In reply to Shu-yu Guo [:shu] from comment #5) Sure, I'll add some comments.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/034f54c5ac43 Disallow returying ModuleDeclarationInstantiation after error r=shu

This is still reproducible in low volume on Fx50, based on the last ~3 months of crash data. SIGNATURE | js::NativeObject::lookup ---------------------------------------- CRASH STATS | http://tinyurl.com/zefrktw ---------------------------------------- OVERVIEW | 0 crashes on nightly 52 | 1 crashes on nightly 51 | 1 crashes on aurora 51 | 0 crashes on nightly 50 | 5 crashes on aurora 50 | 39 crashes on beta 50 ---------------------------------------- LAST CRASH | 2016-10-01 (on 50.0b2)

(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #9) ES6 modules aren't exposed to the web so these crashes are not due to this bug.