Closed Bug 1462326 Opened 7 years ago Closed 7 years ago

Crash [@ JS::Value::setObject] or Assertion failure: js::gc::IsCellPointerValid(&obj), at dist/include/js/Value.h:458 with ES6 import

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: decoder, Assigned: jonco)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 8fb36531f7d0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

let m = parseModule(`
  import A from "A";
`);
m.declarationInstantiation();

Backtrace:

received signal SIGSEGV, Segmentation fault.
JS::Value::setObject (obj=..., this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:469
#0 JS::Value::setObject (obj=..., this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:469
#1 JS::ObjectValue (obj=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:1018
#2 JS_CallFunction (cx=cx@entry=0x7ffff5f14000, obj=..., obj@entry=..., fun=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2946
#3 0x000000000044daef in CallModuleResolveHook (cx=0x7ffff5f14000, module=..., specifier=...) at js/src/shell/js.cpp:4302
#4 0x00000000009fb577 in intrinsic_HostResolveImportedModule (cx=0x7ffff5f14000, argc=<optimized out>, vp=0x7ffff49ea2a0) at js/src/vm/SelfHosting.cpp:2159
#5 0x0000000000564b81 in js::CallJSNative (args=..., native=0x9fb4c0 <intrinsic_HostResolveImportedModule(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f14000) at js/src/vm/JSContext-inl.h:280
#6 js::InternalCallOrConstruct (cx=0x7ffff5f14000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:467
#7 0x000000000056009d in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522
#8 Interpret (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:3086
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9326

This was found due to the recent ES grammar updates. Marking s-s because it involves a GC assertion.
This is a shell-only bug caused by my changes in bug 1461751.
Assignee: nobody → jcoppeard
Blocks: 1461751
Group: javascript-core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e862899dca3f
user: Jon Coppeard
date: Wed May 16 11:59:09 2018 +0100
summary: Bug 1461751 - Simplify module resolve hook to be a function pointer r=luke r=baku

This iteration took 245.159 seconds to run.
This was missing a null check in the shell's CallModuleResolveHook function. Normally the resolve hook is set up by the shell module loader which is initialised by InitModuleLoader() if you execute a module with the shell. Attempting to instantiate a module returned from parseModule() needs to fail gracefully if that hasn't happened though.
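As an added illustration (not SpiderMonkey's or the shell's own code), a simplified C++ model of the situation described in the comment above: the resolve hook is a function pointer that stays null until a stand-in InitModuleLoader() installs it, the unchecked call shows the pre-fix behaviour, and the checked version fails gracefully as the fix does. All type and function names here are hypothetical stand-ins, not the engine's API.

```cpp
#include <string>

// Hypothetical stand-ins for the engine's types (not SpiderMonkey's).
struct Module { std::string specifier; };

struct Context {
    // Function-pointer hook (the shape bug 1461751 introduced); it is null
    // until the shell's module loader has been initialised.
    Module* (*moduleResolveHook)(Context*, Module*, const std::string&) = nullptr;
    std::string pendingError;  // stand-in for a pending exception
};

// Stand-in for the shell loader's hook, installed only by InitModuleLoader().
static Module* shellResolveHook(Context*, Module*, const std::string& spec) {
    static Module resolved;
    resolved.specifier = spec;
    return &resolved;
}

void InitModuleLoader(Context* cx) { cx->moduleResolveHook = shellResolveHook; }

// Before the fix: calls through the hook unconditionally. With a null hook
// this is a call through a null function pointer, i.e. the crash in the
// report. Kept for comparison only; never invoked below.
Module* CallModuleResolveHookUnchecked(Context* cx, Module* m, const std::string& spec) {
    return cx->moduleResolveHook(cx, m, spec);
}

// After the fix: a missing hook becomes a reported error, not a dereference.
Module* CallModuleResolveHookChecked(Context* cx, Module* m, const std::string& spec) {
    if (!cx->moduleResolveHook) {
        cx->pendingError = "module resolve hook not set";
        return nullptr;
    }
    return cx->moduleResolveHook(cx, m, spec);
}

// Models m.declarationInstantiation() for a module that imports "A":
// returns false (with an error pending) instead of crashing when the
// shell loader was never initialised, e.g. after parseModule() alone.
bool DeclarationInstantiation(Context* cx, Module* m) {
    Module* dep = CallModuleResolveHookChecked(cx, m, "A");
    return dep != nullptr;
}
```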
Attachment #8976604 - Flags: review?(luke)
Attachment #8976604 - Flags: review?(luke) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/39504d83565e Add missing null check when calling shell's module resolve hook r=luke
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62