Closed Bug 864462 Opened 11 years ago Closed 11 years ago

Assertion failure: trc->root, at gc/Verifier.cpp

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla23

People

(Reporter: gkw, Assigned: billm)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

An upcoming testcase asserts the js debug shell on m-c changeset 2aff2d574a1e with --ion-eager --no-jm --no-ti at Assertion failure: trc->root, at gc/Verifier.cpp

Filing first because this is difficult to reproduce on platforms other than an ARM pandaboard, at least for jsfunfuzz. decoder mentions that Langfuzz might have found this as well.

s-s because GC stuff seems to be involved, at least from the assertion message.

Attached file stack

try {
    m = new Map();
    this.n += 'xxx';
    for (var y = 0; y < 9; ++y) {
        for (var z = 0; z < 9; ++z) {
            n += n;
        }
    }
} catch (e) {}
m.set(n);
verifyprebarriers()
print(Array(0x5a827999));

I was discussing this with billm over IRC just now, so setting needinfo.
Flags: needinfo?(wmccloskey)
I was hoping this was just an OOM, but it looks like it's not. hadOutOfMemory is false for the runtime.

It appears to be some kind of memory corruption. I'm not sure what the next steps are. It's a huge pain to debug.
Flags: needinfo?(wmccloskey)
Here's a second test that reproduces most of the time (if not, then it OOMs):

var BUGNUMBER = '';
function f2(o) {}
function f() {
    verifyprebarriers();
    BUGNUMBER(void 0, f(Int16Array(28800000,-28800)));
}
f();


Valgrind shows nothing unfortunately.
Attached patch patch
This turned out to be just an OOM. I should have looked more carefully at the assertion itself. For some reason the debugger was trapping at some other location.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #741012 - Flags: review?(terrence)
Group: core-security
We should also land the 2 testcases in this case.
Comment on attachment 741012 [details] [diff] [review]
patch

Review of attachment 741012 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Verifier.cpp
@@ +511,5 @@
>      /* Make all the roots be edges emanating from the root node. */
>      MarkRuntime(trc);
>  
> +    VerifyNode *node;
> +    node = trc->curnode;
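Review bot: The split `VerifyNode *node;` / `node = trc->curnode;` reads as an unmotivated change on its own; if it exists so that a `goto` elsewhere in the function no longer jumps across the initializer, a one-line comment at the declaration saying so would spare the next reader the same question.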

Why this change?
Attachment #741012 - Flags: review?(terrence) → review+
> Why this change?

I was getting one of those stupid errors about goto going around a variable initialization.
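
The compiler rule behind that answer, as an added example (not code from the patch or from SpiderMonkey; `VerifyNode`, `VerifyTracer` and `countEdges` are assumed stand-ins with made-up fields): C++ rejects a jump into the scope of a variable that carries an initializer, so a forward `goto` to an error label must not cross `VerifyNode *node = trc->curnode;`. Declaring the pointer without an initializer and assigning it on the normal path keeps the same behaviour while making the jump legal.

```cpp
#include <cstddef>

// Assumed stand-ins for the verifier's tracer and node; these are not
// SpiderMonkey's real types, just enough to show the language rule.
struct VerifyNode { int edges; };
struct VerifyTracer { VerifyNode *curnode; bool ok; };

// Ill-formed version (kept as a comment because it does not compile):
//
//   if (!trc->ok)
//       goto oom;                        // jumps over the initialization below
//   VerifyNode *node = trc->curnode;     // error: crosses initialization of 'node'
//   ...
// oom:
//   ...
//
// C++ forbids a jump past a declaration that has an initializer, so the fix is
// to declare the pointer without one and assign it on the normal path.

// Returns the edge count of the tracer's current node, or -1 when the tracer
// is in its error state or has no current node.
int countEdges(VerifyTracer *trc)
{
    int result = -1;
    if (!trc->ok)
        goto oom;               // legal: the declaration below has no initializer

    VerifyNode *node;           // declaration only, so the goto may bypass it
    node = trc->curnode;        // the former initializer becomes an assignment
    if (node != nullptr)
        result = node->edges;

oom:
    return result;
}
```

Only scalar (and similarly trivial) variables may be bypassed this way; a variable of class type with a non-trivial constructor would still be an error even without an explicit initializer, which is why the pointer in the patch is the easy case.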

https://hg.mozilla.org/integration/mozilla-inbound/rev/6b1b8e195cad
https://hg.mozilla.org/mozilla-central/rev/6b1b8e195cad
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23