917733 - Assertion failure: !aheader->hasFreeThings(), at js/src/jsgc.h:531 or Crash [@ js::ObjectImpl::readBarrier]

Status: RESOLVED DUPLICATE of bug 901389

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-beta revision adb9fbeec38d (threadsafe build, run with --ion-eager):


function foo() bar(1,2,3,4,5,6,7,8,9);
function bar(... Number) foo();
foo();

Comment 1

[Christian Holler (:decoder)]

This affects mozilla-beta only, here's the crash trace (actually the crash triggers when using --ion-eager and the assertion pops up if I add --fuzzing-safe):


Program received signal SIGSEGV, Segmentation fault.
js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
173         if (zone->needsBarrier()) {
#0  js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
#1  0x0000000000415851 in get (this=<optimized out>) at ../../gc/Barrier.h:631
#2  operator js::GlobalObject* (this=<optimized out>) at ../../gc/Barrier.h:635
#3  maybeGlobal (this=<optimized out>) at ../../jscompartmentinlines.h:25
#4  JSObject::global (this=<optimized out>) at ../../jsobjinlines.h:771
#5  0x00000000006e0f27 in js_GetClassObject (cxArg=0x18e6890, obj=<optimized out>, key=JSProto_InternalError, objp=0x0) at js/src/jsobj.cpp:3080
#6  0x00000000006e4700 in js_FindClassObject (cx=0x18e6890, protoKey=JSProto_InternalError, vp=JSVAL_VOID, clasp=<optimized out>) at js/src/jsobj.cpp:3151
#7  0x00000000006ea432 in js_GetClassPrototype (cx=0x18e6890, protoKey=<optimized out>, protop=0x0, clasp=0x0) at js/src/jsobj.cpp:5128
rax     0x7     -2111062325329913
rip     0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>
=> 0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>:  cmpb   $0x0,(%rax)
   0x41550f <js::ObjectImpl::readBarrier(js::ObjectImpl*)+79>:  je     0x415549 <js::ObjectImpl::readBarrier(js::ObjectImpl*)+137>


I'm marking this s-s because the assertion involves GC and the test switches between assertion and crash by adding --fuzzing-safe, which doesn't really sound well to me.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Error: Unsupported branch "25 Branch" required by bug

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "25 Branch" required by bug

Comment 4

[David Bolter [:davidb] (NeedInfo me for attention)]

Rating sec-high based on current info.

Comment 5

[Christian Holler (:decoder)]

I'm seeing multiple GC crash signatures on mozilla-beta. Can we get a fix for this so we can rule out that there are more problems on beta?

Comment 6

[Daniel Veditz [:dveditz]]

Akeybl: this is a security vulnerability that regressed sometime between when this was on Mozilla central and the Beta uplift. We should get this fixed before release.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80fe42f29748
user:        Shu-yu Guo
date:        Fri Aug 02 08:24:57 2013 -0700
summary:     Bug 898746 - Type rest argument arrays as dense arrays with unknown element type. (r=bhackett)

Does https://hg.mozilla.org/releases/mozilla-beta/rev/80fe42f29748 or bug 898746 seem possible?

Comment 8

[Shu-yu Guo [:shu]]

Any idea what the first good cset is on central after 80fe42f29748?

Comment 9

[Shu-yu Guo [:shu]]

This was fixed by 901389, which looks like it missed the uplift. Marking duplicate and asking for a? on that bug.

Comment 10

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c70720eea645
user:        Shu-yu Guo
date:        Tue Aug 06 18:15:53 2013 -0700
summary:     Bug 901389 - Pass length correctly in creating rest argument template objects in Ion. (r=bhackett)

Yep, that's right.