Assertion failure: [barrier verifier] Unmarked edge: callee, at gc/Verifier.cpp:315

VERIFIED FIXED in Firefox 32

Status

defect
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: terrence)

Tracking

(Blocks 1 bug, 5 keywords)

Trunk
mozilla32
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox31 unaffected, firefox32 verified, firefox-esr24 unaffected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

Reporter

Description

5 years ago
The following testcase asserts on mozilla-central revision b227a707080f (run with --fuzzing-safe):


var argObj = (function () { return arguments })();
gczeal(4);
delete argObj.callee;
Reporter

Comment 2

5 years ago
Marked s-s because this is a GC-related assertion with unknown impact until triaged.
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Reporter

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter

Comment 3

5 years ago
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140429121708" and the hash "d1e4a93e5b6c".
The "bad" changeset has the timestamp "20140429124009" and the hash "57292971f110".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d1e4a93e5b6c&tochange=57292971f110
Reporter

Comment 4

5 years ago
Regressed by bug 989414, needinfo from terrence based on comment 3 :)
Flags: needinfo?(terrence)
Assignee

Comment 5

5 years ago
Yup, this is almost certainly the BarrieredPtr rewrite. Taking.
Assignee: nobody → terrence
Flags: needinfo?(terrence)
Assignee

Comment 6

5 years ago
Gah! This was dumb. HeapBase dispatches to Heap<T>, so misses pre-barriers. Fortunately the one and only spot this could bite was through the setMagic I added at the same time. Thankfully the solution is trivial.
Attachment #8416039 - Flags: review?(jcoppeard)
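Comment 6 says the bug was a store path (setMagic, dispatched through HeapBase) that skipped the pre-barrier, which is exactly what the verifier enabled by gczeal(4) reports as an "Unmarked edge". The following C++ block is an added illustration, not SpiderMonkey code: it models a snapshot-at-the-beginning pre-write barrier and a barrier verifier, then overwrites a "callee" slot through a barriered setter and through a hypothetical unbarriered one. The names Heap, rawSet, BarrierVerifier and simulateDeleteCallee are constructed for this example.

```cpp
#include <cassert>
#include <string>
#include <utility>
#include <vector>

// Constructed model of an incremental-GC pre-write barrier plus a verifier in
// the spirit of gczeal(4). This is example code, not SpiderMonkey's.

struct Cell {
    const char* name;
    bool marked = false;   // set by the pre-barrier while the verifier is active
};

// One watched edge: the slot's address and the target it held at snapshot time.
struct Edge {
    Cell** slot;
    Cell* target;
    const char* label;
};

struct BarrierVerifier {
    bool active = false;
    std::vector<Edge> snapshot;

    // Record the edges to watch and clear the marks on their targets.
    void start(std::vector<Edge> edges) {
        snapshot = std::move(edges);
        for (Edge& e : snapshot) e.target->marked = false;
        active = true;
    }

    // Labels of edges whose old target was overwritten without being marked:
    // a non-empty result is the model's equivalent of "Unmarked edge: <label>".
    std::vector<std::string> finish() {
        active = false;
        std::vector<std::string> unmarked;
        for (const Edge& e : snapshot)
            if (*e.slot != e.target && !e.target->marked)
                unmarked.push_back(e.label);
        return unmarked;
    }
};

static BarrierVerifier gVerifier;

// Snapshot-at-the-beginning pre-barrier: mark the value about to be overwritten.
static void preBarrier(Cell* old) {
    if (gVerifier.active && old) old->marked = true;
}

// Barriered GC pointer wrapper. set() runs the pre-barrier; rawSet() does not
// and stands in for a base-class store path that bypasses the derived barrier.
template <typename T>
class Heap {
    T* ptr;
public:
    explicit Heap(T* p) : ptr(p) {}
    void set(T* p) { preBarrier(ptr); ptr = p; }
    void rawSet(T* p) { ptr = p; }          // hypothetical unbarriered path
    T* get() const { return ptr; }
    T** slotAddress() { return &ptr; }
};

// Simulate clearing an arguments object's callee slot under the verifier: the
// slot is overwritten with a sentinel cell through one of the two store paths.
std::vector<std::string> simulateDeleteCallee(bool barriered) {
    Cell fn{"function"};
    Cell magic{"MAGIC"};                    // stand-in for the magic "deleted" value
    Heap<Cell> callee(&fn);
    gVerifier.start({Edge{callee.slotAddress(), callee.get(), "callee"}});
    if (barriered) callee.set(&magic); else callee.rawSet(&magic);
    return gVerifier.finish();
}

int main() {
    assert(simulateDeleteCallee(true).empty());        // barriered store passes
    auto bad = simulateDeleteCallee(false);            // raw store is flagged
    assert(bad.size() == 1 && bad[0] == "callee");
    return 0;
}
```

The verifier only compares the snapshot against the final slot contents, so a store that forgets the pre-barrier is invisible to the store itself and only shows up when verification ends; that is why these bugs surface as fuzzer-found assertions rather than at the offending line.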
Comment on attachment 8416039 [details] [diff] [review]
fuzz_1004457-v0.diff

Review of attachment 8416039 [details] [diff] [review]:
-----------------------------------------------------------------

Ah yes, indeed it does.
Attachment #8416039 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/728803659bcb
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Reporter

Updated

5 years ago
Status: RESOLVED → VERIFIED
Reporter

Comment 10

5 years ago
JSBugMon: This bug has been automatically verified fixed.
Did this only affect trunk from the checkin on May 1?
Flags: needinfo?(terrence)
Assignee

Comment 12

5 years ago
The issue was present in m-c between 29 Apr and 14 May. I'm not sure what branches that covers.
Flags: needinfo?(terrence)
That's the day after we branched so this is trunk only.
Reporter

Comment 14

5 years ago
JSBugMon: This bug has been automatically verified fixed on Fx32
Blocks: 989414
Group: core-security
Keywords: regression, sec-high