Assertion failure: [barrier verifier] Unmarked edge: objectElementsOwner, at gc/Verifier.cpp:316

RESOLVED FIXED in mozilla34

Status

Core
JavaScript Engine
--
critical
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla34
x86_64
Linux
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox34 affected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
The following testcase asserts on mozilla-central revision dac8b4a0bd7c (run with --no-threads --fuzzing-safe):


gczeal(4,1);
var N = 100;
function basic(out) {
  for (var i = 0; i < N; i++) {
    var arr = [0, 1, 2, 3, 4];
    arr.length = 6;
  }
}
basic();
(Reporter)

Comment 1

4 years ago
Created attachment 8477213 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

4 years ago
Marked s-s because it's gc-related.
status-firefox34: --- → affected
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9605a571ca8a
user:        Brian Hackett
date:        Tue Aug 19 22:25:37 2014 -0800
summary:     Bug 934450 - Allow objects to have copy on write elements, r=billm,jandem.

This iteration took 288.677 seconds to run.
Blocks: 934450
Flags: needinfo?(bhackett1024)
Keywords: regression
(Assignee)

Comment 4

4 years ago
Created attachment 8479302 [details] [diff] [review]
patch

There should be a write barrier on the owner object pointer when we copy an object's copy-on-write elements for a write.  This pointer is traced through during GC so that the elements stay alive, but isn't used in any other way, so I don't think the lack of this barrier can cause any problems.
Assignee: nobody → bhackett1024
Attachment #8479302 - Flags: review?(wmccloskey)
Flags: needinfo?(bhackett1024)
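
The barrier described in Comment 4, as an added example that is not part of the bug report or of SpiderMonkey's source: a simplified C++ model of a pre-write barrier and of a verifier that snapshots edges and flags any changed edge whose old target was never marked. `Cell`, `Slot`, `PreBarrierVerifier` and `copyForWrite` are hypothetical names, and clearing the owner slot is an assumed stand-in for the object dropping its edge to the owner when it takes its own copy of the elements.

```cpp
// Added illustration: a toy model, not SpiderMonkey code. All names are hypothetical.
#include <cstddef>
#include <vector>

struct Cell { bool marked = false; };

// One traced pointer edge, e.g. an object's edge to the owner of its
// copy-on-write elements.
struct Slot {
    Cell* target = nullptr;
    // Barriered store: mark the value about to be overwritten, so a collector
    // that already snapshotted the old graph still treats it as live.
    void setBarriered(Cell* next) { if (target) target->marked = true; target = next; }
    // Unbarriered store: the old edge disappears without the GC being told.
    void setRaw(Cell* next) { target = next; }
};

// Records every edge up front, then reports edges that changed while their
// old target stayed unmarked (the "Unmarked edge" condition in this model).
class PreBarrierVerifier {
    struct Edge { Slot* slot; Cell* old; };
    std::vector<Edge> snapshot_;
public:
    explicit PreBarrierVerifier(const std::vector<Slot*>& slots) {
        for (Slot* s : slots) snapshot_.push_back({s, s->target});
    }
    std::size_t unmarkedEdges() const {
        std::size_t bad = 0;
        for (const Edge& e : snapshot_)
            if (e.old && e.slot->target != e.old && !e.old->marked) ++bad;
        return bad;
    }
};

// Assumed model of copying elements for a write: the edge to the owner is dropped.
std::size_t copyForWrite(bool useBarrier) {
    Cell owner, unrelated;
    Slot ownerSlot, otherSlot;
    ownerSlot.target = &owner;
    otherSlot.target = &unrelated;
    std::vector<Slot*> slots = {&ownerSlot, &otherSlot};
    PreBarrierVerifier verifier(slots);
    if (useBarrier) ownerSlot.setBarriered(nullptr);
    else            ownerSlot.setRaw(nullptr);
    return verifier.unmarkedEdges();
}

int main() { return (copyForWrite(true) == 0 && copyForWrite(false) == 1) ? 0 : 1; }
```
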
(Assignee)

Updated

4 years ago
Group: core-security
Attachment #8479302 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/9d7eb12460ce
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Flags: qe-verify-
Depends on: 1060547