Closed
Bug 1096018
Opened 10 years ago
Closed 10 years ago
Assertion failure: [barrier verifier] Unmarked edge: reference-val, at gc/Verifier.cpp:316
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla36
| Tracking | Status | |
|---|---|---|
| firefox34 | --- | unaffected |
| firefox35 | --- | unaffected |
| firefox36 | --- | verified |
| firefox37 | --- | verified |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.2 | --- | disabled |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
Attachments
(2 files)
|
348 bytes,
text/plain
|
Details | |
|
936 bytes,
patch
|
nmatsakis
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision d380166816dd (run with --no-threads --fuzzing-safe):
gczeal(4);
var T = TypedObject;
var ValueStruct = new T.StructType({f: T.Any});
var v = new ValueStruct();
function writeValue(o, v, expectedType, expected) {
o.f = v;
}
for (var i = 0; i < 500000; i++)
writeValue(v, { toString: function() { return "helo" } }, "object", "helo");
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
Marked this bug s-s as it involves the GC. Needinfo from :nmatsakis due to TypedObject being involved.
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/4bdc3391644e user: Brian Hackett date: Tue Nov 04 18:21:47 2014 -0700 summary: Bug 1091329 - Optimize writes to reference members of TypedObjects, r=nmatsakis,jandem. This iteration took 7.595 seconds to run.
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 4•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d380166816dd).
|
||
Updated•10 years ago
|
status-firefox35:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Flags: needinfo?(nmatsakis) → needinfo?(bhackett1024)
Keywords: regression,
sec-high
|
Assignee | |
Comment 5•10 years ago
|
||
I haven't been able to reproduce this, on either trunk or the reported revision, but this patch should fix the problem. MStoreElement needs to be told whether it needs to include a pre barrier. (StoreUnboxedObjectOrNull/String always include the barrier.)
Flags: needinfo?(bhackett1024)
Attachment #8523570 -
Flags: review?(nmatsakis)
|
||
Updated•10 years ago
|
Assignee: nobody → bhackett1024
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-firefox34:
--- → unaffected
|
||
Updated•10 years ago
|
Group: javascript-core-security
|
||
Updated•10 years ago
|
Attachment #8523570 -
Flags: review?(nmatsakis) → review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8edd196e6d87
|
|
||
Comment 7•10 years ago
|
||
TypedObject is disabled everywhere except Nightly, so any B2G release should be unaffected.
https://hg.mozilla.org/mozilla-central/rev/8edd196e6d87
Target Milestone: --- → mozilla36
|
||
Comment 9•10 years ago
|
||
This landed on m-c as per comment 8.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•10 years ago
|
|
|
Reporter | |
Comment 10•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed. JSBugMon: This bug has been automatically verified fixed on Fx36
|
|
||
Updated•10 years ago
|
Group: javascript-core-security
|
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•