Closed
Bug 1100129
Opened 10 years ago
Closed 10 years ago
Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp
Categories
(Core :: JavaScript: GC, defect)
Tracking
VERIFIED FIXED
mozilla36

Branch | Tracking | Status
---|---|---
firefox35 | --- | unaffected
firefox36 | --- | verified
firefox-esr31 | --- | unaffected
People
(Reporter: gkw, Assigned: jandem)
Attachments (2 files)
- 1.68 KB, text/plain
- 801 bytes, patch (terrence: review+)
Description

The upcoming testcase asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager at Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific files are:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/testGeneratorDeepBail.js
http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/bug716013.js

I'll see if I can get a bisection.

Setting s-s and assuming sec-critical because this seems to involve GC (and the verifier).
Flags: needinfo?(jcoppeard)
Reporter
Comment 2•10 years ago

(lldb) bt
* thread #1: tid = 0x447787, 0x00000001001907d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::endVerifyPreBarriers(this=<unavailable>) + 550 at Verifier.cpp:328, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001907d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::endVerifyPreBarriers(this=<unavailable>) + 550 at Verifier.cpp:328
    frame #1: 0x000000010050a6cc js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::setZeal(this=0x000000010201ff48, zeal='\x04', frequency=0) + 44 at jsgc.cpp:1263
    frame #2: 0x00000001000cd6a2 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`GCZeal(cx=0x0000000101b14be0, argc=<unavailable>, vp=0x00007fff5fbfe058) + 306 at TestingFunctions.cpp:488
    frame #3: 0x0000000101f9d518
(lldb)
Reporter
Comment 3•10 years ago

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d8cd4f0de4f7
user: Jan de Mooij
date: Wed Nov 12 12:12:39 2014 +0100
summary: Bug 1093573 part 10 - Baseline-compile JSOP_RESUME. r=shu,wingo

(not sure if this is correct, let me retry bisection overnight)
Reporter
Comment 4•10 years ago

Yes, I'm fairly sure autoBisect points fingers at bug 1093573 as per comment 3, but leaving this to Jon/Jan to figure this out.
Flags: needinfo?(jdemooij)
Comment 5•10 years ago

FWIW, we appear to be able to hit this exact issue trivially on Try SM(ggc) runs when pushing Trunk simulated as a release branch (Aurora and Beta both work). https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3172685&repo=try
Assignee
Comment 7•10 years ago

We were missing a pre-barrier when nulling out the generator's expression stack slot. This is the only reference to the object so I didn't add a pre-barrier but apparently the verifier isn't happy with that, so let's just add the barrier.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8523930 -
Flags: review?(terrence)
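As an added illustration of the barrier comment 7 describes (constructed for this page, not SpiderMonkey's code; the `Obj`, `Heap`, `preBarrier` and `clearSlot` names are hypothetical), this toy snapshot-at-the-beginning marker shows how clearing a slot without a pre-barrier in the middle of incremental marking leaves a live object unmarked, which is the condition the barrier verifier reports:

```cpp
#include <vector>

// Toy snapshot-at-the-beginning incremental marker, constructed to
// illustrate the pre-barrier discussed in comment 7; not SpiderMonkey code.
struct Obj {
    Obj* slot = nullptr;  // the single outgoing edge this object holds
    bool marked = false;
};

struct Heap {
    std::vector<Obj*> markStack;
    bool marking = false;

    void mark(Obj* o) {
        if (o && !o->marked) { o->marked = true; markStack.push_back(o); }
    }
    void startIncremental(Obj* root) { marking = true; mark(root); }
    // Scan one object from the mark stack: one incremental slice.
    void step() {
        if (markStack.empty()) return;
        Obj* o = markStack.back();
        markStack.pop_back();
        mark(o->slot);
    }
    void finish() { while (!markStack.empty()) step(); marking = false; }
};

// Pre-barrier: mark the value about to be overwritten, so everything that
// was reachable when marking started still gets marked.
void preBarrier(Heap& h, Obj* oldValue) {
    if (h.marking) h.mark(oldValue);
}

void clearSlot(Heap& h, Obj* holder, bool useBarrier) {
    if (useBarrier) preBarrier(h, holder->slot);
    holder->slot = nullptr;
}

// Graph: root -> holder -> target. A slice scans root, then the mutator moves
// target into root's already-scanned slot and clears holder's slot.
// Returns whether target is marked when marking finishes.
bool targetSurvives(bool useBarrier) {
    Obj root, holder, target;
    root.slot = &holder; holder.slot = &target;
    Heap h;
    h.startIncremental(&root);
    h.step();                           // root scanned: holder marked, target not
    root.slot = &target;                // old value (holder) is already marked
    clearSlot(h, &holder, useBarrier);  // unbarriered, the edge to target is lost
    h.finish();
    return target.marked;               // false without the barrier: live but unmarked
}
```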
Comment 8•10 years ago

Comment on attachment 8523930 [details] [diff] [review]
Patch

Review of attachment 8523930 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, let's just barrier it unless it's a major performance issue.
Attachment #8523930 -
Flags: review?(terrence) → review+
Assignee
Comment 9•10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/67886da0a1d8
Comment 10•10 years ago

https://hg.mozilla.org/mozilla-central/rev/67886da0a1d8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Updated•10 years ago
Status: RESOLVED → VERIFIED

Comment 11•10 years ago

JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
Group: javascript-core-security

Updated•9 years ago
Group: core-security