Closed Bug 1100129 Opened 10 years ago Closed 10 years ago

Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp

Categories: Core :: JavaScript: GC, defect
Platform: x86_64 macOS
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla36

Tracking Status:
firefox35 --- unaffected
firefox36 --- verified
firefox-esr31 --- unaffected

People: Reporter: gkw, Assigned: jandem

The upcoming testcase asserts the js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager at Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz; the specific files are:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/testGeneratorDeepBail.js
http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/bug716013.js

I'll see if I can get a bisection.

Setting s-s and assuming sec-critical because this seems to involve GC (and the verifier).
Flags: needinfo?(jcoppeard)
Attached file stack
(lldb) bt
* thread #1: tid = 0x447787, 0x00000001001907d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::endVerifyPreBarriers(this=<unavailable>) + 550 at Verifier.cpp:328, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001907d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::endVerifyPreBarriers(this=<unavailable>) + 550 at Verifier.cpp:328
    frame #1: 0x000000010050a6cc js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::setZeal(this=0x000000010201ff48, zeal='\x04', frequency=0) + 44 at jsgc.cpp:1263
    frame #2: 0x00000001000cd6a2 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`GCZeal(cx=0x0000000101b14be0, argc=<unavailable>, vp=0x00007fff5fbfe058) + 306 at TestingFunctions.cpp:488
    frame #3: 0x0000000101f9d518
(lldb)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d8cd4f0de4f7
user:        Jan de Mooij
date:        Wed Nov 12 12:12:39 2014 +0100
summary:     Bug 1093573 part 10 - Baseline-compile JSOP_RESUME. r=shu,wingo

(not sure if this is correct, let me retry bisection overnight)
Yes, I'm fairly sure autoBisect points fingers at bug 1093573 as per comment 3, but leaving this to Jon/Jan to figure this out.
Flags: needinfo?(jdemooij)
FWIW, we appear to be able to hit this exact issue trivially on Try SM(ggc) runs when pushing Trunk simulated as a release branch (Aurora and Beta both work).

https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3172685&repo=try
I'll look into this.
Flags: needinfo?(jcoppeard)
Attached patch PatchSplinter Review
We were missing a pre-barrier when nulling out the generator's expression stack slot.

This is the only reference to the object so I didn't add a pre-barrier but apparently the verifier isn't happy with that, so let's just add the barrier.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8523930 - Flags: review?(terrence)
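The principle behind this fix, as an added illustration that is not SpiderMonkey's code: a toy snapshot-at-the-beginning incremental marker with a Yuasa-style pre-barrier and a miniature version of the pre-barrier verifier. All names here (Obj, Heap, writeChild, verifyPreBarriers, runScenario) are invented for the example. The scenario mirrors the situation in this bug: during an incremental marking slice the mutator loads an object through a slot that is its only reference, stores it somewhere already scanned, then nulls the original slot. Without the barrier the object is swept while still referenced, and the verifier flags the deleted edge as unmarked; with the barrier both problems go away.

```cpp
// Added example, not SpiderMonkey code: toy SATB incremental marking with a
// Yuasa-style pre-barrier and a miniature pre-barrier verifier.
#include <cstdio>
#include <utility>
#include <vector>

struct Obj {
    Obj* child = nullptr;   // the single outgoing edge of this toy object
    bool marked = false;
    bool freed = false;     // set by sweep instead of actually deleting
};

struct Heap {
    std::vector<Obj*> objects;
    std::vector<Obj*> roots;
    std::vector<Obj*> markStack;
    // Snapshot of every (owner, old target) edge taken when marking began.
    std::vector<std::pair<Obj*, Obj*>> snapshot;
    bool marking = false;
    bool useBarrier;

    explicit Heap(bool barrier) : useBarrier(barrier) {}
    ~Heap() { for (Obj* o : objects) delete o; }

    Obj* alloc() { Obj* o = new Obj; objects.push_back(o); return o; }

    // Turn an object gray: mark it and queue it for scanning.
    void markGray(Obj* o) {
        if (o && !o->marked) { o->marked = true; markStack.push_back(o); }
    }

    // Begin incremental marking: record the edge snapshot and gray the roots.
    void startMarking() {
        marking = true;
        snapshot.clear();
        for (Obj* o : objects)
            if (o->child) snapshot.emplace_back(o, o->child);
        for (Obj* r : roots) markGray(r);
    }

    // One increment of marking work: scan one gray object (it becomes black).
    bool markStep() {
        if (markStack.empty()) return false;
        Obj* o = markStack.back();
        markStack.pop_back();
        markGray(o->child);
        return true;
    }

    // The mutator writes slots only through here. The pre-barrier grays the
    // value being overwritten, so the snapshot taken at startMarking() stays valid.
    void writeChild(Obj* owner, Obj* value) {
        if (marking && useBarrier) markGray(owner->child);
        owner->child = value;
    }

    void finishMarking() { while (markStep()) {} marking = false; }

    // Miniature barrier verifier: a snapshot edge that no longer points at its
    // original target must have had that target marked by the barrier.
    bool verifyPreBarriers() const {
        for (const auto& e : snapshot)
            if (e.first->child != e.second && !e.second->marked) return false;
        return true;
    }

    // Sweep: unmarked objects are "freed"; marks are cleared for the next cycle.
    void sweep() {
        for (Obj* o : objects) { if (o->marked) o->marked = false; else o->freed = true; }
    }
};

struct Outcome { bool verifierOk; bool storedObjectSurvived; };

// Constructed scenario: root -> a -> b, plus an independent root c.
Outcome runScenario(bool useBarrier) {
    Heap heap(useBarrier);
    Obj* root = heap.alloc();
    Obj* a = heap.alloc();
    Obj* b = heap.alloc();
    Obj* c = heap.alloc();
    root->child = a;            // plain stores are fine before marking starts
    a->child = b;
    heap.roots = {root, c};

    heap.startMarking();        // root and c are gray
    heap.markStep();            // c is scanned and is now black

    Obj* loaded = a->child;     // mutator loads b through the not-yet-scanned a
    heap.writeChild(c, loaded); // stores it into black c (allowed under SATB)
    heap.writeChild(a, nullptr);// nulls the slot: the a -> b edge is deleted

    heap.finishMarking();
    bool ok = heap.verifyPreBarriers();
    heap.sweep();
    return Outcome{ok, !b->freed};
}

int main() {
    for (bool barrier : {false, true}) {
        Outcome o = runScenario(barrier);
        std::printf("barrier=%d verifier_ok=%d stored_object_survived=%d\n",
                    barrier, o.verifierOk, o.storedObjectSurvived);
    }
    return 0;
}
```

The point the scenario makes is the one the verifier enforces: "only reference" is a property of the heap graph at the time of the write, not of the marking snapshot. Once the mutator has copied the pointer elsewhere, the slot being nulled was the marker's only path to the object, and the deletion barrier is what keeps that path recorded.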
Comment on attachment 8523930 [details] [diff] [review]
Patch

Review of attachment 8523930 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, let's just barrier it unless it's a major performance issue.
Attachment #8523930 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/67886da0a1d8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security
Group: core-security