Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp

VERIFIED FIXED in Firefox 36

Status: VERIFIED FIXED (severity: critical, priority: --, reported 4 years ago, last modified 3 years ago)

People: Reporter gkw, Assignee jandem

Tracking: Blocks 2 bugs, 4 keywords
Version: Trunk
Target Milestone: mozilla36
Platform: x86_64 Mac OS X
Keywords: assertion, regression, sec-critical, testcase
Points: ---

Firefox Tracking Flags: firefox35 unaffected, firefox36 verified, firefox-esr31 unaffected

Attachments: 2 attachments

The upcoming testcase asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager at Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific files are:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/testGeneratorDeepBail.js
http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/bug716013.js

I'll see if I can get a bisection.

Setting s-s and assuming sec-critical because this seems to involve GC (and the verifier).
Flags: needinfo?(jcoppeard)
Created attachment 8523538 [details]
stack

(lldb) bt
* thread #1: tid = 0x447787, 0x00000001001907d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::endVerifyPreBarriers(this=<unavailable>) + 550 at Verifier.cpp:328, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001907d6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::endVerifyPreBarriers(this=<unavailable>) + 550 at Verifier.cpp:328
    frame #1: 0x000000010050a6cc js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::gc::GCRuntime::setZeal(this=0x000000010201ff48, zeal='\x04', frequency=0) + 44 at jsgc.cpp:1263
    frame #2: 0x00000001000cd6a2 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`GCZeal(cx=0x0000000101b14be0, argc=<unavailable>, vp=0x00007fff5fbfe058) + 306 at TestingFunctions.cpp:488
    frame #3: 0x0000000101f9d518
(lldb)
Blocks: 1100132
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d8cd4f0de4f7
user:        Jan de Mooij
date:        Wed Nov 12 12:12:39 2014 +0100
summary:     Bug 1093573 part 10 - Baseline-compile JSOP_RESUME. r=shu,wingo

(not sure if this is correct, let me retry bisection overnight)
Yes, I'm fairly sure autoBisect points fingers at bug 1093573 as per comment 3, but leaving this to Jon/Jan to figure this out.
Flags: needinfo?(jdemooij)
FWIW, we appear to be able to hit this exact issue trivially on Try SM(ggc) runs when pushing Trunk simulated as a release branch (Aurora and Beta both work).

https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3172685&repo=try
Comment 6 (Assignee), 4 years ago
I'll look into this.
Flags: needinfo?(jcoppeard)
Comment 7 (Assignee), 4 years ago
Created attachment 8523930 [details] [diff] [review]
Patch

We were missing a pre-barrier when nulling out the generator's expression stack slot.

This is the only reference to the object so I didn't add a pre-barrier but apparently the verifier isn't happy with that, so let's just add the barrier.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8523930 - Flags: review?(terrence)
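To make the verifier's complaint concrete, here is an added toy model of a snapshot-at-the-beginning pre-barrier verifier in C++. It is not SpiderMonkey code and is not the patch; every name in it (`Obj`, `BarrierVerifier`, `preBarrier`, `setSlotBarriered`, `setSlotUnbarriered`, `runScenario`) is an assumption made for the illustration. The verifier records every object-to-object edge when it starts; each pre-barrier marks the old target of an edge that is about to be overwritten; at the end, any recorded edge that has disappeared without its old target having been marked is reported as an unmarked edge. Nulling out the generator's expression stack slot without the barrier is exactly the pattern that trips it, and the same store with the barrier in front of it passes.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Toy heap object (assumed shape): a name and a fixed set of pointer slots.
struct Obj {
    std::string name;
    std::vector<Obj*> slots;
};

// Shadow state of the toy verifier. Modelled on the idea of a pre-barrier
// verifier (record edges at start, check them at end), not on any real code.
struct BarrierVerifier {
    // (source object, slot index) -> target, as seen when verification began.
    std::vector<std::pair<std::pair<Obj*, size_t>, Obj*>> snapshot;
    std::set<Obj*> marked;  // old targets reported by the pre-barrier
    bool active = false;

    void start(const std::vector<Obj*>& heap) {
        snapshot.clear();
        marked.clear();
        active = true;
        for (Obj* o : heap)
            for (size_t i = 0; i < o->slots.size(); ++i)
                if (o->slots[i]) snapshot.push_back({{o, i}, o->slots[i]});
    }

    // Returns the number of unmarked edges: edges that were present at the
    // start, are gone now, and whose old target was never pre-barriered.
    int end() {
        int unmarked = 0;
        for (const auto& e : snapshot) {
            Obj* src = e.first.first;
            size_t idx = e.first.second;
            Obj* tgt = e.second;
            if (src->slots[idx] != tgt && marked.count(tgt) == 0) {
                std::printf("unmarked edge: %s.slots[%zu] -> %s\n",
                            src->name.c_str(), idx, tgt->name.c_str());
                ++unmarked;
            }
        }
        active = false;
        return unmarked;
    }
};

static BarrierVerifier gVerifier;

// Pre-barrier: before an edge is overwritten, record (mark) its old target.
void preBarrier(Obj* old) {
    if (gVerifier.active && old) gVerifier.marked.insert(old);
}

// Correct store: run the barrier on the old value, then overwrite.
void setSlotBarriered(Obj* obj, size_t idx, Obj* value) {
    preBarrier(obj->slots[idx]);
    obj->slots[idx] = value;
}

// The defective pattern described in the bug: overwrite with no barrier.
void setSlotUnbarriered(Obj* obj, size_t idx, Obj* value) {
    obj->slots[idx] = value;
}

// Scenario (constructed): a generator-like object keeps its expression stack in
// slot 0; resuming nulls that slot out. Returns the verifier's unmarked-edge count.
int runScenario(bool useBarrier) {
    Obj gen{"generator", {nullptr}};
    Obj stack{"exprStack", {}};
    gen.slots[0] = &stack;
    std::vector<Obj*> heap{&gen, &stack};

    gVerifier.start(heap);
    if (useBarrier)
        setSlotBarriered(&gen, 0, nullptr);
    else
        setSlotUnbarriered(&gen, 0, nullptr);
    return gVerifier.end();
}

int main() {
    std::printf("without barrier: %d unmarked edge(s)\n", runScenario(false));
    std::printf("with barrier:    %d unmarked edge(s)\n", runScenario(true));
    return 0;
}
```

The verifier cannot tell whether the removed edge was the object's only reference, which is why "it was the only reference" does not satisfy it: the invariant it checks is purely that every edge removed during the verification window had its old target marked first.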
Comment on attachment 8523930 [details] [diff] [review]
Patch

Review of attachment 8523930 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, let's just barrier it unless it's a major performance issue.
Attachment #8523930 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/67886da0a1d8
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
status-firefox36: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Status: RESOLVED → VERIFIED
status-firefox36: fixed → verified
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security
Blocks: 1093573
status-firefox35: --- → unaffected
status-firefox-esr31: --- → unaffected
Group: core-security