1111194 - Assertion failure: [barrier verifier] Unmarked edge: TypeNewScript_function, at js/src/gc/Verifier.cpp:316

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2):

gczeal(4);
function F(){}
    var obj = new F();
    var itrCount = 10000;
    for(var i = 0; i < itrCount; i++) {
        assertEq(obj.value = i, i);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081f8956 in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:317
317	    MOZ_CRASH();
#0  0x081f8956 in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:317
#1  0x082052af in js::gc::GCRuntime::endVerifyPreBarriers (this=0x965bab8) at js/src/gc/Verifier.cpp:365
#2  0x085de587 in AutoStopVerifyingBarriers (_notifier=..., isShutdown=false, rt=0x965b900, this=0xffffda04) at js/src/gc/GCInternals.h:114
#3  js::gc::GCRuntime::collect (this=0x965bab8, incremental=false, budget=..., gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6247
#4  0x085df407 in js::gc::GCRuntime::gc (this=0x965bab8, gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6312
#5  0x0852d276 in js::DestroyContext (cx=0x96758f0, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:261
#6  0x0852d508 in JS_DestroyContext (cx=0x96758f0) at js/src/jsapi.cpp:753
#7  0x0804bf95 in DestroyContext (cx=0x96758f0, withGC=true) at js/src/shell/js.cpp:5258
#8  0x08069877 in main (argc=0, argv=0x0, envp=0x0) at js/src/shell/js.cpp:5986
eax	0x0	0
ebx	0x9631ff4	157491188
ecx	0xf7e648ac	-135903060
edx	0x0	0
esi	0xffffd4fc	-11012
edi	0xf2234ea0	-232567136
ebp	0xffffd918	4294957336
esp	0xffffd4d0	4294956240
eip	0x81f8956 <AssertMarkedOrAllocated(EdgeValue const&)+342>
=> 0x81f8956 <AssertMarkedOrAllocated(EdgeValue const&)+342>:	movl   $0x7b,0x0
   0x81f8960 <AssertMarkedOrAllocated(EdgeValue const&)+352>:	call   0x804aa00 <abort@plt>


Marking s-s because it's related to GC. Also marking as a fuzzblocker because this is a high frequency crasher (27 reports in the last hour).

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141212092057" and the hash "2e0a0c0d7685".
The "bad" changeset has the timestamp "20141212092456" and the hash "1d8b8c3d74e3".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2e0a0c0d7685&tochange=1d8b8c3d74e3

jsfunfuzz & randorderfuzz hit this a lot too.

Brian, is bug 1107145 a likely regressor?

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Hmm, bug 1107145 tried to simplify TypeObject barriers by calling writeBarrierPre on the parent TypeObject when its addendum changes.  But this is wrong as this call doesn't do anything if the TypeObject has already been marked by the incremental GC.

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/f0e3e6f8866d

Comment 4

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/f0e3e6f8866d

Comment 5

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.