Closed Bug 1125119 Opened 9 years ago Closed 9 years ago

Assertion failure: (ptrBits & 0x7) == 0, at ../../dist/include/js/Value.h:850 or Crash [@ preBarrier] with Uint8ClampedArray

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 1124651

Tracking Status:
firefox37 --- unaffected
firefox38 + fixed
firefox-esr31 --- unaffected

People: Reporter: decoder, Unassigned

Details: 5 keywords, Whiteboard: [jsbugmon:]

The following testcase crashes on mozilla-central revision 494632b9afed (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager):

new Array();
var x = 1;
for (var idx = 0; idx < 7; ++idx) {
  loadFile("");
}
loadFile("x = new Uint8ClampedArray; x.__proto__ = {};");
schedulegc(1);
evaluate("x = 1;", { noScriptRval : true, compileAndGo : true });
x = new Number(1);
function loadFile(lfVarx) {
  function newFunc(x) { new Function(x)(); }
  newFunc(lfVarx);
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
preBarrier (v=$jsval((JSObject *) 0x7fff00000001 Cannot access memory at address 0x7fff00000001)) at js/src/vm/ProxyObject.cpp:104
104	}
#0  preBarrier (v=$jsval((JSObject *) 0x7fff00000001 Cannot access memory at address 0x7fff00000001)) at js/src/vm/ProxyObject.cpp:104
#1  js::BarrieredBase<JS::Value>::pre (this=<optimized out>) at js/src/gc/Barrier.h:452
#2  0x00000000008b98b5 in set (v=..., slot=<optimized out>, kind=js::HeapSlot::Slot, owner=(js::NativeObject *) 0x7ffff565a060 [object global] delegate, this=0x16fe4f0) at js/src/gc/Barrier.h:881
#3  setSlot (value=..., slot=<optimized out>, this=(js::NativeObject * const) 0x7ffff565a060 [object global] delegate) at js/src/vm/NativeObject.h:762
#4  js::NativeObject::setSlotWithType (this=(js::NativeObject * const) 0x7ffff565a060 [object global] delegate, cx=0x16e6ca0, shape=0x7ffff5671380, value=..., overwriting=true) at js/src/vm/NativeObject-inl.h:331
#5  0x00000000008a6a60 in NativeSet (cx=0x16e6ca0, obj=(js::NativeObject * const) 0x7ffff565a060 [object global] delegate, receiver=..., shape=..., strict=<optimized out>, vp=$jsval((JSObject *) 0x7ffff5700000 [object Number])) at js/src/vm/NativeObject.cpp:1957
#6  0x00000000008a756c in SetExistingProperty (strict=false, vp=$jsval((JSObject *) 0x7ffff5700000 [object Number]), shape=0x7ffff5671380, pobj=(js::NativeObject * const) 0x7ffff565a060 [object global] delegate, id=$jsid("x"), receiver=(JSObject * const) 0x7ffff565a060 [object global] delegate, obj=..., cx=0x16e6ca0) at js/src/vm/NativeObject.cpp:2035
#7  js::NativeSetProperty (cx=0x16e6ca0, obj=(js::NativeObject * const) 0x7ffff565a060 [object global] delegate, receiver=(JSObject * const) 0x7ffff565a060 [object global] delegate, id=$jsid("x"), qualified=js::Unqualified, vp=$jsval((JSObject *) 0x7ffff5700000 [object Number]), strict=false) at js/src/vm/NativeObject.cpp:2081
#8  0x00000000005f5472 in js::SetNameOperation (cx=0x16e6ca0, script=<optimized out>, pc=<optimized out>, scope=(JSObject * const) 0x7ffff565a060 [object global] delegate, val=...) at js/src/vm/Interpreter-inl.h:327
#9  0x00000000005e6db6 in js::jit::DoSetPropFallback (cx=0x16e6ca0, frame=0x7fffffffd328, stub_=0x1710be0, lhs=$jsval((JSObject *) 0x7ffff565a060 [object global] delegate), rhs=$jsval((JSObject *) 0x7ffff5700000 [object Number]), res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:8124
#10 0x00007ffff55b59ea in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x7fff00000000	140733193388032
rbx	0xfffc7fff00000001	-985166713454591
rcx	0x146	326
rdx	0x7ffff5671380	140737310561152
rsi	0x16e6ca0	24013984
rdi	0x16fe4f0	24110320
rbp	0x7fff00000001	140733193388033
rsp	0x7fffffffcaf0	140737488341744
r8	0x16fdb40	24107840
r9	0x7fffffffce20	140737488342560
r10	0x17d3770	24983408
r11	0x7ffff566afd9	140737310535641
r12	0x16e6ca0	24013984
r13	0x7ffff5671380	140737310561152
r14	0x16fe4f0	24110320
r15	0x1	1
rip	0x8b0f2a <js::BarrieredBase<JS::Value>::pre()+74>
=> 0x8b0f2a <js::BarrieredBase<JS::Value>::pre()+74>:	mov    0xffff8(%rax),%rax
   0x8b0f31 <js::BarrieredBase<JS::Value>::pre()+81>:	cmpb   $0x0,(%rax)

Marking s-s and sec-critical due to GC-related crash with an unsafe address and the assertion likely indicating a memory corruption.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5cec093aeadc
user:        Brian Hackett
date:        Wed Jan 14 08:00:28 2015 -0700
summary:     Bug 1116017 - Don't scan all type sets in compartments on type mutations, r=jandem.

This iteration took 254.980 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a6f037b538ed).
Should we close this? Is there more to do here?
Flags: needinfo?(choller)
Given that stack, I rather doubt the underlying issue here was intentionally fixed.  This still should be diagnosed.
Group: javascript-core-security
Brian, can you take a look at this?
Flags: needinfo?(bhackett1024)
This is probably a duplicate of bug 1124651, given the __proto__ mutation and GC timing.  Is there a blame cset for the fix?
Flags: needinfo?(bhackett1024)
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f8d8f84fc7bf
user:        Brian Hackett
date:        Mon Jan 26 08:17:45 2015 -0700
summary:     Bug 1124651 - Make sure type sets with unknown-properties objects are marked as unknown if those objects are swept, r=jandem.

This iteration took 254.234 seconds to run.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security
Group: javascript-core-security