Closed Bug 1236600 Opened 7 years ago Closed 6 years ago

Assertion failure: [barrier verifier] Unmarked edge: reference-val, at js/src/gc/Verifier.cpp:301 with TypedObject

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox45 --- unaffected
firefox46 --- verified
firefox-esr38 --- unaffected

People

(Reporter: decoder, Assigned: efaust)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Fix
5.71 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

try {
    gczeal(4)
} catch (exc) {}
var T = TypedObject;
var ValueStruct = new T.StructType({
    f: T.Any
})
var v = new ValueStruct;
new class get extends Number {};
function writeValue(o, v)
  o.f = v
for (var i = 0; i < 5; i++)
  writeValue(v, {}, "helo")



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000c17e7b in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:302
#0  0x0000000000c17e7b in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:302
#1  js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695d410) at js/src/gc/Verifier.cpp:349
#2  0x0000000000c2ef08 in maybeVerifyPreBarriers (always=true, this=0x7ffff695d410) at js/src/gc/Verifier.cpp:394
#3  js::gc::MaybeVerifyBarriers (cx=cx@entry=0x7ffff6907800, always=always@entry=true) at js/src/gc/Verifier.cpp:404
#4  0x0000000000a8c927 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:3973
[...]
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6885
rax	0x0	0
rbx	0x7fffef150070	140737204519024
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffcd70	140737488342384
rsp	0x7fffffffc890	140737488341136
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7ffff6f76be0	140737336798176
r11	0x0	0
r12	0x2	2
r13	0x7fffffffc940	140737488341312
r14	0x7ffff7e652e0	140737352454880
r15	0x7fffef150030	140737204518960
rip	0xc17e7b <js::gc::GCRuntime::endVerifyPreBarriers()+875>
=> 0xc17e7b <js::gc::GCRuntime::endVerifyPreBarriers()+875>:	movl   $0x12e,0x0
   0xc17e86 <js::gc::GCRuntime::endVerifyPreBarriers()+886>:	callq  0x4a4a90 <abort()>


Marking s-s until triaged because GC is involved.
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151009120049" and the hash "2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3".
The "bad" changeset has the timestamp "20151009120613" and the hash "250cd0bf3ce07627f08057cc7a38bc2d67174f9f".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3&tochange=250cd0bf3ce07627f08057cc7a38bc2d67174f9f
Eric, is bug 1105463 a likely regressor?
Blocks: 1105463
Flags: needinfo?(efaustbmo)
Attached patch FixSplinter Review 
Nope! Default constructors had nothing to do with this one, other than letting the testcase compile.

The class here only hits the best case between disabling the jits, and doing a few allocations, which allows us to find this lack of prebarrier in TypedObjects.

We were firing a pre-barrier on a different address than we stored to.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8707153 - Flags: review?(jdemooij)
Comment on attachment 8707153 [details] [diff] [review]
Fix

Review of attachment 8707153 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this.
Attachment #8707153 - Flags: review?(jdemooij) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7104d650a97d).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Wait, actually this was resolved when the fix landed:

http://hg.mozilla.org/mozilla-central/rev/1c1727de5b6f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
status-firefox46: affectedverified
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release
status-firefox45: --- → unaffected
status-firefox-esr38: --- → unaffected
You need to log in before you can comment on or make changes to this bug.