Closed
Bug 1236600
Opened 9 years ago
Closed 9 years ago
Assertion failure: [barrier verifier] Unmarked edge: reference-val, at js/src/gc/Verifier.cpp:301 with TypedObject
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
| Tracking | Status | |
|---|---|---|
| firefox45 | --- | unaffected |
| firefox46 | --- | verified |
| firefox-esr38 | --- | unaffected |
People
(Reporter: decoder, Assigned: efaust)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
Fix (patch, 5.71 KB): jandem: review+
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
```js
try {
  gczeal(4)
} catch (exc) {}
var T = TypedObject;
var ValueStruct = new T.StructType({
  f: T.Any
})
var v = new ValueStruct;
new class get extends Number {};
function writeValue(o, v)
  o.f = v
for (var i = 0; i < 5; i++)
  writeValue(v, {}, "helo")
```
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000c17e7b in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:302
#0 0x0000000000c17e7b in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:302
#1 js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695d410) at js/src/gc/Verifier.cpp:349
#2 0x0000000000c2ef08 in maybeVerifyPreBarriers (always=true, this=0x7ffff695d410) at js/src/gc/Verifier.cpp:394
#3 js::gc::MaybeVerifyBarriers (cx=cx@entry=0x7ffff6907800, always=always@entry=true) at js/src/gc/Verifier.cpp:404
#4 0x0000000000a8c927 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:3973
[...]
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6885
rax 0x0 0
rbx 0x7fffef150070 140737204519024
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffcd70 140737488342384
rsp 0x7fffffffc890 140737488341136
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7ffff6f76be0 140737336798176
r11 0x0 0
r12 0x2 2
r13 0x7fffffffc940 140737488341312
r14 0x7ffff7e652e0 140737352454880
r15 0x7fffef150030 140737204518960
rip 0xc17e7b <js::gc::GCRuntime::endVerifyPreBarriers()+875>
=> 0xc17e7b <js::gc::GCRuntime::endVerifyPreBarriers()+875>: movl $0x12e,0x0
0xc17e86 <js::gc::GCRuntime::endVerifyPreBarriers()+886>: callq 0x4a4a90 <abort()>
Marking s-s until triaged because GC is involved.
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151009120049" and the hash "2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3".
The "bad" changeset has the timestamp "20151009120613" and the hash "250cd0bf3ce07627f08057cc7a38bc2d67174f9f".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3&tochange=250cd0bf3ce07627f08057cc7a38bc2d67174f9f
Eric, is bug 1105463 a likely regressor?
Blocks: 1105463
Flags: needinfo?(efaustbmo)
Comment 3•9 years ago (Assignee)
Nope! Default constructors had nothing to do with this one, other than letting the testcase compile.
The class here only hits the best case between disabling the jits, and doing a few allocations, which allows us to find this lack of prebarrier in TypedObjects.
We were firing a pre-barrier on a different address than we stored to.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8707153 -
Flags: review?(jdemooij)
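To make the root cause in comment 3 concrete, here is a small C model of a snapshot-at-the-beginning pre-write barrier and the verifier that catches a missing one. It is an added illustration written for this bug page, not SpiderMonkey code: the types (`Obj`, `Edge`), the two-slot object layout and the function names are invented, and the "wrong address" defect is modelled as firing the barrier on a neighbouring slot of the same object.

```c
/* Toy model of an incremental-GC pre-write barrier and its verifier.
 * Added illustration for this bug; not SpiderMonkey code. All names here
 * (Obj, Edge, store_ref, start_verify, end_verify, ...) are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_EDGES 16

typedef struct Obj {
    const char *name;
    bool marked;           /* set by the pre-barrier (or by the marker) */
    struct Obj *slots[2];  /* outgoing references held by this object */
} Obj;

/* An edge recorded when verification starts: which slot held which target. */
typedef struct { Obj **slot; Obj *target; } Edge;

static Edge snapshot[MAX_EDGES];
static size_t nsnapshot;
static bool verifying;

/* Pre-barrier: before a reference slot is overwritten, mark the object it
 * currently points to, so the collector's snapshot-at-the-beginning
 * invariant (everything reachable when marking began gets marked) holds. */
static void pre_barrier(Obj **slot) {
    if (verifying && *slot)
        (*slot)->marked = true;
}

/* Correct store: the barrier and the store use the same address. */
static void store_ref(Obj **slot, Obj *value) {
    pre_barrier(slot);
    *slot = value;
}

/* Defective store modelling this bug: the barrier is fired on a different
 * address than the one written, so the overwritten target is never marked. */
static void store_ref_wrong_barrier(Obj **barrier_slot, Obj **slot, Obj *value) {
    pre_barrier(barrier_slot);
    *slot = value;
}

/* Begin verification: clear marks and snapshot every outgoing edge. */
static void start_verify(Obj *objs, size_t n) {
    nsnapshot = 0;
    for (size_t i = 0; i < n; i++) {
        objs[i].marked = false;
        for (size_t s = 0; s < 2; s++) {
            if (objs[i].slots[s] && nsnapshot < MAX_EDGES) {
                snapshot[nsnapshot].slot = &objs[i].slots[s];
                snapshot[nsnapshot].target = objs[i].slots[s];
                nsnapshot++;
            }
        }
    }
    verifying = true;
}

/* End verification: every snapshotted edge whose slot changed must have had
 * its old target marked by a pre-barrier. Returns the number of violations;
 * the real verifier asserts on the first one ("Unmarked edge"). */
static int end_verify(void) {
    int unmarked = 0;
    for (size_t i = 0; i < nsnapshot; i++) {
        Edge *e = &snapshot[i];
        if (*e->slot != e->target && !e->target->marked) {
            printf("Unmarked edge: slot %p lost reference to %s without a pre-barrier\n",
                   (void *)e->slot, e->target->name);
            unmarked++;
        }
    }
    verifying = false;
    return unmarked;
}

/* Scenario: holder.slots[0] points to `old`; overwrite it with `fresh`
 * while the verifier is active, using either the correct or the
 * mismatched barrier. Returns the verifier's violation count. */
static int run_scenario(bool use_wrong_barrier) {
    Obj objs[3] = {
        { "holder", false, { NULL, NULL } },
        { "old",    false, { NULL, NULL } },
        { "fresh",  false, { NULL, NULL } },
    };
    objs[0].slots[0] = &objs[1];
    start_verify(objs, 3);
    if (use_wrong_barrier)
        store_ref_wrong_barrier(&objs[0].slots[1], &objs[0].slots[0], &objs[2]);
    else
        store_ref(&objs[0].slots[0], &objs[2]);
    return end_verify();
}

int main(void) {
    printf("correct barrier: %d unmarked edge(s)\n", run_scenario(false));
    printf("mismatched barrier: %d unmarked edge(s)\n", run_scenario(true));
    return 0;
}
```

The correct path reports no violations; the mismatched path reports one, because the slot that actually changed was never barriered and its old target stays unmarked. That is the same class of check the `[barrier verifier]` assertion in this bug's title performs, which is why a fuzzer running under gczeal can surface a missing TypedObject pre-barrier that would otherwise only show up as a rare use-after-free under incremental GC.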
Comment 4•9 years ago
Comment on attachment 8707153 [details] [diff] [review]
Fix
Review of attachment 8707153 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for fixing this.
Attachment #8707153 -
Flags: review?(jdemooij) → review+
Comment 5•9 years ago (Assignee)
Landed; Nightly-only.
https://hg.mozilla.org/integration/mozilla-inbound/rev/1c1727de5b6f
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7104d650a97d).
Updated•9 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Wait, actually this was resolved when the fix landed:
http://hg.mozilla.org/mozilla-central/rev/1c1727de5b6f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:update]
Updated•9 years ago
Status: RESOLVED → VERIFIED
Comment 8•9 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
Group: javascript-core-security → core-security-release
Updated•9 years ago
Group: core-security-release
status-firefox45: --- → unaffected
status-firefox-esr38: --- → unaffected