Bug 1236600 - Assertion failure: [barrier verifier] Unmarked edge: reference-val, at js/src/gc/Verifier.cpp:301 with TypedObject
Opened 7 years ago, closed 6 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
| Release | Tracking | Status |
|---|---|---|
| firefox45 | --- | unaffected |
| firefox46 | --- | verified |
| firefox-esr38 | --- | unaffected |
People
(Reporter: decoder, Assigned: efaust)
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments (1 file): patch "Fix", 5.71 KB, jandem: review+
Description (Reporter: decoder)

The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

```js
try { gczeal(4) } catch (exc) {}
var T = TypedObject;
var ValueStruct = new T.StructType({ f: T.Any })
var v = new ValueStruct;
new class get extends Number {};
function writeValue(o, v) o.f = v
for (var i = 0; i < 5; i++)
  writeValue(v, {}, "helo")
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000c17e7b in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:302
#0  0x0000000000c17e7b in AssertMarkedOrAllocated (edge=...) at js/src/gc/Verifier.cpp:302
#1  js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695d410) at js/src/gc/Verifier.cpp:349
#2  0x0000000000c2ef08 in maybeVerifyPreBarriers (always=true, this=0x7ffff695d410) at js/src/gc/Verifier.cpp:394
#3  js::gc::MaybeVerifyBarriers (cx=cx@entry=0x7ffff6907800, always=always@entry=true) at js/src/gc/Verifier.cpp:404
#4  0x0000000000a8c927 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:3973
[...]
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6885
rax	0x0	0
rbx	0x7fffef150070	140737204519024
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffcd70	140737488342384
rsp	0x7fffffffc890	140737488341136
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7ffff6f76be0	140737336798176
r11	0x0	0
r12	0x2	2
r13	0x7fffffffc940	140737488341312
r14	0x7ffff7e652e0	140737352454880
r15	0x7fffef150030	140737204518960
rip	0xc17e7b	<js::gc::GCRuntime::endVerifyPreBarriers()+875>
=> 0xc17e7b <js::gc::GCRuntime::endVerifyPreBarriers()+875>:	movl   $0x12e,0x0
   0xc17e86 <js::gc::GCRuntime::endVerifyPreBarriers()+886>:	callq  0x4a4a90 <abort()>
```

Marking s-s until triaged because GC is involved.
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 6 years ago

JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151009120049" and the hash "2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3".
The "bad" changeset has the timestamp "20151009120613" and the hash "250cd0bf3ce07627f08057cc7a38bc2d67174f9f".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2c91f257f53d9c2d1e0df1578ccc0fcf9c740bf3&tochange=250cd0bf3ce07627f08057cc7a38bc2d67174f9f
Eric, is bug 1105463 a likely regressor?
Blocks: 1105463
Flags: needinfo?(efaustbmo)
Comment 3 • 6 years ago
Nope! Default constructors had nothing to do with this one, other than letting the testcase compile. The class here only hits the best case between disabling the jits, and doing a few allocations, which allows us to find this lack of prebarrier in TypedObjects. We were firing a pre-barrier on a different address than we stored to.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8707153 -
Flags: review?(jdemooij)
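Comment 3 names the root cause: the pre-barrier fired on a different address than the one stored to, which is exactly what the barrier verifier in the assertion is built to catch. The following toy model is an added illustration, constructed here and not Mozilla code: a snapshot-based pre-barrier verifier with a correct store beside one that barriers a neighbouring slot; all names (Obj, Heap, run_verifier) are made up.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy model of an incremental-GC pre-barrier verifier; not Mozilla code. */
enum { NOBJ = 4, NSLOT = 2 };
typedef struct Obj { struct Obj *slot[NSLOT]; bool marked; } Obj;
typedef struct {
    Obj heap[NOBJ];
    Obj *snapshot[NOBJ][NSLOT]; /* edge targets recorded when verification starts */
} Heap;

/* Pre-write barrier: mark the value a slot currently holds before it is overwritten. */
static void pre_barrier(Obj **slot) { if (*slot) (*slot)->marked = true; }
/* Like startVerifyPreBarriers: snapshot every edge and clear all marks. */
static void start_verify(Heap *h) {
    for (int i = 0; i < NOBJ; i++) {
        h->heap[i].marked = false;
        for (int j = 0; j < NSLOT; j++) h->snapshot[i][j] = h->heap[i].slot[j];
    }
}
/* Like endVerifyPreBarriers: a snapshotted edge that changed must have had its old
 * target marked by the barrier; anything else is an "Unmarked edge". Returns the count. */
static int end_verify(const Heap *h) {
    int unmarked = 0;
    for (int i = 0; i < NOBJ; i++)
        for (int j = 0; j < NSLOT; j++) {
            Obj *old = h->snapshot[i][j];
            if (old && h->heap[i].slot[j] != old && !old->marked) unmarked++;
        }
    return unmarked;
}
/* Correct store: the barrier covers the slot that is actually written. */
static void store_ok(Obj *o, int idx, Obj *v) { pre_barrier(&o->slot[idx]); o->slot[idx] = v; }
/* Store modelling the bug: the barrier fires on a neighbouring slot, not the one stored to. */
static void store_buggy(Obj *o, int idx, Obj *v) {
    pre_barrier(&o->slot[(idx + 1) % NSLOT]); o->slot[idx] = v;
}
/* Build the edge heap[0].slot[0] -> heap[1], start verifying, overwrite it, then check. */
int run_verifier(bool buggy) {
    Heap h; memset(&h, 0, sizeof h);
    h.heap[0].slot[0] = &h.heap[1];
    start_verify(&h);
    if (buggy) store_buggy(&h.heap[0], 0, &h.heap[2]); else store_ok(&h.heap[0], 0, &h.heap[2]);
    return end_verify(&h);
}
int main(void) {
    printf("correct: %d, misplaced: %d unmarked edges\n", run_verifier(false), run_verifier(true));
    return 0;
}
```

With the barrier on the right slot the old target is marked and the verifier is silent; with the barrier on the wrong address the overwritten edge's old target is never marked, which is the "Unmarked edge" condition the real verifier asserts on.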
Comment 4 • 6 years ago

Comment on attachment 8707153 [details] [diff] [review]
Fix

Review of attachment 8707153 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this.
Attachment #8707153 -
Flags: review?(jdemooij) → review+
Comment 5 • 6 years ago
Landed; Nightly-only. https://hg.mozilla.org/integration/mozilla-inbound/rev/1c1727de5b6f
Updated•6 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6 • 6 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7104d650a97d).
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Wait, actually this was resolved when the fix landed: http://hg.mozilla.org/mozilla-central/rev/1c1727de5b6f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:update]
Updated•6 years ago
|
Status: RESOLVED → VERIFIED
Comment 8 • 6 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•6 years ago
|
Group: javascript-core-security → core-security-release
Updated•6 years ago
|
Group: core-security-release
status-firefox45:
--- → unaffected
status-firefox-esr38:
--- → unaffected