Closed Bug 1236638 Opened 7 years ago Closed 7 years ago

Assertion failure: [barrier verifier] Unmarked edge: atom, at js/src/gc/Verifier.cpp:301

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 macOS
Type: defect, Priority: Not set, Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status: firefox46 --- fixed
People: Reporter: gkw, Assigned: arai
Whiteboard: [fuzzblocker][jsbugmon:update] (4 keywords)
Attachments: 1 file

The following testcase crashes on mozilla-central revision 0771c5eab32f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --no-baseline --gc-zeal=4):

x

Backtrace:

0   js-dbg-64-dm-darwin-0771c5eab32f	0x000000010095068d js::gc::GCRuntime::endVerifyPreBarriers() + 1213 (Verifier.cpp:302)
1   js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100950885 js::gc::MaybeVerifyBarriers(JSContext*, bool) + 85 (Verifier.cpp:397)
2   js-dbg-64-dm-darwin-0771c5eab32f	0x00000001007471c0 Interpret(JSContext*, js::RunState&) + 58752 (Interpreter.cpp:3040)
3   js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100738bbc js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:407)
4   js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100751327 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 583 (Interpreter.cpp:666)
5   js-dbg-64-dm-darwin-0771c5eab32f	0x000000010075170f js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 495 (RootingAPI.h:719)
6   js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100532551 Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) + 657 (jsapi.cpp:4434)
7   js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100532154 JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char const*, unsigned long, JS::MutableHandle<JS::Value>) + 420 (jsapi.cpp:4489)
8   js-dbg-64-dm-darwin-0771c5eab32f	0x00000001007d8d1a JSRuntime::initSelfHosting(JSContext*) + 650 (SelfHosting.cpp:1828)
9   js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100524aee js::NewContext(JSRuntime*, unsigned long) + 1134 (jscntxt.cpp:122)
10  js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100006fe5 NewContext(JSRuntime*) + 21 (js.cpp:5988)
11  js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100003f79 main + 8201 (js.cpp:6864)
12  js-dbg-64-dm-darwin-0771c5eab32f	0x0000000100001374 start + 52

This also affects opt builds.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ef6a8586cb4d
parent:      278250:d7a0ad85d9fb
user:        Tooru Fujisawa
date:        Mon Jan 04 06:59:52 2016 +0900
summary:     Bug 1235656 - Part 1: Set canonical name in self-hosted builtins. r=till

Arai-san, is bug 1235656 a likely regressor?

Setting this as [fuzzblocker] because this is affecting --gc-zeal=4 builds severely.

Also setting needinfo? from Terrence in case it is late at night for :arai.
Blocks: 1235656
Flags: needinfo?(terrence)
Flags: needinfo?(arai.unmht)
yes, it's likely.

the unmarked edge is for a JSAtom "ArrayValues", from JSFunction "function ArrayValues" defined in Array.js, but its atom_ member has already been changed to the "values" atom by _SetCanonicalName.

> static bool
> intrinsic_SetCanonicalName(JSContext* cx, unsigned argc, Value* vp)
> {
>     CallArgs args = CallArgsFromVp(argc, vp);
>     MOZ_ASSERT(args.length() == 2);
> 
>     RootedFunction fun(cx, &args[0].toObject().as<JSFunction>());
>     MOZ_ASSERT(fun->isSelfHostedBuiltin());
>     RootedAtom atom(cx, AtomizeString(cx, args[1].toString()));
>     if (!atom)
>         return false;
> 
>     fun->initAtom(atom);
> #ifdef DEBUG
>     fun->setExtendedSlot(HAS_SELFHOSTED_CANONICAL_NAME_SLOT, BooleanValue(true));
> #endif
>     args.rval().setUndefined();
>     return true;
> }

maybe I should use another way than fun->initAtom() for changing the function's name, so that the change is reflected on the edge?
Yes, that is correct. Using ::init on an edge that has already been initialized causes us to miss the pre-barrier; hence the assertion about a missing barrier. We should add fun->setAtom(atom) for this case, as we discussed on IRC.
Flags: needinfo?(terrence)
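The point Terrence makes above (re-initialising a live edge skips the pre-barrier, so the barrier verifier later finds the old target unmarked) in a constructed, stand-alone model; this is an added example, not SpiderMonkey's code, and every type in it (Cell, GC, AtomEdge, BarrierVerifier) is a simplification assumed for illustration:

```cpp
#include <string>
#include <vector>

// Constructed, simplified model of SpiderMonkey's pre-barrier and of the
// [barrier verifier]; every type here is an assumption, not engine code.
struct Cell { std::string name; bool marked = false; };   // e.g. a JSAtom
struct GC {
    bool needsIncrementalBarrier = false;   // true while incremental marking runs
    // Snapshot-at-the-beginning: the cell an edge used to point at must be
    // marked before the edge is overwritten, or a later slice may miss it.
    void preBarrier(Cell* old) { if (needsIncrementalBarrier && old) old->marked = true; }
};
struct AtomEdge {                  // stands in for JSFunction::atom_
    Cell* target = nullptr;
    // init(): only for a freshly allocated owner; no barrier (like initAtom).
    void init(Cell* v) { target = v; }
    // set(): for an edge that is already live; fires the pre-barrier first
    // (what the fix's JSFunction::setAtom does).
    void set(GC& gc, Cell* v) { gc.preBarrier(target); target = v; }
};
// Models VerifyPreBarriers: snapshot edges at start, then count edges whose
// old target was replaced without being marked ("Unmarked edge").
struct BarrierVerifier {
    struct Snap { AtomEdge* edge; Cell* old; };
    std::vector<Snap> snaps;
    void start(GC& gc, const std::vector<AtomEdge*>& edges) {
        for (AtomEdge* e : edges) snaps.push_back({e, e->target});
        gc.needsIncrementalBarrier = true;
    }
    int end(GC& gc) {                     // number of "Unmarked edge" failures
        int unmarked = 0;
        for (const Snap& s : snaps)
            if (s.edge->target != s.old && s.old && !s.old->marked) ++unmarked;
        gc.needsIncrementalBarrier = false;
        return unmarked;
    }
};
// Replays _SetCanonicalName: "function ArrayValues" is renamed to "values"
// while the verifier is active. Returns the verifier's failure count.
int setCanonicalName(bool useSetAtom) {
    GC gc; BarrierVerifier verifier;
    Cell fnAtom{"ArrayValues"}, canonical{"values"};
    AtomEdge atom;
    atom.init(&fnAtom);                  // self-hosted function is created
    verifier.start(gc, {&atom});         // --gc-zeal=4 starts verification
    if (useSetAtom) atom.set(gc, &canonical);   // fixed: pre-barrier fires
    else atom.init(&canonical);                 // buggy: barrier skipped
    return verifier.end(gc);             // 0 with the fix, 1 without
}
```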
Thanks :)
Added it.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #8703798 - Flags: review?(terrence)
Comment on attachment 8703798 [details] [diff] [review]
Add JSFunction::setAtom and use it in _SetCanonicalName intrinsic to fire the pre-barrier.

Review of attachment 8703798 [details] [diff] [review]:
-----------------------------------------------------------------

Looks great!
Attachment #8703798 - Flags: review?(terrence) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/b7a6c1d777960ae976c19fd9b4612758149b0065
Bug 1236638 - Add JSFunction::setAtom and use it in _SetCanonicalName intrinsic to fire the pre-barrier. r=terrence
https://hg.mozilla.org/mozilla-central/rev/b7a6c1d77796
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46