Closed Bug 1236638 Opened 10 years ago Closed 10 years ago

Assertion failure: [barrier verifier] Unmarked edge: atom, at js/src/gc/Verifier.cpp:301

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla46
Tracking Status
firefox46 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0771c5eab32f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --no-baseline --gc-zeal=4):

x

Backtrace:

0 js-dbg-64-dm-darwin-0771c5eab32f 0x000000010095068d js::gc::GCRuntime::endVerifyPreBarriers() + 1213 (Verifier.cpp:302)
1 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100950885 js::gc::MaybeVerifyBarriers(JSContext*, bool) + 85 (Verifier.cpp:397)
2 js-dbg-64-dm-darwin-0771c5eab32f 0x00000001007471c0 Interpret(JSContext*, js::RunState&) + 58752 (Interpreter.cpp:3040)
3 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100738bbc js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:407)
4 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100751327 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 583 (Interpreter.cpp:666)
5 js-dbg-64-dm-darwin-0771c5eab32f 0x000000010075170f js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 495 (RootingAPI.h:719)
6 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100532551 Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) + 657 (jsapi.cpp:4434)
7 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100532154 JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char const*, unsigned long, JS::MutableHandle<JS::Value>) + 420 (jsapi.cpp:4489)
8 js-dbg-64-dm-darwin-0771c5eab32f 0x00000001007d8d1a JSRuntime::initSelfHosting(JSContext*) + 650 (SelfHosting.cpp:1828)
9 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100524aee js::NewContext(JSRuntime*, unsigned long) + 1134 (jscntxt.cpp:122)
10 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100006fe5 NewContext(JSRuntime*) + 21 (js.cpp:5988)
11 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100003f79 main + 8201 (js.cpp:6864)
12 js-dbg-64-dm-darwin-0771c5eab32f 0x0000000100001374 start + 52

This also affects opt builds.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ef6a8586cb4d
parent: 278250:d7a0ad85d9fb
user: Tooru Fujisawa
date: Mon Jan 04 06:59:52 2016 +0900
summary: Bug 1235656 - Part 1: Set canonical name in self-hosted builtins. r=till

Arai-san, is bug 1235656 a likely regressor?

Setting this as [fuzzblocker] because this is affecting --gc-zeal=4 builds severely. Also setting needinfo? from Terrence in case it is late at night for :arai.
Blocks: 1235656
Flags: needinfo?(terrence)
Flags: needinfo?(arai.unmht)
yes, it's likely. the unmarked edge is for a JSAtom "ArrayValues", from JSFunction "function ArrayValues" defined in Array.js, but its atom_ member is already changed to "values" atom by _SetCanonicalName.

> static bool
> intrinsic_SetCanonicalName(JSContext* cx, unsigned argc, Value* vp)
> {
>     CallArgs args = CallArgsFromVp(argc, vp);
>     MOZ_ASSERT(args.length() == 2);
>
>     RootedFunction fun(cx, &args[0].toObject().as<JSFunction>());
>     MOZ_ASSERT(fun->isSelfHostedBuiltin());
>     RootedAtom atom(cx, AtomizeString(cx, args[1].toString()));
>     if (!atom)
>         return false;
>
>     fun->initAtom(atom);
> #ifdef DEBUG
>     fun->setExtendedSlot(HAS_SELFHOSTED_CANONICAL_NAME_SLOT, BooleanValue(true));
> #endif
>     args.rval().setUndefined();
>     return true;
> }

maybe I should use another way than fun->initAtom() for changing the function's name to reflect it to the edge?
Yes, that is correct. Using ::init on an edge that has already been initialized causes us to miss the pre-barrier; hence the assertion about a missing barrier. We should add fun->setAtom(atom) for this case, as we discussed on IRC.
Flags: needinfo?(terrence)
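The barrier point made in the two comments above, as an added example that is not SpiderMonkey's code: a toy model of the pre-barrier verifier (Atom, Function, Verifier, initAtom, setAtom and renameDuringVerify are assumed stand-ins for the JSAtom/JSFunction API) showing why re-using init on an already-initialized edge during verification reports an unmarked edge, while a setter that fires the pre-barrier does not.

```cpp
// Added example, not SpiderMonkey code: toy model of the pre-barrier verifier.
// Atom/Function/Verifier are hypothetical stand-ins for JSAtom/JSFunction.
#include <set>
#include <string>
#include <utility>
#include <vector>
struct Atom { std::string chars; };
struct Function;

// At start the verifier snapshots every function's atom edge. At the end an
// edge still pointing at its snapshotted target is fine; an overwritten edge
// is an "unmarked edge" unless the pre-barrier marked the old target first.
struct Verifier {
    std::vector<std::pair<const Function*, const Atom*>> snapshot;
    std::set<const Atom*> marked;   // atoms marked by the pre-barrier
    bool active = false;
    void start(const std::vector<const Function*>& funs);
    void preBarrier(const Atom* old) { if (active && old) marked.insert(old); }
    int unmarkedEdges() const;      // number of verifier failures
};

struct Function {
    const Atom* atom = nullptr;
    // initAtom: plain store meant for a fresh (null) edge; no barrier.
    void initAtom(const Atom* a) { atom = a; }
    // setAtom: the fix; barrier the old target before overwriting the edge.
    void setAtom(Verifier& v, const Atom* a) { v.preBarrier(atom); atom = a; }
};

void Verifier::start(const std::vector<const Function*>& funs) {
    for (const Function* f : funs) snapshot.push_back({f, f->atom});
    active = true;
}

int Verifier::unmarkedEdges() const {
    int bad = 0;
    for (const auto& e : snapshot)
        if (e.second && e.first->atom != e.second && !marked.count(e.second)) ++bad;
    return bad;
}

// Rename a function while the verifier is active, as _SetCanonicalName does,
// using either the buggy (initAtom) or the fixed (setAtom) path.
int renameDuringVerify(bool useSetAtom) {
    Atom arrayValues{"ArrayValues"}, values{"values"};
    Function fun; fun.initAtom(&arrayValues);   // fresh edge: init is fine here
    Verifier v; v.start({&fun});
    if (useSetAtom) fun.setAtom(v, &values); else fun.initAtom(&values);
    return v.unmarkedEdges();   // 1 with initAtom, 0 with setAtom
}
```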
Thanks :) Added it.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #8703798 - Flags: review?(terrence)
Comment on attachment 8703798 [details] [diff] [review]
Add JSFunction::setAtom and use it in _SetCanonicalName intrinsic to fire the pre-barrier.

Review of attachment 8703798 [details] [diff] [review]:
-----------------------------------------------------------------

Looks great!
Attachment #8703798 - Flags: review?(terrence) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/b7a6c1d777960ae976c19fd9b4612758149b0065
Bug 1236638 - Add JSFunction::setAtom and use it in _SetCanonicalName intrinsic to fire the pre-barrier. r=terrence
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46