Closed Bug 1359252 Opened 7 years ago Closed 7 years ago

Assertion failure: [barrier verifier] Unmarked edge: Object 0x7ffff46d1070 'obj' edge to Object 0x7ffff46f4070, at js/src/gc/Verifier.cpp:379

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla55
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 + verified

People

(Reporter: decoder, Assigned: jonco)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e17cbb839dd2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):

gczeal(4);
setJitCompilerOption("ion.warmup.trigger", 20);
function h() {
    for ([a, b] in { z: 9 }) {}
}
function g(f) {
    for (var j = 0; j < 999; - j)
        f(0 / 0);
}
g(h);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000e28b93 in js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695e6f8) at js/src/gc/Verifier.cpp:380
#0  0x0000000000e28b93 in js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695e6f8) at js/src/gc/Verifier.cpp:380
#1  0x0000000000e2bef4 in js::gc::GCRuntime::maybeVerifyPreBarriers (this=0x7ffff695e6f8, always=<optimized out>) at js/src/gc/Verifier.cpp:426
#2  0x000000000052ca03 in Interpret (cx=0x7ffff694c000, state=...) at js/src/vm/Interpreter.cpp:1803
#3  0x000000000053b3d2 in js::RunScript (cx=0x7ffff694c000, state=...) at js/src/vm/Interpreter.cpp:410
#4  0x000000000053b957 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694c000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#5  0x000000000053bc38 in InternalCall (cx=cx@entry=0x7ffff694c000, args=...) at js/src/vm/Interpreter.cpp:515
#6  0x000000000053bd6d in js::Call (cx=cx@entry=0x7ffff694c000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#7  0x00000000008429a5 in js::jit::InvokeFunction (cx=0x7ffff694c000, obj=..., constructing=<optimized out>, ignoresReturnValue=<optimized out>, argc=0, argv=0x7fffffffbca0, rval=...) at js/src/jit/VMFunctions.cpp:114
#8  0x0000062fcf5ea07c in ?? ()
[...]
#17 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffad70	140737488334192
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb1b0	140737488335280
rsp	0x7fffffffac60	140737488333920
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x0	0
r11	0x0	0
r12	0x7ffff46d1070	140737294176368
r13	0x10f01f3	17760755
r14	0x7fffeff4d7f8	140737219188728
r15	0x7ffff46f4070	140737294319728
rip	0xe28b93 <js::gc::GCRuntime::endVerifyPreBarriers()+1395>
=> 0xe28b93 <js::gc::GCRuntime::endVerifyPreBarriers()+1395>:	movl   $0x0,0x0
   0xe28b9e <js::gc::GCRuntime::endVerifyPreBarriers()+1406>:	ud2    

Marking s-s due to GC being involved.
Jon, can you please take a look at this?
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
The write to NativeIterator::obj in CodeGenerator::visitIteratorStartO needs a pre-write barrier as well.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8861865 - Flags: review?(jdemooij)
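The diagnosis above, a raw store into a GC pointer field with no pre-write barrier, is exactly what the pre-barrier verifier named in the assertion exists to catch. As an added illustration that is not from this bug or from SpiderMonkey's Verifier.cpp, the constructed C model below snapshots every edge, performs one barriered and one unbarriered overwrite, and reports the "Unmarked edge" the real verifier asserts on; every name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed toy model of a snapshot-at-the-beginning pre-barrier verifier
 * (not SpiderMonkey's Verifier.cpp); it mirrors only the check that asserts. */
#define MAX_OBJS 4
typedef struct Obj { int id; struct Obj *edge; bool marked; } Obj;
static Obj heap[MAX_OBJS];
static Obj *snapshot[MAX_OBJS]; /* each object's edge target when verification began */
static bool verifying;

/* Pre-write barrier: mark the OLD target before the edge is overwritten, so an
 * incremental GC that already scanned the owner cannot lose that target. */
static void pre_barrier(Obj *old_target) {
    if (verifying && old_target) old_target->marked = true;
}
static void barriered_write(Obj *owner, Obj *new_target) {
    pre_barrier(owner->edge);
    owner->edge = new_target;
}
/* The raw store the bug describes: the field is updated with no barrier. */
static void unbarriered_write(Obj *owner, Obj *new_target) {
    owner->edge = new_target;
}

static void start_verify(void) {
    for (int i = 0; i < MAX_OBJS; i++) { snapshot[i] = heap[i].edge; heap[i].marked = false; }
    verifying = true;
}
/* Every snapshotted edge that has since changed must have had its old target
 * marked by the barrier. Returns how many were not (the real verifier asserts). */
static int end_verify(void) {
    int unmarked = 0;
    for (int i = 0; i < MAX_OBJS; i++) {
        Obj *old = snapshot[i];
        if (old && heap[i].edge != old && !old->marked) {
            printf("Unmarked edge: Object %d 'edge' to Object %d\n", heap[i].id, old->id);
            unmarked++;
        }
    }
    verifying = false;
    return unmarked;
}

/* Edge 0->1 exists at snapshot time and is then redirected to object 2. */
static int scenario(bool use_barrier) {
    for (int i = 0; i < MAX_OBJS; i++) heap[i] = (Obj){ i, NULL, false };
    heap[0].edge = &heap[1];
    start_verify();
    (use_barrier ? barriered_write : unbarriered_write)(&heap[0], &heap[2]);
    return end_verify(); /* 0 with the barrier, 1 without */
}
```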
Jon, are 53/54 also affected?
Flags: needinfo?(jcoppeard)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #3)
No, this was caused by my patch in bug 867815 which landed on 55.
Blocks: 867815
Flags: needinfo?(jcoppeard)
[Tracking Requested - why for this release]:
We can track this for 55. But we would already catch this in sec-high triage and platform triage, in theory.
Comment on attachment 8861865 [details] [diff] [review]
bug1359252-iterator-barrier

Review of attachment 8861865 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, I should have noticed this when I reviewed the patch. Bug 1358599 will change this code so you might want to land first.
Attachment #8861865 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/a2aeaae655d7
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: javascript-core-security → core-security-release
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release
Keywords: bugmon