1532289 - Assertion failure: [barrier verifier] Unmarked edge: Object 0x5d10d58d060 'object slot' edge to BigInt 0x5d10d5cc030, at js/src/gc/Verifier.cpp:382

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 06f0c5e35c3a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-warmup-threshold=0):

gczeal(4,10);
function func2() {
each = BigInt(-1);
  for (; each.prop1 ;) {}
}
var ary = [1];
lfSomeObj = minorgc;
lfSomeFunc = deserialize;
uic8 = new Proxy(lfSomeObj, { set: lfSomeFunc });
while (ary[uic8[1] >= 0 ? uic8[1] : 0]) {
  func2();
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff5f1c6b8) at js/src/gc/Verifier.cpp:383
#1  0x0000555556065be6 in js::gc::GCRuntime::maybeVerifyPreBarriers (this=0x7ffff5f1c6b8, always=<optimized out>) at js/src/gc/Verifier.cpp:428
#2  0x00005555558e3d7d in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3316
#3  0x00005555558ebb06 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
[...]
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10966
rax	0x555557c3d280	93825033032320
rbx	0x7fffffffc3e0	140737488339936
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x555556ac2050	93825014702160
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc820	140737488341024
rsp	0x7fffffffc310	140737488339728
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x0	0
r11	0x0	0
r12	0x5d10d58d060	6395430228064
r13	0x555556ac75da	93825014724058
r14	0x7ffff164aac8	140737243294408
r15	0x5d10d5cc030	6395430486064
rip	0x555556060184 <js::gc::GCRuntime::endVerifyPreBarriers()+1556>
=> 0x555556060184 <js::gc::GCRuntime::endVerifyPreBarriers()+1556>:	movl   $0x0,0x0
   0x55555606018f <js::gc::GCRuntime::endVerifyPreBarriers()+1567>:	ud2

Marking s-s because this involves GC.

Comment 1

[Jan de Mooij [:jandem]]

CC'ing BigInt gurus :)

Comment 2

[Andy Wingo [:wingo]]

thanks, am poking :)

This case seems to trigger it just as well:

gczeal(4,10);
function func2() {
each = BigInt(-1);
  for (; each.prop1 ;) {}
}

while (1) { func2() }

Comment 3

[Andy Wingo [:wingo]]

FWIW reverting https://hg.mozilla.org/integration/autoland/rev/9527be2c6bcf does not fix the problem.

Comment 4

[Andy Wingo [:wingo]]

Doesn't seem to happen without Ion. With Ion, seems it needs either offthread compilation enabled, or --ion-offthread-compile=off --ion-warmup-threshold=0. Could we be failing to emit a barrier in Ion? The investigation continues.

Comment 5

[Jan de Mooij [:jandem]]

Wild guess: https://searchfox.org/mozilla-central/rev/92d11a33250a8e368c8ca3e962e15ca67117f765/js/src/vm/TypeInference.cpp#1854-1855

Comment 6

[Andy Wingo [:wingo]]

FWIW, the test I am working with:

gczeal(4,10);
var x;
var y = true;
function func2() {
  x = BigInt(-1);
  while (!y);
}

while (1) { func2() }

@jandem indeed that seems to be the problem, adding bigint there fixes the issue. Still working on a reliable test though.

Comment 7

[Andy Wingo [:wingo]]

Attachment: Bug 1532289 - Fix missing pre-write barrier for BigInt values in Ion

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

This landed and had to be backed out.

Landed: https://hg.mozilla.org/integration/autoland/rev/19047d153c2f5ddf5184def2be0745d2f1d936a8

Backed out for failing its own test: https://hg.mozilla.org/integration/autoland/rev/ed1aa72d1ba31a43c8961272c8253a0cde4ede92

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=retry%2Cusercancel%2Ctestfailed%2Cbusted%2Cexception&group_state=expanded&revision=19047d153c2f5ddf5184def2be0745d2f1d936a8
Log: https://treeherder.mozilla.org/logviewer.html#?job_id=231969342&repo=autoland
TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/gc/bug1532289.js | Timeout (code -6, args "--ion-warmup-threshold=0 --ion-offthread-compile=off --no-baseline --no-ion --more-compartments") [150.0 s]

Comment 9

[Robin Templeton [:terpri]]

the timeout appears to be caused by using gczeal mode 4 under --no-baseline --no-ion

i'll upload a version of this patch that skips the test if baseline is disabled, which should prevent the failure

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/9d5e6a41565dd171c74b0200b6149f8d27fe61ac

Comment 11

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/9d5e6a41565d

Comment 12

[Fuzzing Team]

JSBugMon: This bug has been automatically verified fixed.