Closed Bug 1532289 Opened 2 years ago Closed 2 years ago

Assertion failure: [barrier verifier] Unmarked edge: Object 0x5d10d58d060 'object slot' edge to BigInt 0x5d10d5cc030, at js/src/gc/Verifier.cpp:382

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- verified

People

(Reporter: decoder, Assigned: wingo)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect] [post-critsmash-triage])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 06f0c5e35c3a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-warmup-threshold=0):

gczeal(4,10);
function func2() {
each = BigInt(-1);
  for (; each.prop1 ;) {}
}
var ary = [1];
lfSomeObj = minorgc;
lfSomeFunc = deserialize;
uic8 = new Proxy(lfSomeObj, { set: lfSomeFunc });
while (ary[uic8[1] >= 0 ? uic8[1] : 0]) {
  func2();
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff5f1c6b8) at js/src/gc/Verifier.cpp:383
#1  0x0000555556065be6 in js::gc::GCRuntime::maybeVerifyPreBarriers (this=0x7ffff5f1c6b8, always=<optimized out>) at js/src/gc/Verifier.cpp:428
#2  0x00005555558e3d7d in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3316
#3  0x00005555558ebb06 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
[...]
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10966
rax	0x555557c3d280	93825033032320
rbx	0x7fffffffc3e0	140737488339936
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x555556ac2050	93825014702160
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc820	140737488341024
rsp	0x7fffffffc310	140737488339728
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x0	0
r11	0x0	0
r12	0x5d10d58d060	6395430228064
r13	0x555556ac75da	93825014724058
r14	0x7ffff164aac8	140737243294408
r15	0x5d10d5cc030	6395430486064
rip	0x555556060184 <js::gc::GCRuntime::endVerifyPreBarriers()+1556>
=> 0x555556060184 <js::gc::GCRuntime::endVerifyPreBarriers()+1556>:	movl   $0x0,0x0
   0x55555606018f <js::gc::GCRuntime::endVerifyPreBarriers()+1567>:	ud2

Marking s-s because this involves GC.

CC'ing BigInt gurus :)

Flags: needinfo?(wingo)
Flags: needinfo?(robin)

thanks, am poking :)

This case seems to trigger it just as well:

gczeal(4,10);
function func2() {
each = BigInt(-1);
  for (; each.prop1 ;) {}
}

while (1) { func2() }
Flags: needinfo?(wingo)

FWIW reverting https://hg.mozilla.org/integration/autoland/rev/9527be2c6bcf does not fix the problem.

Doesn't seem to happen without Ion. With Ion, seems it needs either offthread compilation enabled, or --ion-offthread-compile=off --ion-warmup-threshold=0. Could we be failing to emit a barrier in Ion? The investigation continues.

FWIW, the test I am working with:

gczeal(4,10);
var x;
var y = true;
function func2() {
  x = BigInt(-1);
  while (!y);
}

while (1) { func2() }

@jandem indeed that seems to be the problem, adding bigint there fixes the issue. Still working on a reliable test though.

Flags: needinfo?(robin)
Keywords: checkin-needed
Keywords: sec-high

the timeout appears to be caused by using gczeal mode 4 under --no-baseline --no-ion

i'll upload a version of this patch that skips the test if baseline is disabled, which should prevent the failure

Flags: needinfo?(wingo)
Keywords: checkin-needed
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Flags: qe-verify-
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect] [post-critsmash-triage]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.