Closed Bug 1620196 Opened 4 years ago Closed 4 years ago

Assertion failure: [barrier verifier] Unmarked edge: JS Object 0x3f1462eaa040 'FinalizationRecordObject weak group' edge to JS Object 0x3f1462ea9040, at gc/Verifier.cpp:384 with --enable-weak-refs

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla76
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- verified

People

(Reporter: decoder, Assigned: jonco)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][bugmon:confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200303-d7e7f63dc1bf (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --enable-weak-refs test.js):

gczeal(4);  // zeal mode 4: run the pre-write barrier verifier between instructions
let heldValues = [];
group = new FinalizationGroup(iterator => {
    heldValues.push(...iterator);
});
group.register({}, 42);  // the registered target is immediately unreachable
gc();                    // collection queues the cleanup callback; the verifier then trips

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000564c83727018 in js::gc::GCRuntime::endVerifyPreBarriers() ()
#0  0x0000564c83727018 in js::gc::GCRuntime::endVerifyPreBarriers() ()
#1  0x0000564c83727369 in js::gc::GCRuntime::maybeVerifyPreBarriers(bool) ()
#2  0x0000564c82cdd7e4 in Interpret(JSContext*, js::RunState&) ()
#3  0x0000564c82cdb5a3 in js::RunScript(JSContext*, js::RunState&) ()
#4  0x0000564c82cf0df3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x0000564c82cf23d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#6  0x0000564c82d7832a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#7  0x0000564c82d779b6 in js::FinalizationGroupObject::cleanupQueuedRecords(JSContext*, JS::Handle<js::FinalizationGroupObject*>, JS::Handle<JSObject*>) ()
#8  0x0000564c82e18291 in JS::CleanupQueuedFinalizationGroup(JSContext*, JS::Handle<JSObject*>) ()
#9  0x0000564c82b8d6f3 in RunShellJobs(JSContext*) ()
#10 0x0000564c82b781e9 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#11 0x0000564c82b7175e in main ()
rax	0x564c842337ad	94886634403757
rbx	0x564c8434b74a	94886635550538
rcx	0x564c852fb850	94886652000336
rdx	0x0	0
rsi	0x7fe5b0383770	140624480712560
rdi	0x7fe5b0382540	140624480707904
rbp	0x7ffcd90ddbd0	140723950050256
rsp	0x7ffcd90dd720	140723950049056
r8	0x7fe5b0383770	140624480712560
r9	0x7fe5b147cd00	140624498511104
r10	0x0	0
r11	0x0	0
r12	0x564c8425f94a	94886634584394
r13	0x7fe5a9b3d610	140624371373584
r14	0x7ffcd90dd7a0	140723950049184
r15	0x564c8433e0d9	94886635495641
rip	0x564c83727018 <js::gc::GCRuntime::endVerifyPreBarriers()+2104>
=> 0x564c83727018 <_ZN2js2gc9GCRuntime20endVerifyPreBarriersEv+2104>:	movl   $0x181,0x0
   0x564c83727023 <_ZN2js2gc9GCRuntime20endVerifyPreBarriersEv+2115>:	callq  0x564c82bf9d8e <abort>
Attached file Testcase

Jonco, could you look at this regression bug? It seems to be related to Finalization Groups.

Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Priority: -- → P1

The pre-write barrier protects against moving an object from in front of the 'marking wavefront' to behind it and leaving it reachable but unmarked. It does this by marking the object when it is removed from its initial position (when the pointer is overwritten). Since weak edges are not marked anyway this barrier doesn't make sense (there is no marking wavefront for weak edges). Instead weak edges must have a read barrier if their value escapes, but that is not checked by the pre-barrier verifier.
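The invariant described in the comment above, as an added toy model (not SpiderMonkey code; the `Heap`, `Node`, `writeStrong`, `writeWeak` and `unmarkedEdges` names are assumptions for illustration). It runs an incremental marker one object at a time, lets the mutator move an object from in front of the wavefront to behind it with and without a pre-write (deletion) barrier, and then runs a verifier in both the over-strict form that counted weak edges and the fixed form that skips them:

```cpp
// Toy incremental mark heap: strong edges are traced and get a pre-write
// barrier; weak edges are never traced, so the barrier and the verifier
// both ignore them. Constructed example, not SpiderMonkey's implementation.
#include <cstddef>
#include <cstdio>
#include <deque>
#include <memory>
#include <vector>

struct Node {
    std::vector<Node*> strong;   // traced edges
    Node* weak = nullptr;        // not traced; would be cleared at sweep if target dies
    bool marked = false;         // grey or black; false means white
};

class Heap {
public:
    Heap() : root_(alloc()) {}
    Node* alloc() {
        nodes_.push_back(std::make_unique<Node>());
        return nodes_.back().get();
    }
    Node* root() const { return root_; }

    // Begin incremental marking: everything white, the root goes grey.
    void startMarking() {
        for (auto& n : nodes_) n->marked = false;
        marking_ = true;
        pushGrey(root_);
    }
    // Scan up to `budget` grey objects; returns true once marking is complete.
    bool markStep(size_t budget) {
        while (budget-- && !grey_.empty()) {
            Node* n = grey_.front();
            grey_.pop_front();
            for (Node* child : n->strong) pushGrey(child);
            // n->weak is deliberately not traced: no wavefront for weak edges
        }
        if (grey_.empty()) marking_ = false;
        return !marking_;
    }
    // Mutator write to a strong edge. The pre-barrier marks the OLD target
    // when it is unlinked while marking is in progress.
    void writeStrong(Node* owner, size_t i, Node* target, bool usePreBarrier) {
        if (i >= owner->strong.size()) owner->strong.resize(i + 1, nullptr);
        if (marking_ && usePreBarrier) pushGrey(owner->strong[i]);
        owner->strong[i] = target;
    }
    // Weak edges are written with no barrier at all.
    void writeWeak(Node* owner, Node* target) { owner->weak = target; }

    // Verifier: count edges from marked objects to unmarked objects.
    // checkWeak=true reproduces the over-strict check from the bug.
    size_t unmarkedEdges(bool checkWeak) const {
        size_t bad = 0;
        for (auto& n : nodes_) {
            if (!n->marked) continue;
            for (Node* c : n->strong) if (c && !c->marked) ++bad;
            if (checkWeak && n->weak && !n->weak->marked) ++bad;
        }
        return bad;
    }

private:
    void pushGrey(Node* n) {
        if (n && !n->marked) { n->marked = true; grey_.push_back(n); }
    }
    std::vector<std::unique_ptr<Node>> nodes_;
    std::deque<Node*> grey_;
    Node* root_;
    bool marking_ = false;
};

// root -> A -> B. Marking scans root (A grey, B white), then the mutator
// links B behind the wavefront (into root) and unlinks it from A.
// Returns the number of reachable-but-unmarked strong edges afterwards.
size_t lostObjectScenario(bool usePreBarrier) {
    Heap h;
    Node* a = h.alloc();
    Node* b = h.alloc();
    h.writeStrong(h.root(), 0, a, usePreBarrier);  // not marking yet: barrier is a no-op
    h.writeStrong(a, 0, b, usePreBarrier);
    h.startMarking();
    h.markStep(1);                                  // scan root only
    h.writeStrong(h.root(), 1, b, usePreBarrier);   // B now behind the wavefront
    h.writeStrong(a, 0, nullptr, usePreBarrier);    // barrier point: old target B
    while (!h.markStep(1)) {}
    return h.unmarkedEdges(false);
}

// A weak edge to an object reachable only through that edge. No barrier is
// involved; only the verifier's treatment of weak edges changes the result.
size_t weakEdgeScenario(bool checkWeak) {
    Heap h;
    Node* target = h.alloc();
    h.writeWeak(h.root(), target);
    h.startMarking();
    while (!h.markStep(1)) {}
    return h.unmarkedEdges(checkWeak);
}

int main() {
    std::printf("lost object, no barrier: %zu\n", lostObjectScenario(false));
    std::printf("lost object, barrier:    %zu\n", lostObjectScenario(true));
    std::printf("weak edge, strict check: %zu\n", weakEdgeScenario(true));
    std::printf("weak edge, fixed check:  %zu\n", weakEdgeScenario(false));
    return 0;
}
```

Without the barrier the strong-edge scenario ends with one marked object pointing at an unmarked one, which is exactly the condition the real verifier reports as an "Unmarked edge"; with the barrier the count is zero. The weak-edge scenario is a false positive by construction: the target is legitimately unmarked, and only the strict verifier counts it.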

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][bugmon:confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200313163649-87ab9a88abce
The bug appears to have been introduced in the following build range:
> Start: f3da8ae9d1a3e74cd273746da51a035ddc572bee (20200225214332)
> End: 7f41334e10443f4f1c7426e86fb0cb7adfdf4d62 (20200226092757)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f3da8ae9d1a3e74cd273746da51a035ddc572bee&tochange=7f41334e10443f4f1c7426e86fb0cb7adfdf4d62
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef8263db97e0
The pre-barrier verifier shouldn't check weak edges as these don't need this barrier r=sfink
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jcoppeard)

FinalizationRegistry support is only present on nightly.

Flags: needinfo?(jcoppeard)
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200422163521-2203d818a3b4.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
