Closed Bug 1683309 Opened 5 years ago Closed 5 years ago

Assertion failure: [barrier verifier] Unmarked edge: JS Object 0xebbb6d1dee0 'object slot' edge to JS Object 0xebbb6d29f60, at gc/Verifier.cpp:392

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
86 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- unaffected
firefox85 --- unaffected
firefox86 --- fixed

People

(Reporter: decoder, Assigned: mgaudet)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20201217-2ab4142f19bc (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --warp-async):

evalInWorker(`
  gczeal(4);                        // enable the pre-write-barrier verifier (VerifierPre)
  function f86(depth) {
    var x = async target => ([]);   // calling an async arrow creates an AsyncFunctionGenerator
    o62 = unescape;
    x(o62.prop, o62);               // the async call resolves its promise immediately
    f86(true + 1);                  // unbounded recursion until the stack limit throws
  }
  f86(0);
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555574ea5b6 in js::gc::GCRuntime::endVerifyPreBarriers() ()
#1  0x000055555744359c in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#2  0x000055555741e66f in js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::GCReason, long) ()
#3  0x000055555741e31d in js::gc::GCRuntime::gcIfRequested() ()
#4  0x00005555573f62d6 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#5  0x00005555573f615e in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*) ()
#6  0x0000555556b26e67 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) ()
#7  0x0000555556e96ce6 in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#8  0x0000555556e96598 in js::NewObjectWithGivenTaggedProto(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#9  0x0000555556f45346 in js::SavedFrame::create(JSContext*) ()
#10 0x0000555556f4e7f5 in js::SavedStacks::createFrameFromLookup(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#11 0x0000555556f4e492 in js::SavedStacks::getOrCreateSavedFrame(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#12 0x0000555556f4b582 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#13 0x0000555556f4a605 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#14 0x00005555571b41c5 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#15 0x0000555556db97a9 in PromiseDebugInfo::setResolutionInfo(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<js::SavedFrame*>) ()
#16 0x0000555556db92a6 in js::PromiseObject::onSettled(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<js::SavedFrame*>) ()
#17 0x0000555556db8c47 in ResolvePromise(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, JS::PromiseState, JS::Handle<js::SavedFrame*>) ()
#18 0x0000555556dd7644 in FulfillMaybeWrappedPromise(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) ()
#19 0x0000555556dae7e9 in ResolvePromiseInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) ()
#20 0x0000555556d07129 in js::AsyncFunctionResolve(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>, js::AsyncFunctionResolveKind) ()
#21 0x00001cb4f21b857d in ?? ()
#22 0x00007ffff682b940 in ?? ()
#23 0x00007ffff682ba00 in ?? ()
#24 0x0000555557f8e7a0 in js::jit::vmFunctions ()
#25 0x00001cb4f21fd173 in ?? ()
#26 0x0000000000002820 in ?? ()
#27 0x00000ebbb6d66040 in ?? ()
#28 0xfffe0ebbb6d660a0 in ?? ()
#29 0x0000000000000000 in ?? ()
rax	0x55555571832e	93824994083630
rbx	0x55555581fdbd	93824995163581
rcx	0x555557fd0888	93825036781704
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffff682a5a0	140737329145248
rsp	0x7ffff682a0e0	140737329144032
r8	0x7ffff7105770	140737338431344
r9	0x7ffff6967700	140737330444032
r10	0x0	0
r11	0x0	0
r12	0x555555874b79	93824995511161
r13	0x7ffff13a9310	140737240535824
r14	0x7ffff682a170	140737329144176
r15	0x555555746197	93824994271639
rip	0x5555574ea5b6 <js::gc::GCRuntime::endVerifyPreBarriers()+1990>
=> 0x5555574ea5b6 <_ZN2js2gc9GCRuntime20endVerifyPreBarriersEv+1990>:	movl   $0x189,0x0
   0x5555574ea5c1 <_ZN2js2gc9GCRuntime20endVerifyPreBarriersEv+2001>:	callq  0x555556a90402 <abort>

Another warp-async issue, disabled on Nightly.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201218095607-2231d839f1e7.
The bug appears to have been introduced in the following build range:

Start: a4ce10afc0f660ece5eca5f3d700646d8dd19c4c (20201215174456)
End: 1b3cd56bc7db0ba8fa5f0db0cfb2633242575ef0 (20201215174615)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a4ce10afc0f660ece5eca5f3d700646d8dd19c4c&tochange=1b3cd56bc7db0ba8fa5f0db0cfb2633242575ef0

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Preliminary Analysis:

  1. The edge is from [object AsyncFunctionGenerator] (an AbstractGeneratorObject) to the Caller slot, which has [object Function "x"] in it.
  2. In Warp, this edge is written as part of MGenerator, which codegens to a call to js::jit::CreateGenerator. This in turn calls AbstractGeneratorObject::create.
  3. The generator object is rooted and allocated in this frame, and then the write to the callee slot happens here, going through NativeObject::setFixedSlot, which as I understand it should be doing the barriers for us.

So at least initially I'm not clear how we're missing a barrier.

/me facepalms

I think I may have it.

One other place it's written to is in build_FinalYieldRval. I tried making that store barriered, then tested... but forgot to build. Looking at it, it may be sufficient to fix this test case.

Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1
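To make the assertion in the title concrete: the verifier that fails here records every heap edge at the start of a verification window and, at the end, requires that any recorded edge whose target was overwritten had its old target reported by the pre-write barrier. The following toy model of that check is an added illustration, not SpiderMonkey code; `Obj`, `Verifier`, `setSlotBarriered`, `setSlotUnbarriered` and `runScenario` are hypothetical names, and the scenario is shaped like the analysis above (a generator-like object whose callee slot is cleared by an unbarriered store, as the FinalYieldRval fix addresses).

```cpp
// Toy model of SpiderMonkey's pre-write-barrier verifier (the gczeal(4) mode
// whose endVerifyPreBarriers() asserts above). All names here are hypothetical;
// this is an added illustration, not engine code.
#include <cstddef>
#include <cstdio>
#include <unordered_set>
#include <vector>

struct Obj {
    std::vector<Obj*> slots;   // each non-null entry is an 'object slot' edge
};

struct SnapshotEdge {
    Obj* src;
    size_t slot;
    Obj* oldTarget;
};

struct Verifier {
    std::vector<SnapshotEdge> edges;      // every edge reachable when verification began
    std::unordered_set<Obj*> barriered;   // old slot values the pre-barrier reported
    bool active = false;

    // Like startVerifyPreBarriers: trace the heap from the roots and record every edge.
    void start(const std::vector<Obj*>& roots) {
        edges.clear();
        barriered.clear();
        active = true;
        std::unordered_set<Obj*> seen;
        std::vector<Obj*> work(roots.begin(), roots.end());
        while (!work.empty()) {
            Obj* o = work.back();
            work.pop_back();
            if (!o || !seen.insert(o).second) continue;
            for (size_t i = 0; i < o->slots.size(); i++) {
                if (Obj* target = o->slots[i]) {
                    edges.push_back({o, i, target});
                    work.push_back(target);
                }
            }
        }
    }

    // Like endVerifyPreBarriers: a recorded edge whose target was overwritten is
    // only acceptable if the pre-barrier reported the old target. Returns the
    // number of "unmarked edges" (the real verifier asserts on the first one).
    size_t end() {
        size_t unmarked = 0;
        for (const SnapshotEdge& e : edges) {
            if (e.src->slots[e.slot] != e.oldTarget && !barriered.count(e.oldTarget)) {
                std::printf("unmarked edge: %p 'object slot' edge to %p\n",
                            (void*)e.src, (void*)e.oldTarget);
                unmarked++;
            }
        }
        active = false;
        return unmarked;
    }
};

// Snapshot-at-the-beginning pre-barrier: report the value being overwritten so
// the marker still sees it. A barriered slot setter does this; an unbarriered
// JIT store does not.
void preBarrier(Verifier& v, Obj* old) {
    if (v.active && old) v.barriered.insert(old);
}

void setSlotBarriered(Verifier& v, Obj* o, size_t i, Obj* val) {
    preBarrier(v, o->slots[i]);
    o->slots[i] = val;
}

void setSlotUnbarriered(Obj* o, size_t i, Obj* val) {
    o->slots[i] = val;   // the defect: the old value is never reported
}

// Scenario shaped like the report: a generator-like object holds its callee in
// a fixed slot, and finishing the generator clears that slot inside a
// verification window. Returns the verifier's unmarked-edge count.
size_t runScenario(bool barriered) {
    Obj callee;
    Obj generator;
    generator.slots = {&callee};              // generator -> callee edge
    std::vector<Obj*> roots = {&generator};
    Verifier v;
    v.start(roots);
    if (barriered) setSlotBarriered(v, &generator, 0, nullptr);
    else           setSlotUnbarriered(&generator, 0, nullptr);
    return v.end();
}

int main() {
    std::printf("unbarriered clear: %zu unmarked edge(s)\n", runScenario(false));
    std::printf("barriered clear:   %zu unmarked edge(s)\n", runScenario(true));
    return 0;
}
```

The unbarriered store yields one unmarked edge and the barriered store none. Outside the verifier the same missing barrier is a memory-safety problem rather than an assertion: during incremental marking, if the callee's only unscanned reference is overwritten without the pre-barrier, the collector can finish marking without ever seeing the callee, sweep it, and leave any later reference to it dangling.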
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/209a821d9511
Barrier writes to AbstractGeneratorObject slots during FinalYieldRval r=iain
https://hg.mozilla.org/integration/autoland/rev/9fe6e56c5f84
Retitle MStoreFixedSlot::New to NewUnbarriered r=jandem
Crash Signature: [@ js::gc::ArenaCellSet::check]
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210105215658-bcfbf7c9d108.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Has Regression Range: --- → yes