Closed Bug 1804626 Opened 3 years ago Closed 3 years ago

Assertion failure: [barrier verifier] Unmarked edge: JS Object 247352a740b0 'shape' edge to JS Shape 247352a64160, at gc/Verifier.cpp:384

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
109 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- unaffected
firefox108 --- unaffected
firefox109 --- fixed
firefox110 --- fixed

People

(Reporter: decoder, Assigned: alexical)

References

(Regression)

Details

(6 keywords, Whiteboard: [bugmon:update,bisected,confirmed][post-critsmash-triage][adv-main109+r])

Attachments

(3 files, 1 obsolete file)

Detailed Crash Information
1.04 KB, text/plain
Details
Testcase
123 bytes, text/plain
Details
Bug 1804626 - Backed out changeset 77591550134c r?iain
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20221208-58f36d1b73c5 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager):

function a() {}
function b(c) {
  c.d = 2;
}
function e() {
  f = new a;
  verifyprebarriers();
  b(f);
}
for (;;)
  new e;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555576c6129 in js::gc::GCRuntime::endVerifyPreBarriers() ()
#1  0x000055555723a5ea in VerifyPreBarriers(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000285a1fd9d862 in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0x55555592788d	93824996243597
rbx	0x5555558cc698	93824995870360
rcx	0x555558368c98	93825040551064
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffc0d0	140737488339152
rsp	0x7fffffffbc20	140737488337952
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99800	140737353717760
r10	0x0	0
r11	0x0	0
r12	0x247352a740b0	40077726531760
r13	0x555555880b15	93824995560213
r14	0x7fffffffbca0	140737488338080
r15	0x5555559134cc	93824996160716
rip	0x5555576c6129 <js::gc::GCRuntime::endVerifyPreBarriers()+2105>
=> 0x5555576c6129 <_ZN2js2gc9GCRuntime20endVerifyPreBarriersEv+2105>:	movl   $0x181,0x0
   0x5555576c6134 <_ZN2js2gc9GCRuntime20endVerifyPreBarriersEv+2116>:	callq  0x555556c7948c <abort>
Attached file Testcase

Verified bug as reproducible on mozilla-central 20221208153054-5b38548871de.
The bug appears to have been introduced in the following build range:

Start: bd22ade4bc203f6f74578b64405d5ac1cb0df980 (20221204030525)
End: 77591550134cad0a4943249c27acf6097a4b2871 (20221204033701)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd22ade4bc203f6f74578b64405d5ac1cb0df980&tochange=77591550134cad0a4943249c27acf6097a4b2871

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Flags: needinfo?(dothayer)
Regressed by: 1800384

Set release status flags based on info from the regressing bug 1800384

status-firefox107: --- → unaffected
status-firefox108: --- → unaffected
status-firefox-esr102: --- → unaffected

It looks like shapes are not being traced through MIR ops, instead relying on
the fact that shapes must always be tenured, and thus can only go away during
a compacting GC which will throw away Ion code anyway. Accordingly our
assumptions for why this optimization was okay were skewed.

Assignee: nobody → dothayer
Status: NEW → ASSIGNED
Component: JavaScript: GC → JavaScript Engine: JIT

This assertion is going off because it thinks we souldn't be accessing a cell's
zone off-thread. In fact we are marking and the mutator is not running so this
is fine. The problem is we didn't set GC use to marking for the background mark
task (not parallel marking, this does single threaded marking off-thread during
sweeping).

Severity: -- → S2
Priority: -- → P1

Backed out changeset 77591550134c r=iain
https://hg.mozilla.org/integration/autoland/rev/deb7d446c1d59be174cb6c92b4afed603768f7c0
https://hg.mozilla.org/mozilla-central/rev/deb7d446c1d5

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox109: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch

Bug marked as FIXED but still reproduces on mozilla-central 20221209044848-408707dd85c5. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Sorry, posted patch to the wrong bug.

Comment on attachment 9307521 [details]
Bug 1804626 - Set GC use during background marking to satisfy assertions r?sfink

Revision D164320 was moved to bug 1804787. Setting attachment 9307521 [details] to obsolete.

Attachment #9307521 - Attachment is obsolete: true

Hey Jason - how precisely does Bugmon verify the reproducibility of the issue? I'm unable to reproduce this locally and it really doesn't seem like it should be happening anymore.

Flags: needinfo?(dothayer) → needinfo?(jkratzer)

Doug, I verified this manually and can confirm that it is fixed. Bugmon marked it as still active based on the patch revision in comment 7.

Flags: needinfo?(jkratzer)

Set release status flags based on info from the regressing bug 1800384

status-firefox110: --- → affected

Okay - given the manual confirmation in comment 12 and the fact that the fixing change landed before the freeze ended, I'm going to remove the bugmon keyword, mark this as fixed, and update the status flags.

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
status-firefox109: affectedfixed
status-firefox110: affectedfixed
Keywords: bugmon
Resolution: --- → FIXED
Flags: qe-verify-
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:update,bisected,confirmed][post-critsmash-triage]
Whiteboard: [bugmon:update,bisected,confirmed][post-critsmash-triage] → [bugmon:update,bisected,confirmed][post-critsmash-triage][adv-main109+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: