Closed
Bug 768732
Opened 10 years ago
Closed 10 years ago
"Assertion failure: [barrier verifier] Unmarked edge: element,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla16
| Tracking | Status | |
|---|---|---|
| firefox13 | --- | unaffected |
| firefox14 | --- | unaffected |
| firefox15 | --- | disabled |
| firefox16 | + | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: billm)
References
Details
(4 keywords, Whiteboard: [advisory-tracking-])
Attachments
(2 files)
|
13.40 KB,
text/plain
|
Details | |
|
2.50 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
a = ''
b = []
a = b.concat(a)
Object.defineProperty(a, 3, {
e: gczeal(4, 2)
})
asserts js debug shell on m-c changeset 5c07a681371d with and without patch v3 from bug 757199 applied, at Assertion failure: [barrier verifier] Unmarked edge: element, without any CLI arguments.
gczeal seems involved so setting s-s to be safe.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 97431:bd1992ab029b
user: Bill McCloskey
date: Fri Jun 22 11:30:48 2012 -0700
summary: Bug 766355 - Fix GC valgrind warnings (r=terrence)
|
Assignee | |
Updated•10 years ago
|
Assignee: general → wmccloskey
|
|
Assignee | |
Comment 1•10 years ago
|
||
In this test case, we're slowifying a dense array. The following steps can happen: 1. Start an incremental GC. 2. Enter the array slowification. It will set obj->elements to empty while keeping the elements rooted with an AutoRooter. 3. It allocates some shapes. At this point, it's possible we could do a GC slice. If we scan the array during this time, it will look empty. The incremental GC only scans the autorooted elements in the first slice, which might have taken place before the slowification started. This patch invokes a write barrier on all the elements during slowification. This is a bit expensive, but we're already allocating a shape for every element, so I don't think it should be too bad. And it only happens when we're running an incremental GC.
Attachment #637310 -
Flags: review?(bhackett1024)
|
||
Updated•10 years ago
|
Attachment #637310 -
Flags: review?(bhackett1024) → review+
|
Reporter | |
Comment 2•10 years ago
|
||
Assuming sec-critical based on comment 1, please change if this is not the case.
Keywords: sec-critical
|
||
Updated•10 years ago
|
status-firefox16:
--- → affected
tracking-firefox16:
--- → +
|
|
Reporter | |
Comment 3•10 years ago
|
||
Incremental GC is only enabled by default on 16, so setting the rest unaffected/disabled on 15.
status-firefox-esr10:
--- → unaffected
status-firefox13:
--- → unaffected
status-firefox14:
--- → unaffected
status-firefox15:
--- → disabled
|
|
Assignee | |
Comment 5•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/864f8f84cc53
Target Milestone: --- → mozilla16
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/864f8f84cc53
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: js-triage-needed
|
||
Updated•10 years ago
|
Whiteboard: [advisory-tracking-]
|
||
Updated•10 years ago
|
Group: core-security
|
||
Comment 8•10 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug768732.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•