Closed Bug 768732 Opened 11 years ago Closed 11 years ago

"Assertion failure: [barrier verifier] Unmarked edge: element,"


(Core :: JavaScript Engine, defect)

Windows 7
Not set



Tracking Status
firefox13 --- unaffected
firefox14 --- unaffected
firefox15 --- disabled
firefox16 + fixed
firefox-esr10 --- unaffected


(Reporter: gkw, Assigned: billm)



(4 keywords, Whiteboard: [advisory-tracking-])


(2 files)

Attached file stack from Windows 7
a = ''
b = []
a = b.concat(a)
// Defining index 3 with a descriptor that sets no recognized attributes
// forces the dense array to be converted to a slow (sparse) object; the
// gczeal(4, 2) call enables the GC barrier verifier (zeal mode 4) with
// frequency 2 while that conversion is running.
Object.defineProperty(a, 3, {
  e: gczeal(4, 2)
})

asserts js debug shell on m-c changeset 5c07a681371d with and without patch v3 from bug 757199 applied, at Assertion failure: [barrier verifier] Unmarked edge: element, without any CLI arguments.

gczeal seems involved so setting s-s to be safe.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   97431:bd1992ab029b
user:        Bill McCloskey
date:        Fri Jun 22 11:30:48 2012 -0700
summary:     Bug 766355 - Fix GC valgrind warnings (r=terrence)
Assignee: general → wmccloskey
Attached patch: patch
In this test case, we're slowifying a dense array. The following steps can happen:

1. Start an incremental GC.
2. Enter the array slowification. It will set obj->elements to empty while keeping the elements rooted with an AutoRooter.
3. It allocates some shapes. At this point, it's possible we could do a GC slice. If we scan the array during this time, it will look empty.

The incremental GC only scans the autorooted elements in the first slice, which might have taken place before the slowification started.

This patch invokes a write barrier on all the elements during slowification. This is a bit expensive, but we're already allocating a shape for every element, so I don't think it should be too bad. And it only happens when we're running an incremental GC.
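A small C model of the race described in the comment above, added here as an illustration and not SpiderMonkey code; the cell ids, mark bits and the names pre_barrier and slowify_scenario are constructed for the example:

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed mini-heap: cell 0 is the dense array, cells 1..3 are the objects it holds. */
#define NCELLS 4
#define NELEMS 3
#define ARRAY 0
static bool marked[NCELLS];      /* GC mark bits */
static int elements[NELEMS];     /* obj->elements storage: cell ids */
static int *obj_elements;        /* the array's elements pointer (NULL = empty) */
static bool gc_running;          /* an incremental GC is in progress */

static void mark(int cell) { marked[cell] = true; }

/* First slice: mark the roots. The array itself is rooted; its elements are
   only reached by scanning the array in a later slice. */
static void gc_start(void) {
    for (int i = 0; i < NCELLS; i++) marked[i] = false;
    gc_running = true;
    mark(ARRAY);
}

/* Later slice: scan the array through its *current* elements pointer. */
static void gc_slice_scan_array(void) {
    if (obj_elements)
        for (int i = 0; i < NELEMS; i++) mark(obj_elements[i]);
}

/* Pre-write barrier: mark the old value before it is overwritten mid-GC. */
static void pre_barrier(int cell) { if (gc_running) mark(cell); }

/* Slowification as described in the patch comment: detach the elements, hold
   them in an AutoRooter-style local copy, take a GC slice while "allocating
   shapes", then reinstall them. Returns how many edges the barrier verifier
   would find unmarked (0 means the fix holds). */
int slowify_scenario(bool use_barrier) {
    int rooted[NELEMS];
    for (int i = 0; i < NELEMS; i++) elements[i] = i + 1;
    obj_elements = elements;
    gc_start();                                    /* GC began before slowification */
    for (int i = 0; i < NELEMS; i++) {
        if (use_barrier) pre_barrier(elements[i]); /* the fix: barrier every element */
        rooted[i] = elements[i];
    }
    obj_elements = NULL;                           /* array now looks empty... */
    gc_slice_scan_array();                         /* ...so this slice marks nothing */
    for (int i = 0; i < NELEMS; i++) elements[i] = rooted[i];
    obj_elements = elements;                       /* elements live again, unseen by the GC */
    gc_running = false;
    int unmarked = 0;
    for (int i = 0; i < NELEMS; i++) unmarked += !marked[obj_elements[i]];
    return unmarked;
}
```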
Attachment #637310 - Flags: review?(bhackett1024)
Attachment #637310 - Flags: review?(bhackett1024) → review+
Assuming sec-critical based on comment 1, please change if this is not the case.
Keywords: sec-critical
Incremental GC is only enabled by default on 16, so setting the rest unaffected/disabled on 15.
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: js-triage-needed
Whiteboard: [advisory-tracking-]
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug768732.js.
Flags: in-testsuite+