Closed Bug 770954 Opened 12 years ago Closed 12 years ago

Assertion failure: [barrier verifier] Unmarked edge: value, at jsgc.cpp:4580

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla17
Tracking Flags:
Tracking Status
firefox14 --- unaffected
firefox15 --- unaffected
firefox16 + unaffected
firefox17 --- verified
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: js-triage-needed [jsbugmon:update][adv-track-main17-])

Attachments

(1 file, 1 obsolete file)

v2
3.51 KB, patch
billm
: review+
Details | Diff | Splinter Review 
The following test asserts on mozilla-central revision b6aa44d8f11f (options -m -n -a):


gczeal(4);
var s = new Set;
s.add(-0);
s.add(0);
assertEq(s.delete(-0), true);
assertEq(s.has(0), (true  ));
assertEq(s.has(-0), false);
var m = new Map;
m.set(-0, 'x');
assertEq(m.has(0), false);
assertEq(m.get(0), undefined);
assertEq(m.has(-0), true);
assertEq(m.delete(-0), true);


S-s due to GC-related assertion.
Assignee: general → wmccloskey
Keywords: sec-high
Jason, there's a problem here where the write barrier for incremental GC isn't being invoked correctly. In order for incremental GC to be correct, we need to ensure that once a Map entry gets into a state where it won't be traced during GC, then we call a write barrier on. That's not happening here in the m.delete(-0) call.

My initial expectation was that OrderedHashTable would call the destructor on the entry when removing it. That would cause the write barrier to be invoked. However, it seems to call the destructor more lazily, either when the table is resized or destroyed.

Somehow we need to call the destructor immediately upon removing the value, or we have to replace it with some dummy value, which will also cause the barrier to be invoked.
Keywords: sec-highsec-critical
Assignee: wmccloskey → general
OK, I'll take this. OrderedHashTable bounced, for unrelated reasons, so this won't affect anyone for a while. Sigh.
Assignee: general → jorendorff
(leaving tracking-firefox16 unset for now because the code from bug 743107 isn't in 16 now, but could end up in it at some point)
Blocks: 743107
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
Let's "track" this for 16 anyway -- at the very least to double check whether bug 743107 did or didn't land in that cycle.
status-firefox14: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
Attached patch v1 (obsolete) — Splinter Review 
+1 line of code
+12 lines of comments
+25 lines of tests
Attachment #643219 - Flags: review?(wmccloskey)
Comment on attachment 643219 [details] [diff] [review]
v1

For the first comment, could you just say something like:
"We no longer plan to mark this value, so force an incremental write barrier on it by overwriting it."
Attachment #643219 - Flags: review?(wmccloskey) → review+
Attached patch v2Splinter Review 
Not quite as pretty as v1.

The line I added:
    e->value = Value();
doesn't compile in GCC 4.2! The compiler wants a copy constructor for that Value type. I can't see why. This code explicitly calls the default constructor, and then calls e->value.operator=, which (I checked) takes a reference argument, not a copy.

Simpler example that also doesn't compile in g++-4.2:

    struct X {
        X() {}
        explicit X(const X &x) {}
        void operator=(const X &x) {}
    };
    void f() {
        X x;
        x = X();  // error: no matching function for call to 'X::X(X)'
    }

If the 'explicit' tag on RelocatableValue's copy constructor is valuable, I can work around this some other way. Destroying removed values wouldn't be so bad. Another alternative is to do violence to the OrderedHashMap API to require the implementation to provide a makeEmpty() function that clears the whole entry, not just the key.
Attachment #643219 - Attachment is obsolete: true
Attachment #643231 - Flags: review?(wmccloskey)
Attachment #643231 - Flags: review?(wmccloskey) → review+
Jason, I wanted to help land this but it bitrotted a little:

$ hg qpush
applying bug-770954-OHT-gc-v2.patch
patching file js/src/builtin/MapObject.cpp
Hunk #1 FAILED at 581
Hunk #2 FAILED at 966
2 out of 2 hunks FAILED -- saving rejects to file js/src/builtin/MapObject.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working dir
errors during apply, please fix and refresh bug-770954-OHT-gc-v2.patch
Gary, that's because the patch that caused this was backed out. Now it's relanded, and this patch has landed on top of it:

https://hg.mozilla.org/integration/mozilla-inbound/rev/aa8bab8cc31f
Great, thanks for the clarification!
https://hg.mozilla.org/mozilla-central/rev/aa8bab8cc31f
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox17: --- → fixed
Resolution: --- → FIXED
Marking 16 as unaffected as the regressing patch was backed out from 16.
status-firefox16: affectedunaffected
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
status-firefox17: fixedverified
Target Milestone: --- → mozilla17
Whiteboard: js-triage-needed [jsbugmon:update] → js-triage-needed [jsbugmon:update][adv-track-main17-]
Group: core-security
Keywords: regression
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: