IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at jsgc.cpp:4711

VERIFIED FIXED

Status

Core
JavaScript Engine
--
major
VERIFIED FIXED
5 years ago
2 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase

Firefox Tracking Flags

(firefox16 unaffected, firefox-esr10 unaffected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision a29f6c635516 (run with --ion -n -m --ion-eager):


gcPreserveCode()
gczeal(4);
function f() {
    var a = [], i, N = 10;
    for (i = 0; i < N; i++)
        a[i] = {
		m: function() { return 0; }, 
		m: function() { return (false  ); }
		};
        schedulegc(10);
        assertEq(f(), 1);
}
f();
(Assignee)

Updated

5 years ago
Assignee: general → dvander
Status: NEW → ASSIGNED
Hardware: x86 → x86_64
(Assignee)

Comment 1

5 years ago
Created attachment 642811
fix

INITPROP can initialize the same element twice, meaning we may need a write barrier.
Attachment #642811 - Flags: review?(jdemooij)
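
The point in Comment 1, as an added example that is not code from this bug or from SpiderMonkey: a simplified JavaScript model of a pre-write-barrier verifier, showing why an initializing store that skips the barrier leaves an unmarked edge when the same key is initialized twice. All names (startVerify, initSlotBarriered, buildLiteral and so on) are hypothetical, and the model assumes the verifier snapshot is taken between the two stores.

```javascript
// Simplified model of a pre-write-barrier verifier. Added example; every name
// here is hypothetical and none of this is SpiderMonkey code.

// Start a verification session: snapshot every edge currently in the graph.
function startVerify(objects) {
  const edges = [];
  for (const obj of objects)
    for (const [key, target] of obj.slots) edges.push({ obj, key, target });
  return { edges, marked: new Set() };
}

// Pre-barrier: before a slot is overwritten, mark the value being replaced.
function preBarrier(session, obj, key) {
  if (session && obj.slots.has(key)) session.marked.add(obj.slots.get(key));
}

// Initializing store that assumes the slot is empty and so skips the barrier.
function initSlotUnbarriered(session, obj, key, value) {
  obj.slots.set(key, value);
}

// Initializing store that allows for a repeated key and runs the barrier first.
function initSlotBarriered(session, obj, key, value) {
  preBarrier(session, obj, key);
  obj.slots.set(key, value);
}

// End the session: a snapshot edge is fine if it is still in place or if its
// target was marked by the barrier. Anything else is an unmarked edge.
function endVerify(session) {
  return session.edges.filter(
    (e) => e.obj.slots.get(e.key) !== e.target && !session.marked.has(e.target));
}

// Models `{ m: first, m: second }`. Assumption: the snapshot is taken between
// the two initializations of `m`.
function buildLiteral(initSlot) {
  const obj = { slots: new Map() };
  const first = { name: "first m" }, second = { name: "second m" };
  initSlot(null, obj, "m", first);
  const session = startVerify([obj]);
  initSlot(session, obj, "m", second);
  return endVerify(session).map((e) => e.target.name);
}

console.log("unbarriered:", buildLiteral(initSlotUnbarriered));
console.log("barriered:", buildLiteral(initSlotBarriered));
```
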
(Assignee)

Comment 2

5 years ago
CC'ing Bill and Brian since I think JM+TI might have the same bug, but I can't reproduce it with this test case.
I tried to write a JM test case for this, but for some reason gczeal(4) seems to be totally disabling the methodjit. That didn't use to happen. I'll look into it tomorrow.
Comment on attachment 642811
fix

Review of attachment 642811:
-----------------------------------------------------------------

Please add the testcase too, or do you want to do that after JM is fixed?
Attachment #642811 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 5

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/699ab277c0b8 (test case unfortunately iloops)

Bill, should I keep this open or file a separate bug for JM?
Blocks: 774859
I cloned this into bug 774859.
(Assignee)

Comment 7

5 years ago
Thanks!
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 8

5 years ago
JSBugMon: This bug has been automatically verified fixed.
Group: core-security