Closed Bug 857094 Opened 12 years ago Closed 12 years ago

Assertion failure: [barrier verifier] Unmarked edge: objectElements, at gc/Verifier.cpp:596

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox21 --- unaffected
firefox22 + fixed
firefox23 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: shu)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][adv-main22-])

Attachments

(2 files)

fix
4.45 KB, patch
sstangl
: review+
Details | Diff | Splinter Review
patch for Firefox 22
5.05 KB, patch
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
The following testcase asserts on mozilla-central revision aae004a3c5d9 (run with --ion-eager): gczeal(4); var shape = [5]; for (var i = 0; i < 7; i++) { shape.push(i+1); var p = new ParallelArray(shape, function(k) { return k; }); var r = p.scatter([0,1,0,3,04 ], 9, function (a,b) { return a+b; }, 10); }
Marked s-s because this involves GC.
Whiteboard: [jsbugmon:update,bisect]
I cannot reproduce locally with a debug shell and --ion-eager.
(In reply to Shu-yu Guo [:shu] from comment #2) > I cannot reproduce locally with a debug shell and --ion-eager. What OS are you using, and what build options? The debug shell was built with --enable-debug --enable-optimize --enable-valgrind on Linux, built for x86 (32 bit). If that doesn't help reproducing, let me know.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 125555:b00eb1ef1517 user: Nicholas D. Matsakis date: Tue Mar 19 22:12:27 2013 -0400 summary: Bug 829602 - Enable self-hosted parallelarray r=dvander,till This iteration took 170.963 seconds to run.
(In reply to Christian Holler (:decoder) from comment #3) > (In reply to Shu-yu Guo [:shu] from comment #2) > > I cannot reproduce locally with a debug shell and --ion-eager. > > What OS are you using, and what build options? The debug shell was built > with --enable-debug --enable-optimize --enable-valgrind on Linux, built for > x86 (32 bit). > > If that doesn't help reproducing, let me know. Interesting. This is only reproducible with a non-threadsafe shell for me.
Attached patch fixSplinter Review
Missed checking if MStoreElement needs a prebarrier when inlining UnsafeSetElement.
Attachment #733145 - Flags: review?(sstangl)
Assignee: general → shu
Comment on attachment 733145 [details] [diff] [review] fix Review of attachment 733145 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/MCallOptimize.cpp @@ +1000,5 @@ > callInfo.getArg(elemi), > /* needsHoleCheck = */ false); > store->setRacy(); > > + // Determine whether a write barrier is required. The code following the comment is nicely self-explanatory, so we can remove the comment. (jsop_setelem_dense() has a similar redundant comment which can also be removed.)
Attachment #733145 - Flags: review?(sstangl) → review+
(In reply to Sean Stangl [:sstangl] from comment #7) > Comment on attachment 733145 [details] [diff] [review] > fix > > Review of attachment 733145 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: js/src/ion/MCallOptimize.cpp > @@ +1000,5 @@ > > callInfo.getArg(elemi), > > /* needsHoleCheck = */ false); > > store->setRacy(); > > > > + // Determine whether a write barrier is required. > > The code following the comment is nicely self-explanatory, so we can remove > the comment. (jsop_setelem_dense() has a similar redundant comment which can > also be removed.) I thought it might be good to have it in there since 'barrier' is overloaded between type and write barriers. But perhaps the absence of a TypeSet around the code is enough to distinguish it as a write vs type barrier when eyeballing.
https://hg.mozilla.org/mozilla-central/rev/1aa1dc84a1a4
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox23: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Since this affected previous branches at the time it landed (fx22) and is a security bug of unstated severity this patch should have sought sec-approval before landing. Please put together a Fx22 patch and request aurora approval, or explain that this turns out not to have been a security bug after all.
Blocks: 829602
status-b2g18: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox22: --- → +
tracking-firefox23: --- → +
Flags: needinfo?(shu)
Keywords: regression
[Approval Request Comment] Bug caused by (feature/regressing bug #): 807853 User impact if declined: Possibly exploitable GC security bug Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): None String or IDL/UUID changes made by this patch: This is the commmit from m-c, should apply cleanly to Aurora.
Attachment #744942 - Flags: approval-mozilla-aurora?
Flags: needinfo?(shu)
Was this caused by bug 829602 (FF22) or bug 807853 (FF21)?
status-firefox21: unaffected?
Attachment #744942 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Alex Keybl [:akeybl] from comment #14) > Was this caused by bug 829602 (FF22) or bug 807853 (FF21)? Sorry, it's 829602. The code was added in 807853, but it had no users until 829602 landed.
Keywords: checkin-needed
status-firefox21: ?unaffected
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: