Assertion failure: trc->root, at gc/Verifier.cpp

RESOLVED FIXED in mozilla23

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: gkw, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version: Trunk
Target Milestone: mozilla23
Hardware: ARM
OS: Linux
Keywords: assertion, regression, testcase
Points: ---

Firefox Tracking Flags

(Not tracked)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
An upcoming testcase asserts js debug shell on m-c changeset 2aff2d574a1e with --ion-eager --no-jm --no-ti at Assertion failure: trc->root, at gc/Verifier.cpp

Filing first because this is difficult to reproduce on platforms other than an ARM pandaboard, at least for jsfunfuzz. decoder mentions that Langfuzz might have found this as well.

s-s because GC stuff seems to be involved, at least from the assertion message.
(Reporter)

Comment 1

5 years ago
Created attachment 740461 [details]
stack

try {
    m = new Map();
    this.n += 'xxx';
    for (var y = 0; y < 9; ++y) {
        for (var z = 0; z < 9; ++z) {
            n += n;
        }
    }
} catch (e) {}
m.set(n);
verifyprebarriers()
print(Array(0x5a827999));
(Reporter)

Comment 2

5 years ago
I was discussing this with billm over IRC just now, so setting needinfo.
Flags: needinfo?(wmccloskey)
(Assignee)

Comment 3

5 years ago
I was hoping this was just an OOM, but it looks like it's not. hadOutOfMemory is false for the runtime.

It appears to be some kind of memory corruption. I'm not sure what the next steps are. It's a huge pain to debug.
Flags: needinfo?(wmccloskey)
Comment 4

Here's a second test that reproduces most of the time (if not, then it OOMs):

var BUGNUMBER = '';
function f2(o) {}
function f() {
    verifyprebarriers();
    BUGNUMBER(void 0, f(Int16Array(28800000,-28800)));
}
f();


Valgrind shows nothing unfortunately.
(Assignee)

Comment 5

5 years ago
Created attachment 741012 [details] [diff] [review]
patch

This turned out to be just an OOM. I should have looked more carefully at the assertion itself. For some reason the debugger was trapping at some other location.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #741012 - Flags: review?(terrence)
(Assignee)

Updated

5 years ago
Group: core-security
(Reporter)

Comment 6

5 years ago
We should also land the 2 testcases in this case.
Comment 7

Comment on attachment 741012 [details] [diff] [review]
patch

Review of attachment 741012 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Verifier.cpp
@@ +511,5 @@
>      /* Make all the roots be edges emanating from the root node. */
>      MarkRuntime(trc);
>  
> +    VerifyNode *node;
> +    node = trc->curnode;
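Review bot: the split of `VerifyNode *node;` from `node = trc->curnode;` right after `MarkRuntime(trc);` reads as gratuitous on its own and invites exactly the question asked below; a one-line comment stating that the declaration is hoisted so a later `goto` in this function does not jump past an initialization (the reason given in comment 8) would let the next reader skip that detour. Note also that this hunk shows only that refactor; the OOM handling the patch is for (comment 5) is not visible in the quoted lines, so the review+ is being given on context not shown here.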

Why this change?
Attachment #741012 - Flags: review?(terrence) → review+
(Assignee)

Comment 8

5 years ago
> Why this change?

I was getting one of those stupid errors about goto going around a variable initialization.

https://hg.mozilla.org/integration/mozilla-inbound/rev/6b1b8e195cad
https://hg.mozilla.org/mozilla-central/rev/6b1b8e195cad
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23