Closed
Bug 905897
Opened 11 years ago
Closed 11 years ago
Assertion failure: [barrier verifier] Unmarked edge: baseline-stub-ioncode, at gc/Verifier.cpp:570 with setObjectMetadataCallback and ParallelArray
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 905903
People
(Reporter: decoder, Assigned: nmatsakis)
Details
(Keywords: assertion, sec-high, testcase, Whiteboard: [fuzzblocker] [jsbugmon:testComment=9,origRev=1179318fb5aa])
Attachments
(1 file)
|
784 bytes,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision a8daa428ccbc (threadsafe build, run with --fuzzing-safe --ion-eager --ion-parallel-compile=on --thread-count=2):
var lfcode = new Array();
lfcode.push("4");
lfcode.push(" var p = new ParallelArray(a);");
lfcode.push("function testBoxDoubleWithDoubleSizedInt()\n{\n}\ngczeal(4);");
lfcode.push("setObjectMetadataCallback(function(obj) {\n });\ngczeal(1);");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file)
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
case 4: eval("(function() { " + lfVarx + " })();"); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Needinfo from Brian because setObjectMetadataCallback is used. This is very similar to bug 886850. In fact the signature is the same, that's why I didn't report it earlier. S-s because that other bug is s-s.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:ignore][fuzzblocker]
|
|
Reporter | |
Comment 3•11 years ago
|
||
I forgot to mention that you need to run this test multiple times. I recommend at least 100. It showed a chance of 4% to reproduce on my system.
|
|
Reporter | |
Updated•11 years ago
|
Summary: Assertion failure: [barrier verifier] Unmarked edge: baseline-stub-ioncode, at gc/Verifier.cpp:570 with setObjectMetadataCallback → Assertion failure: [barrier verifier] Unmarked edge: baseline-stub-ioncode, at gc/Verifier.cpp:570 with setObjectMetadataCallback and ParallelArray
|
||
Comment 4•11 years ago
|
||
Niko, could you maybe look at this? It involves parallel array. In a previous instance, the involvement of setObjectMetadataCallback just exposed an underlying issue.
Flags: needinfo?(nmatsakis)
|
Assignee | |
Updated•11 years ago
|
Assignee: general → nmatsakis
|
|
Assignee | |
Comment 6•11 years ago
|
||
What configure options did you use when building? I am having trouble reproducing (even running 100 times).
Flags: needinfo?(choller)
|
|
||
Comment 7•11 years ago
|
||
I'm going to mark this sec-high until we know that this is just some weirdness of setObjectMetadataCallback in particular.
Keywords: sec-high
|
|
Reporter | |
Comment 8•11 years ago
|
||
I just reproduced the issue with the test in comment 0 on the following build (m-c rev 1179318fb5aa, options as in comment 0): --disable-debug --enable-optimize --enable-valgrind --enable-gczeal --enable-threadsafe --with-system-nspr I'm also trying to get another test that doesn't depend on threadsafe builds.
Flags: needinfo?(choller)
Hardware: x86 → x86_64
|
|
Reporter | |
Comment 9•11 years ago
|
||
Here's another test for m-c rev 1179318fb5aa (options --fuzzing-safe --ion-eager):
gczeal(4);
loadFile("with (false) '/x{{0}/';");
loadFile("setObjectMetadataCallback(function(obj) {});");
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
evaluate(lfVarx);
}
} catch (lfVare) {}
}
it raises
Assertion failure: [barrier verifier] Unmarked edge: baseline-monitor-stub-ioncode, at gc/Verifier.cpp:570
This test reproduces cleanly for me on 32/64 bit debug+opt and opt builds (all non-threadsafe). I assume this might be the same issue. Of course we cannot be sure until we fixed all of these setObjectMetadataCallback problems, but I suggest we start by fixing those that reproduce easiest.Whiteboard: [jsbugmon:ignore][fuzzblocker] → [jsbugmon:update,bisect,testComment=9,origRev=1179318fb5aa][fuzzblocker]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect,testComment=9,origRev=1179318fb5aa][fuzzblocker] → [fuzzblocker] [jsbugmon:update,testComment=9,origRev=1179318fb5aa]
|
|
Reporter | |
Comment 10•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/be1399f8f973 user: Brian Hackett date: Thu May 30 17:37:22 2013 -0600 summary: Bug 850026 - Allow metadata objects to be associated with JS objects, and add a hook for attaching metadata to newly created objects, r=luke. This iteration took 1.022 seconds to run.
|
|
Assignee | |
Comment 11•11 years ago
|
||
decoder -- I'll take a look at reproducing the first problem given those configure flags etc, thanks. The second test case doesn't involve ParallelArray or any parts of the engine that I'm particularly familiar with though.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=9,origRev=1179318fb5aa] → [fuzzblocker] [jsbugmon:update,testComment=9,origRev=1179318fb5aa,ignore]
|
|
Reporter | |
Comment 12•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ce5bc913350a).
|
|
||
Comment 13•11 years ago
|
||
A similarish bug was fixed recently, not involving Parallel Array, so perhaps this was a dupe.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=9,origRev=1179318fb5aa,ignore] → [fuzzblocker] [jsbugmon:bisectfix,testComment=9,origRev=1179318fb5aa]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:bisectfix,testComment=9,origRev=1179318fb5aa] → [fuzzblocker] [jsbugmon:testComment=9,origRev=1179318fb5aa]
|
|
Reporter | |
Comment 14•11 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/fbecef67074c user: Kannan Vijayan date: Tue Sep 24 16:38:45 2013 -0400 summary: Bug 905903 - Properly trace ICTypeMonitor chains for pre-barrier when unlinking them. r=terrence This iteration took 372.259 seconds to run.
|
|
Reporter | |
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•