Closed Bug 917733 Opened 9 years ago Closed 8 years ago

Assertion failure: !aheader->hasFreeThings(), at js/src/jsgc.h:531 or Crash [@ js::ObjectImpl::readBarrier]


(Core :: JavaScript Engine, defect)

25 Branch
Not set
Tracking Status
firefox24 --- unaffected
firefox25 - affected
firefox26 - ?
firefox27 --- unaffected
(Reporter: decoder, Unassigned)
(5 keywords, Whiteboard: [jsbugmon:])

The following testcase asserts on mozilla-beta revision adb9fbeec38d (threadsafe build, run with --ion-eager):

function foo() bar(1,2,3,4,5,6,7,8,9);
function bar(... Number) foo();

This affects mozilla-beta only; here's the crash trace (actually the crash triggers when using --ion-eager, and the assertion pops up if I add --fuzzing-safe):

Program received signal SIGSEGV, Segmentation fault.
js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
173         if (zone->needsBarrier()) {
#0  js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
#1  0x0000000000415851 in get (this=<optimized out>) at ../../gc/Barrier.h:631
#2  operator js::GlobalObject* (this=<optimized out>) at ../../gc/Barrier.h:635
#3  maybeGlobal (this=<optimized out>) at ../../jscompartmentinlines.h:25
#4  JSObject::global (this=<optimized out>) at ../../jsobjinlines.h:771
#5  0x00000000006e0f27 in js_GetClassObject (cxArg=0x18e6890, obj=<optimized out>, key=JSProto_InternalError, objp=0x0) at js/src/jsobj.cpp:3080
#6  0x00000000006e4700 in js_FindClassObject (cx=0x18e6890, protoKey=JSProto_InternalError, vp=JSVAL_VOID, clasp=<optimized out>) at js/src/jsobj.cpp:3151
#7  0x00000000006ea432 in js_GetClassPrototype (cx=0x18e6890, protoKey=<optimized out>, protop=0x0, clasp=0x0) at js/src/jsobj.cpp:5128
rax     0x7     -2111062325329913
rip     0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>
=> 0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>:  cmpb   $0x0,(%rax)
   0x41550f <js::ObjectImpl::readBarrier(js::ObjectImpl*)+79>:  je     0x415549 <js::ObjectImpl::readBarrier(js::ObjectImpl*)+137>

I'm marking this s-s because the assertion involves GC and the test switches between assertion and crash by adding --fuzzing-safe, which doesn't really sound good to me.
Crash Signature: [@ js::ObjectImpl::readBarrier]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
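The bisection below points at the length Ion passes when it creates the template object for a rest-argument array (bug 901389). The following is an added regression-style check for that property; it is not part of this bug report or of the SpiderMonkey test suite. It builds a call site with a literal argument list for every arity from 0 to 20 (mirroring the fixed-arity call bar(1,...,9) in the testcase), runs each call site enough times for a JIT to compile it, and verifies on every call that the rest array has the expected length, no holes, the right elements, and is a fresh object rather than a reused template. The helper names (collect, makeCaller, checkRestArity, runRestChecks), the iteration count and the arity range are assumptions; the original's expression-closure syntax is replaced by standard rest parameters so it runs on any current engine.

```javascript
'use strict';

// Callee with a rest parameter. Returns a snapshot of what the engine handed
// us so the caller can verify it independently of how the call was compiled.
function collect(...rest) {
  return {
    isArray: Array.isArray(rest),
    length: rest.length,
    // Object.keys lists only own enumerable keys; for a dense, hole-free
    // array that is exactly the indices 0..length-1.
    keyCount: Object.keys(rest).length,
    values: rest,
  };
}

// Build a caller whose call site has a literal argument list, e.g.
// `collect(0,1,2)`, so the arity is fixed at compile time. The literals are
// constructed integers generated here, not external input.
function makeCaller(n) {
  const lits = Array.from({ length: n }, (_, i) => String(i)).join(',');
  return new Function('collect', `return collect(${lits});`);
}

// Run one call site `iterations` times (assumed count, chosen to be large
// enough for tiered JITs to compile it) and check every result.
function checkRestArity(n, iterations = 2000) {
  const call = makeCaller(n);
  let previous = null;
  for (let iter = 0; iter < iterations; iter++) {
    const r = call(collect);
    if (!r.isArray || r.length !== n || r.keyCount !== n) return false;
    for (let i = 0; i < n; i++) {
      if (r.values[i] !== i) return false;
    }
    // Each call must receive its own array, never a shared template object.
    if (previous !== null && previous === r.values) return false;
    previous = r.values;
  }
  return true;
}

// Check every arity in [0, maxArity]; returns the list of arities that failed
// (empty when the engine handles rest arrays correctly).
function runRestChecks(maxArity = 20) {
  const failures = [];
  for (let n = 0; n <= maxArity; n++) {
    if (!checkRestArity(n)) failures.push(n);
  }
  return failures;
}

console.log('failing rest-argument arities:', runRestChecks());
```

Run it under the engine's JIT-eager mode (for the SpiderMonkey shell, the --ion-eager flag named in the report) to exercise the compiled path from the first iteration; an empty failure list is the expected result on a fixed build.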
Version: Trunk → 25 Branch
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Error: Unsupported branch "25 Branch" required by bug
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "25 Branch" required by bug
Rating sec-high based on current info.
Keywords: sec-high
I'm seeing multiple GC crash signatures on mozilla-beta. Can we get a fix for this so we can rule out that there are more problems on beta?
Akeybl: this is a security vulnerability that regressed sometime between when this was on Mozilla central and the Beta uplift. We should get this fixed before release.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80fe42f29748
user:        Shu-yu Guo
date:        Fri Aug 02 08:24:57 2013 -0700
summary:     Bug 898746 - Type rest argument arrays as dense arrays with unknown element type. (r=bhackett)

Does bug 898746 seem possible?
Blocks: 898746
Any idea what the first good cset is on central after 80fe42f29748?
Flags: needinfo?(shu)
This was fixed by 901389, which looks like it missed the uplift. Marking duplicate and asking for a? on that bug.
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 901389
autoBisect shows this is probably related to the following changeset:

The first good revision is:
user:        Shu-yu Guo
date:        Tue Aug 06 18:15:53 2013 -0700
summary:     Bug 901389 - Pass length correctly in creating rest argument template objects in Ion. (r=bhackett)

Yep, that's right.
Group: core-security → core-security-release
Group: core-security-release