Assertion failure: !aheader->hasFreeThings(), at js/src/jsgc.h:531 or Crash [@ js::ObjectImpl::readBarrier]

RESOLVED DUPLICATE of bug 901389

Core
JavaScript Engine
--
critical
5 years ago
2 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, 5 keywords)

25 Branch
x86_64
Linux
assertion, crash, regression, sec-high, testcase

Firefox Tracking Flags

(firefox24 unaffected, firefox25- affected, firefox26- ?, firefox27 unaffected)

Details

(Whiteboard: [jsbugmon:], crash signature)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-beta revision adb9fbeec38d (threadsafe build, run with --ion-eager):


function foo() bar(1,2,3,4,5,6,7,8,9);
function bar(... Number) foo();
foo();
(Reporter)

Comment 1

5 years ago
This affects mozilla-beta only, here's the crash trace (actually the crash triggers when using --ion-eager and the assertion pops up if I add --fuzzing-safe):


Program received signal SIGSEGV, Segmentation fault.
js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
173         if (zone->needsBarrier()) {
#0  js::ObjectImpl::readBarrier (obj=0x7ffff694d060) at ../../vm/ObjectImpl-inl.h:173
#1  0x0000000000415851 in get (this=<optimized out>) at ../../gc/Barrier.h:631
#2  operator js::GlobalObject* (this=<optimized out>) at ../../gc/Barrier.h:635
#3  maybeGlobal (this=<optimized out>) at ../../jscompartmentinlines.h:25
#4  JSObject::global (this=<optimized out>) at ../../jsobjinlines.h:771
#5  0x00000000006e0f27 in js_GetClassObject (cxArg=0x18e6890, obj=<optimized out>, key=JSProto_InternalError, objp=0x0) at js/src/jsobj.cpp:3080
#6  0x00000000006e4700 in js_FindClassObject (cx=0x18e6890, protoKey=JSProto_InternalError, vp=JSVAL_VOID, clasp=<optimized out>) at js/src/jsobj.cpp:3151
#7  0x00000000006ea432 in js_GetClassPrototype (cx=0x18e6890, protoKey=<optimized out>, protop=0x0, clasp=0x0) at js/src/jsobj.cpp:5128
rax     0x7     -2111062325329913
rip     0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>
=> 0x41550c <js::ObjectImpl::readBarrier(js::ObjectImpl*)+76>:  cmpb   $0x0,(%rax)
   0x41550f <js::ObjectImpl::readBarrier(js::ObjectImpl*)+79>:  je     0x415549 <js::ObjectImpl::readBarrier(js::ObjectImpl*)+137>


I'm marking this s-s because the assertion involves GC and the test switches between assertion and crash by adding --fuzzing-safe, which doesn't really sound good to me.
Crash Signature: [@ js::ObjectImpl::readBarrier]
status-firefox25: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Version: Trunk → 25 Branch
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
(Reporter)

Comment 2

5 years ago
JSBugMon: Cannot process bug: Error: Unsupported branch "25 Branch" required by bug
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
(Reporter)

Comment 3

5 years ago
JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "25 Branch" required by bug
Rating sec-high based on current info.
Keywords: sec-high
(Reporter)

Comment 5

5 years ago
I'm seeing multiple GC crash signatures on mozilla-beta. Can we get a fix for this so we can rule out that there are more problems on beta?
Akeybl: this is a security vulnerability that regressed sometime between when this was on Mozilla central and the Beta uplift. We should get this fixed before release.
status-firefox24: --- → unaffected
status-firefox26: --- → ?
status-firefox27: --- → unaffected
tracking-firefox25: --- → +
Keywords: regression
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80fe42f29748
user:        Shu-yu Guo
date:        Fri Aug 02 08:24:57 2013 -0700
summary:     Bug 898746 - Type rest argument arrays as dense arrays with unknown element type. (r=bhackett)

Does https://hg.mozilla.org/releases/mozilla-beta/rev/80fe42f29748 or bug 898746 seem possible?
Blocks: 898746
Flags: needinfo?(shu)

Comment 8

5 years ago
Any idea what the first good cset is on central after 80fe42f29748?
Flags: needinfo?(shu)

Comment 9

5 years ago
This was fixed by 901389, which looks like it missed the uplift. Marking duplicate and asking for a? on that bug.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 901389
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c70720eea645
user:        Shu-yu Guo
date:        Tue Aug 06 18:15:53 2013 -0700
summary:     Bug 901389 - Pass length correctly in creating rest argument template objects in Ion. (r=bhackett)

Yep, that's right.
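The fix in bug 901389 concerns the length used when Ion creates the template object for a rest-argument array. As an added regression-style check (constructed here; not the reporter's testcase and not code from the SpiderMonkey test suite), the following standard JavaScript exercises rest arrays across many arities in a hot, mutually recursive pair shaped like the testcase and reports the first length or content mismatch; `foo`, `bar` and `checkRestArgs` are names chosen for this example.

```javascript
// Added regression-style check for the class of bug this report describes:
// rest-argument arrays built by the JIT must have the correct length and
// contents for every arity, however hot the call site gets. Constructed
// example in standard syntax; not the reporter's testcase and not code from
// the SpiderMonkey test suite.

// Mutually recursive pair mirroring the shape of the reporter's testcase.
// `depth` bounds the recursion so the check terminates.
function foo(depth, n) {
  if (depth === 0) return null;
  const args = [];
  for (let i = 1; i <= n; i++) args.push(i);
  return bar(depth, n, ...args);
}

function bar(depth, n, ...rest) {
  // The rest array must reflect exactly the trailing arguments.
  if (!Array.isArray(rest) || rest.length !== n) {
    return { ok: false, depth, n, got: rest.length };
  }
  for (let i = 0; i < n; i++) {
    if (rest[i] !== i + 1) return { ok: false, depth, n, got: rest[i] };
  }
  // Appending must grow the array by exactly one element; a wrongly sized
  // template object would surface here as a mismatched length.
  rest.push(-1);
  if (rest.length !== n + 1 || rest[n] !== -1) {
    return { ok: false, depth, n, got: rest.length };
  }
  const inner = foo(depth - 1, n);
  return inner === null ? { ok: true, depth, n } : inner;
}

// Run many arities for enough iterations that a tiered JIT compiles both
// functions. Returns null when every call matched, else the first failure.
function checkRestArgs(maxArity = 16, iterations = 2000) {
  for (let iter = 0; iter < iterations; iter++) {
    for (let n = 0; n <= maxArity; n++) {
      const r = foo(8, n);
      if (!r.ok) return r;
    }
  }
  return null;
}

console.log(checkRestArgs() === null ? "rest arguments OK" : "MISMATCH");
```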

Updated

5 years ago
tracking-firefox25: + → -
tracking-firefox26: --- → -

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release