Closed
Bug 1004457
Opened 11 years ago
Closed 11 years ago
Assertion failure: [barrier verifier] Unmarked edge: callee, at gc/Verifier.cpp:315
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED FIXED (mozilla32)
Release | Tracking | Status |
---|---|---|
firefox31 | --- | unaffected |
firefox32 | --- | verified |
firefox-esr24 | --- | unaffected |
People
(Reporter: decoder, Assigned: terrence)
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
(deleted), text/plain
(deleted), patch, jonco: review+
The following testcase asserts on mozilla-central revision b227a707080f (run with --fuzzing-safe):
var argObj = (function () { return arguments })();
gczeal(4);
delete argObj.callee;
Comment 1 • 11 years ago (Reporter)
Comment 2 • 11 years ago (Reporter)
Marked s-s because this is a GC-related assertion with unknown impact until triaged.
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • 11 years ago (Reporter)
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20140429121708" and the hash "d1e4a93e5b6c".
The "bad" changeset has the timestamp "20140429124009" and the hash "57292971f110".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d1e4a93e5b6c&tochange=57292971f110
Comment 4 • 11 years ago (Reporter)
Regressed by bug 989414, needinfo from terrence based on comment 3 :)
Flags: needinfo?(terrence)
Comment 5 • 11 years ago (Assignee)
Yup, this is almost certainly the BarrieredPtr rewrite. Taking.
Assignee: nobody → terrence
Flags: needinfo?(terrence)
Comment 6 • 11 years ago (Assignee)
Gah! This was dumb. HeapBase dispatches to Heap<T>, so misses pre-barriers. Fortunately the one and only spot this could bite was through the setMagic I added at the same time. Thankfully the solution is trivial.
Attachment #8416039 - Flags: review?(jcoppeard)
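The failure mode Comment 6 describes, as an added toy model that is not SpiderMonkey code and not taken from the patch: a snapshot verifier flags any edge overwritten without its pre-barrier. All type and function names are hypothetical, and it assumes `delete argObj.callee` overwrites the callee slot with a non-GC magic value (modeled as `nullptr`).

```cpp
#include <iostream>
#include <string>
#include <vector>

// Toy model only: none of these names are SpiderMonkey's.
struct Cell { bool marked = false; };             // a GC thing
struct Slot { std::string name; Cell* value; };   // a heap edge; nullptr models a magic value
struct Edge { const Slot* slot; Cell* target; };  // one snapshot entry

// Snapshot-at-the-beginning pre-barrier: mark the value about to be overwritten.
void preBarrier(Cell* old) { if (old) old->marked = true; }

// Correct setter: run the pre-barrier, then store.
void setBarriered(Slot& s, Cell* v) { preBarrier(s.value); s.value = v; }

// Buggy setter: stores through a path that never runs the pre-barrier.
void setUnbarriered(Slot& s, Cell* v) { s.value = v; }

// Record every edge that exists when verification starts.
std::vector<Edge> snapshot(const std::vector<Slot>& heap) {
    std::vector<Edge> snap;
    for (const Slot& s : heap) snap.push_back(Edge{&s, s.value});
    return snap;
}

// An edge that changed since the snapshot must have had its old target marked.
std::vector<std::string> verify(const std::vector<Edge>& snap) {
    std::vector<std::string> unmarked;
    for (const Edge& e : snap)
        if (e.slot->value != e.target && e.target && !e.target->marked)
            unmarked.push_back(e.slot->name);
    return unmarked;
}

// Model the testcase: the callee slot is overwritten while verification is active.
std::vector<std::string> run(bool barriered) {
    Cell callee;
    std::vector<Slot> heap{Slot{"callee", &callee}};
    std::vector<Edge> snap = snapshot(heap);
    if (barriered) setBarriered(heap[0], nullptr);
    else setUnbarriered(heap[0], nullptr);
    return verify(snap);
}

int main() {
    for (const std::string& n : run(false)) std::cout << "Unmarked edge: " << n << "\n";
    std::cout << "barriered failures: " << run(true).size() << "\n";
}
```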
Comment 7 • 11 years ago
Comment on attachment 8416039
fuzz_1004457-v0.diff
Review of attachment 8416039:
-----------------------------------------------------------------
Ah yes, indeed it does.
Attachment #8416039 - Flags: review?(jcoppeard) → review+
Comment 8 • 11 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated • 11 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 10 • 11 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Comment 11 • 11 years ago
Did this only affect trunk from the checkin on May 1?
Updated • 11 years ago
status-firefox30: --- → ?
status-firefox31: --- → ?
status-firefox-esr24: --- → unaffected
Flags: needinfo?(terrence)
Comment 12 • 11 years ago (Assignee)
The issue was present in m-c between 29 Apr and 14 May. I'm not sure what branches that covers.
Flags: needinfo?(terrence)
Comment 13 • 11 years ago
That's the day after we branched so this is trunk only.
status-firefox30: ? → ---
Comment 14 • 10 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed on Fx32