Closed Bug 1359252 Opened 8 years ago Closed 8 years ago

Assertion failure: [barrier verifier] Unmarked edge: Object 0x7ffff46d1070 'obj' edge to Object 0x7ffff46f4070, at js/src/gc/Verifier.cpp:379

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla55
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 + verified

People

(Reporter: decoder, Assigned: jonco)

References

Details

(6 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e17cbb839dd2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):

gczeal(4);
setJitCompilerOption("ion.warmup.trigger", 20);
function h() {
  for ([a, b] in { z: 9 }) {}
}
function g(f) {
  for (var j = 0; j < 999; - j) f(0 / 0);
}
g(h);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000e28b93 in js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695e6f8) at js/src/gc/Verifier.cpp:380
#0  0x0000000000e28b93 in js::gc::GCRuntime::endVerifyPreBarriers (this=this@entry=0x7ffff695e6f8) at js/src/gc/Verifier.cpp:380
#1  0x0000000000e2bef4 in js::gc::GCRuntime::maybeVerifyPreBarriers (this=0x7ffff695e6f8, always=<optimized out>) at js/src/gc/Verifier.cpp:426
#2  0x000000000052ca03 in Interpret (cx=0x7ffff694c000, state=...) at js/src/vm/Interpreter.cpp:1803
#3  0x000000000053b3d2 in js::RunScript (cx=0x7ffff694c000, state=...) at js/src/vm/Interpreter.cpp:410
#4  0x000000000053b957 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694c000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#5  0x000000000053bc38 in InternalCall (cx=cx@entry=0x7ffff694c000, args=...) at js/src/vm/Interpreter.cpp:515
#6  0x000000000053bd6d in js::Call (cx=cx@entry=0x7ffff694c000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#7  0x00000000008429a5 in js::jit::InvokeFunction (cx=0x7ffff694c000, obj=..., constructing=<optimized out>, ignoresReturnValue=<optimized out>, argc=0, argv=0x7fffffffbca0, rval=...) at js/src/jit/VMFunctions.cpp:114
#8  0x0000062fcf5ea07c in ?? ()
[...]
#17 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7fffffffad70 140737488334192
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb1b0 140737488335280
rsp 0x7fffffffac60 140737488333920
r8  0x7ffff6ef7770 140737336276848
r9  0x7ffff7fe4740 140737354024768
r10 0x0 0
r11 0x0 0
r12 0x7ffff46d1070 140737294176368
r13 0x10f01f3 17760755
r14 0x7fffeff4d7f8 140737219188728
r15 0x7ffff46f4070 140737294319728
rip 0xe28b93 <js::gc::GCRuntime::endVerifyPreBarriers()+1395>
=> 0xe28b93 <js::gc::GCRuntime::endVerifyPreBarriers()+1395>: movl $0x0,0x0
   0xe28b9e <js::gc::GCRuntime::endVerifyPreBarriers()+1406>: ud2

Marking s-s due to GC being involved.
Jon, can you please take a look at this?
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
Attached patch bug1359252-iterator-barrier (deleted) — Splinter Review
The write to NativeIterator::obj in CodeGenerator::visitIteratorStartO needs a pre-write barrier as well.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8861865 - Flags: review?(jdemooij)
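As an added illustration, not code from this bug, from the attached patch or from SpiderMonkey itself, the following toy C++ model shows why a store into a GC-pointer field such as NativeIterator::obj needs a pre-write barrier during incremental marking, and how a barrier verifier of the kind in js/src/gc/Verifier.cpp detects a store that skipped it. Obj, writeEdgeBarriered, writeEdgeUnbarriered, BarrierVerifier and runScenario are names invented for this model; the real verifier snapshots the whole heap graph and its checks are more involved than the single-field version here.

```cpp
// Toy model of a snapshot-at-the-beginning GC pre-write barrier and of a
// barrier verifier. Added example; not SpiderMonkey code. All names below
// (Obj, g_incrementalMarking, writeEdge*, BarrierVerifier, runScenario) are
// assumptions of this model.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

struct Obj {
    std::string name;
    Obj* edge = nullptr;   // the single GC-pointer field of this toy object
    bool marked = false;   // mark bit set by the collector or by a barrier
};

// Stands in for the "incremental marking in progress" state the real barrier
// consults before doing any work.
static bool g_incrementalMarking = false;

// Pre-write barrier: before an edge is overwritten while marking is in
// progress, mark (shade) the OLD target so the object graph as it stood when
// marking began stays fully marked even if this was its only reference.
static void preWriteBarrier(Obj* oldTarget) {
    if (g_incrementalMarking && oldTarget)
        oldTarget->marked = true;
}

// Correct store: barrier first, then the write.
static void writeEdgeBarriered(Obj* src, Obj* target) {
    preWriteBarrier(src->edge);
    src->edge = target;
}

// The shape of the defect in this bug: a raw store that bypasses the barrier.
static void writeEdgeUnbarriered(Obj* src, Obj* target) {
    src->edge = target;
}

// Model of the verifier: record every edge when "marking" starts, let the
// mutator run, then check that every edge that changed had its old target
// marked. An unmarked old target means some store skipped the barrier.
struct BarrierVerifier {
    struct Edge { Obj* src; Obj* oldTarget; };
    std::vector<Edge> snapshot;

    void start(const std::vector<Obj*>& heap) {
        snapshot.clear();
        for (Obj* o : heap) {
            o->marked = false;
            if (o->edge) snapshot.push_back({o, o->edge});
        }
        g_incrementalMarking = true;
    }

    // Returns the number of "unmarked edge" findings; 0 means every barrier fired.
    size_t end() {
        g_incrementalMarking = false;
        size_t failures = 0;
        for (const Edge& e : snapshot) {
            bool changed = e.src->edge != e.oldTarget;
            if (changed && !e.oldTarget->marked)
                ++failures;   // the real verifier asserts here: "Unmarked edge: ..."
        }
        return failures;
    }
};

// One mutator scenario under the verifier: an iterator-like object whose
// pointer field is redirected from oldObj to newObj during marking. The flag
// chooses the barriered store (the fix) or the raw store (the bug).
static size_t runScenario(bool barriered) {
    Obj iter{"iterator"}, oldObj{"oldObj"}, newObj{"newObj"};
    iter.edge = &oldObj;                     // constructed starting graph
    std::vector<Obj*> heap{&iter, &oldObj, &newObj};

    BarrierVerifier verifier;
    verifier.start(heap);
    if (barriered)
        writeEdgeBarriered(&iter, &newObj);
    else
        writeEdgeUnbarriered(&iter, &newObj);
    return verifier.end();
}

int main() {
    assert(runScenario(false) == 1);   // raw store: one unmarked edge reported
    assert(runScenario(true) == 0);    // barriered store: verifier is satisfied
    return 0;
}
```

The verifier only ever sees the old target unmarked when a store was made without the barrier, which is why the assertion in this bug names the object holding the edge and the object it used to point to: the store happened, but nothing shaded the previous referent.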
Jon, are 53/54 also affected?
Flags: needinfo?(jcoppeard)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #3) No, this was caused by my patch in bug 867815 which landed on 55.
Blocks: 867815
Flags: needinfo?(jcoppeard)
[Tracking Requested - why for this release]:
We can track this for 55. But we would already catch this in sec-high triage and platform triage, in theory.
Comment on attachment 8861865 [details] [diff] [review]
bug1359252-iterator-barrier

Review of attachment 8861865 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, I should have noticed this when I reviewed the patch. Bug 1358599 will change this code so you might want to land first.
Attachment #8861865 - Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: javascript-core-security → core-security-release
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release