verifyprebarriers() x = [] function z() {} Object.defineProperty(x, 2, { value: z }) gczeal(2, 2) y = x.slice(2) y.e = (function() {}) asserts js opt shell on m-c changeset deb98a757d4a without any CLI arguments at Assertion failure: [barrier verifier] Unmarked edge: element, My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others. s-s because gczeal is involved just-to-be-safe.

(not sure if this is really correct) autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 99987:139a8f2a8538 user: Terrence Cole date: Wed Jun 20 18:48:56 2012 -0700 summary: Bug 764962 - Add a verifier mode for GenerationalGC post barriers; r=billm I verify that the parent changeset 440ac3414c64 of this changeset, does not assert with the following testcase: verifybarriers() x = [] function z() {} Object.defineProperty(x, 2, { value: z }) gczeal(2, 2) y = x.slice(2) y.e = (function() {}) (I changed verifyprebarriers() to verifybarriers() here)

Woohoo! My first sec-crit fuzz bug :-).

(In reply to Terrence Cole [:terrence] from comment #2) > Woohoo! My first sec-crit fuzz bug :-). Setting sec-critical. :)

Bill, thanks for all the help with tracking this down! I couldn't put the fix quite where we planned for reasons I added to the comment. What do I need to do to land this? Do we need a cover bug? Should I gin up a fake commit message? Should it land in Aurora and Beta too?

Comment on attachment 646663 [details] [diff] [review] v0 This affects aurora but not beta. Since this doesn't affect a release, I think it's fine to land on inbound and aurora with a simple commit message like "Move array slowification barrier."

(In reply to Terrence Cole [:terrence] from comment #6) > https://hg.mozilla.org/integration/mozilla-inbound/rev/71c43f0a8e2c Since this appears to have stuck on central, could you please nominate for Aurora?

Comment on attachment 646663 [details] [diff] [review] v0 [Approval Request Comment] Bug caused by (feature/regressing bug #): Use after free if incremental GC is triggered in a certain spot. User impact if declined: Rare crash during Incremental GC. Testing completed (on m-c, etc.): Has been on m-c for a couple days now. Risk to taking this patch (and alternatives if risky): Low. String or UUID changes made by this patch: None.

Comment on attachment 646663 [details] [diff] [review] v0 low risk, approving for aurora and if you could drop in a mozilla-central url with where this landed as well as update the status flags once this is uplifted that would be appreciated, thank you.

And backed out in: https://hg.mozilla.org/releases/mozilla-aurora/rev/e0d6e40bc40b I forgot that we have updated the name of the verifybarriers() function.

JSBugMon: This bug has been automatically verified fixed.

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug777992.js.