Closed Bug 885648 Opened 11 years ago Closed 11 years ago

Assertion failure: [barrier verifier] Unmarked edge: Generator Floating Stack, at gc/Verifier.cpp:572

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla25
Tracking Status
firefox23 --- unaffected
firefox24 --- fixed
firefox25 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision 83aa31ec53d9 (no options required):

    gczeal(4,1);
    var iterable = { persistedProp: 17 };
    var keys = ["foo", "bar", "baz"];
    var vals = [6, 5, 14];
    iterable.__iterator__ = function(keysOnly) {
      for (var i = 0; i < keys.length; i++)
        yield [keys[i], vals[i]];
    };
    var it = Iterator(iterable);
    while (true) {
      var nextVal = it.next();
    }
Marked s-s until investigated because it's GC-related.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3efe3f3d2c25
user: Jan de Mooij
date: Wed Jun 19 19:10:04 2013 +0200
summary: Bug 882111 - Don't push an interpreter frame when calling into the JITs. r=djvj

This iteration took 333.917 seconds to run.
jandem, is bug 882111 likely related?
Flags: needinfo?(jdemooij)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> jandem, is bug 882111 likely related?

Totally, I knew it was bug 882111 when I saw the title. Floating generator frames are a pain. I will look into this soon.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attached patch Patch (deleted) — Splinter Review
Need a pre-barrier when writing to the generator's stack.
Attachment #767117 - Flags: review?(terrence)
Flags: needinfo?(jdemooij)
(The patch also removes an outdated comment: we no longer push generators back on the stack after they've been copied to the heap.)
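The comment above says the fix is a pre-barrier on the write into the generator's heap-resident stack. The following is an added example (not SpiderMonkey code, and not part of the bug's patch) of a toy snapshot-at-the-beginning incremental marker with a barrier verifier in the spirit of gc/Verifier.cpp. The objects `root`, `gen` and `value`, the `storeSlot` helper and the `unmarkedEdges` check are all assumptions made for the illustration; they model a store into a not-yet-scanned heap object between two mark slices, which is the situation the missing barrier leaves unprotected.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Heap object with outgoing edges (constructed model, not a SpiderMonkey type).
struct Obj {
    bool marked = false;
    std::vector<Obj*> slots;
};

// Minimal incremental mark phase for a snapshot-at-the-beginning collector.
struct Heap {
    std::vector<std::unique_ptr<Obj>> objs;
    std::vector<Obj*> markStack;
    bool incrementalMarking = false;

    Obj* alloc() {
        objs.push_back(std::make_unique<Obj>());
        return objs.back().get();
    }

    void mark(Obj* o) {
        if (o && !o->marked) {
            o->marked = true;
            markStack.push_back(o);
        }
    }

    // Start a GC: mark the roots, then hand control back to the mutator.
    void startMarking(const std::vector<Obj*>& roots) {
        for (auto& o : objs) o->marked = false;
        markStack.clear();
        incrementalMarking = true;
        for (Obj* r : roots) mark(r);
    }

    // Scan up to `budget` objects; returns true when marking is complete.
    bool markSlice(std::size_t budget) {
        while (budget > 0 && !markStack.empty()) {
            Obj* o = markStack.back();
            markStack.pop_back();
            for (Obj* child : o->slots) mark(child);
            --budget;
        }
        if (markStack.empty()) incrementalMarking = false;
        return markStack.empty();
    }

    // Pre-barrier: before a slot is overwritten during incremental marking,
    // mark the value it currently holds so the start-of-GC snapshot survives.
    void writeBarrierPre(Obj* old) {
        if (incrementalMarking) mark(old);
    }

    // Barrier verifier: once marking is done, every edge out of a marked
    // object must point at a marked object. Returns the number of violations
    // (the analogue of the "Unmarked edge" assertion in this bug).
    std::size_t unmarkedEdges() const {
        std::size_t bad = 0;
        for (const auto& o : objs) {
            if (!o->marked) continue;
            for (Obj* child : o->slots)
                if (child && !child->marked) ++bad;
        }
        return bad;
    }
};

// Mutator store into a heap-resident slot, with or without the pre-barrier.
void storeSlot(Heap& heap, Obj*& slot, Obj* newVal, bool withBarrier) {
    if (withBarrier) heap.writeBarrierPre(slot);
    slot = newVal;
}

// Interleave a GC with a mutator that copies a reference out of a not-yet-scanned
// object and then clears the original edge. Returns the verifier's violation count.
std::size_t runScenario(bool withBarrier) {
    Heap heap;
    Obj* root = heap.alloc();   // scanned first (like a live stack frame)
    Obj* gen = heap.alloc();    // scanned later (like a floating generator frame)
    Obj* value = heap.alloc();  // initially reachable only through gen
    root->slots.push_back(gen);
    root->slots.push_back(nullptr);
    gen->slots.push_back(value);

    heap.startMarking({root});
    heap.markSlice(1);  // scans root: gen is now marked but not yet scanned

    // Mutator runs between slices: copy the reference to root, then overwrite gen's slot.
    storeSlot(heap, root->slots[1], value, withBarrier);   // old value is null: barrier is a no-op
    storeSlot(heap, gen->slots[0], nullptr, withBarrier);  // old value is `value`: barrier must mark it

    while (!heap.markSlice(16)) {}
    return heap.unmarkedEdges();
}

int main() {
    std::printf("with pre-barrier: %zu unmarked edges\n", runScenario(true));
    std::printf("without pre-barrier: %zu unmarked edges\n", runScenario(false));
    return 0;
}
```

Without the barrier, `gen` is scanned after its slot has already been cleared, so `value` is never marked even though `root` now points at it; the verifier reports the dangling edge, which is exactly the class of defect that turns into a use-after-free once sweeping runs.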
Comment on attachment 767117 [details] [diff] [review]
Patch

Review of attachment 767117 [details] [diff] [review]:
-----------------------------------------------------------------

r=me

::: js/src/jsiter.cpp
@@ +1562,1 @@
> gen->regs.sp[-1] = arg;

I think we probably also need a post barrier after the write.

HeapValue::writeBarrierPost(cx->runtime, gen->regs.sp[-1], &gen->regs.sp[-1]);
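Review bot: the ordering around `gen->regs.sp[-1] = arg;` matters, and the two barriers sit on opposite sides of the store. The pre-barrier the patch adds must run before the assignment, since it reads and marks the value the slot currently holds; the post-barrier suggested above (`HeapValue::writeBarrierPost(cx->runtime, gen->regs.sp[-1], &gen->regs.sp[-1]);`) must run after it, since it records the newly stored value at that slot address. A pre-barrier placed after the store would mark `arg` rather than the overwritten value and leave the same unmarked edge the verifier reports.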
Attachment #767117 - Flags: review?(terrence) → review+
Comment on attachment 767117 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 882111
User impact if declined: Crashes, security bugs
Testing completed (on m-c, etc.): On m-i
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None
Attachment #767117 - Flags: approval-mozilla-aurora?
Keywords: sec-high
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Attachment #767117 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security