Bug 924866 (Closed)
Opened 11 years ago; closed 11 years ago
GenerationalGC: Crash [@ GetGCThingRuntime] with poisoned pointer
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 924864
People: Reporter: decoder, Unassigned
Keywords: crash, testcase; Whiteboard: [jsbugmon:ignore]
The following testcase crashes on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 8f08240128c8 (run with --fuzzing-safe --ion-eager):
var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase(n, d, e, a) {
  gTestcases[gTc++] = this;
  for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
    try {
      gTestcases[gTc].passed = writeTestCaseResult();
    } catch(e) { }
  }
}
gczeal(7,1);
Object.prototype[1] = 'peek1';
new TestCase();
new TestCase();
new TestCase();
new TestCase();
Comment 1 • 11 years ago (Reporter)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
GetGCThingRuntime (thing=0x2b2b2b2b2b2b2b2b) at dist/include/js/HeapAPI.h:126
126 return *reinterpret_cast<JS::shadow::Runtime **>(addr);
(gdb) bt 16
#0 GetGCThingRuntime (thing=0x2b2b2b2b2b2b2b2b) at dist/include/js/HeapAPI.h:126
#1 isTenured (this=0x2b2b2b2b2b2b2b2b) at ../gc/Heap.h:1043
#2 arenaHeader (this=0x2b2b2b2b2b2b2b2b) at ../gc/Heap.h:953
#3 tenuredZone (this=0x2b2b2b2b2b2b2b2b) at ../gc/Heap.h:1019
#4 zone (this=0x2b2b2b2b2b2b2b2b) at ../gc/Barrier.h:153
#5 zone (this=0x7ffff58009a0) at ../vm/ObjectImpl.h:1522
#6 js::Nursery::moveToTenured (this=0x172cb70, trc=0x7fffffffbd20, src=<optimized out>) at js/src/gc/Nursery.cpp:439
#7 0x0000000000aacebb in MinorGCCallback (thingp=0x7fffffffc218, jstrc=<optimized out>, kind=<optimized out>) at js/src/gc/Nursery.cpp:571
#8 js::Nursery::MinorGCCallback (jstrc=<optimized out>, thingp=0x7fffffffc218, kind=<optimized out>) at js/src/gc/Nursery.cpp:567
#9 0x00000000004c2156 in MarkInternal<JSObject> (trc=0x7fffffffbd20, thingp=0x7fffffffc218) at js/src/gc/Marking.cpp:195
#10 0x00000000008e2122 in MarkIonJSFrame (frame=..., trc=0x7fffffffbd20) at js/src/jit/IonFrames.cpp:795
#11 MarkJitActivation (activations=..., trc=0x7fffffffbd20) at js/src/jit/IonFrames.cpp:1057
#12 js::jit::MarkJitActivations (rt=<optimized out>, trc=0x7fffffffbd20) at js/src/jit/IonFrames.cpp:1079
#13 0x000000000052e25d in js::gc::MarkRuntime (trc=0x7fffffffbd20, useSavedRoots=<optimized out>) at js/src/gc/RootMarking.cpp:723
#14 0x0000000000aad70c in js::Nursery::collect (this=0x172cb70, rt=0x172be60, reason=<optimized out>) at js/src/gc/Nursery.cpp:594
#15 0x00000000007636be in js::gc::NewGCThing<JSShortString, (js::AllowGC)1> (cx=0x174a3e0, heap=js::gc::TenuredHeap, thingSize=64, kind=js::gc::FINALIZE_SHORT_STRING) at ../jsgcinlines.h:412
(More stack frames follow...)
(gdb) x /i $pc
=> 0xaac82e <js::Nursery::moveToTenured(js::gc::MinorCollectionTracer*, JSObject*)+46>: mov (%rdx),%rax
(gdb) info reg rdx
rdx 0x2b2b2b2b2b2ffff8 3110627432037613560
Comment 2 • 11 years ago
So the sequence of events is that an object is allocated in the nursery, then it is moved to tenured and the nursery swept, and then the original nursery location is marked as part of a new GC cycle. The old pointer is marked as part of the ion stack ("ion-gc-spill").
So it seems that something is missing a postbarrier, and the pointer it holds is then being spilled onto the stack.
Here is the stack when the object is allocated:
Hardware watchpoint 2: -location *(uintptr_t*)0x7ffff47009a0
Old value = 3182967604875373612
New value = 140737292599632
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2283
2283 ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
(gdb) bt
#0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2283
#1 0x0000000000748919 in js_memcpy (dst_=0x7ffff47009a0, src_=0x1a90118, len=64) at ../jsutil.h:33
#2 0x000000000075bc7d in js::NewObjectCache::copyCachedToObject (dst=(JSObject *) 0x7ffff47009a0 [object Object], src=(JSObject *) 0x1a90118 [object Object], kind=js::gc::FINALIZE_OBJECT4_BACKGROUND) at ../vm/Runtime.h:397
#3 0x000000000075b88c in js::NewObjectCache::newObjectFromHit (this=0x1a8fb40, cx=0x1aad650, entry_=8, heap=js::gc::DefaultHeap) at ../vm/Runtime-inl.h:55
#4 0x0000000000830e54 in NewObjectWithType (cx=0x1aad650, type=0x7ffff4537890, parent=(JSObject *) 0x7ffff453a060 [object global] delegate, allocKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, newKind=js::GenericObject) at /home/jon/work/rooting/js/src/jsobj.cpp:1463
#5 0x000000000083210b in CreateThisForFunctionWithType (cx=0x1aad650, type=0x7ffff4537890, parent=(JSObject *) 0x7ffff453a060 [object global] delegate, newKind=js::GenericObject) at /home/jon/work/rooting/js/src/jsobj.cpp:1578
#6 0x0000000000831c1b in js::CreateThisForFunctionWithProto (cx=0x1aad650, callee=(JSObject * const) 0x7ffff4549a40 [object Function "TestCase"], proto=(JSObject *) 0x7ffff453c080 [object Object] delegate, newKind=js::GenericObject) at /home/jon/work/rooting/js/src/jsobj.cpp:1591
#7 0x000000000083225f in js::CreateThisForFunction (cx=0x1aad650, callee=(JSObject * const) 0x7ffff4549a40 [object Function "TestCase"], newType=false) at /home/jon/work/rooting/js/src/jsobj.cpp:1619
#8 0x0000000000a538b7 in js::jit::CanEnter (cx=0x1aad650, state=...) at /home/jon/work/rooting/js/src/jit/Ion.cpp:1903
#9 0x00000000004c84c1 in js::RunScript (cx=0x1aad650, state=...) at /home/jon/work/rooting/js/src/vm/Interpreter.cpp:395
#10 0x00000000004d4ac2 in js::Invoke (cx=0x1aad650, args=..., construct=js::CONSTRUCT) at /home/jon/work/rooting/js/src/vm/Interpreter.cpp:482
#11 0x00000000004d5710 in js::InvokeConstructor (cx=0x1aad650, args=...) at /home/jon/work/rooting/js/src/vm/Interpreter.cpp:542
#12 0x00000000004d59cf in js::InvokeConstructor (cx=0x1aad650, fval=$jsval((JSObject *) 0x7ffff4549a40 [object Function "TestCase"]), argc=0, argv=0x7fffffffd918, rval=0x7fffffffd8c0) at /home/jon/work/rooting/js/src/vm/Interpreter.cpp:567
#13 0x000000000099a86a in js::jit::DoCallFallback (cx=0x1aad650, frame=0x7fffffffd948, stub=0x1aee0e8, argc=0, vp=0x7fffffffd908, res=JSVAL_VOID) at /home/jon/work/rooting/js/src/jit/BaselineIC.cpp:7581
#14 0x00007ffff7fef995 in ?? ()
#15 0x00007fffffffd908 in ?? ()
#16 0x00007fffffffd8c0 in ?? ()
#17 0xfff9000000000000 in ?? ()
#18 0x0000000001a81708 in js::jit::DoCallNativeSetterInfo ()
#19 0x00007ffff463bf70 in ?? ()
#20 0x00007ffff7ff11af in ?? ()
#21 0x0000000000000402 in ?? ()
#22 0x00007fffffffd948 in ?? ()
#23 0x0000000001aee0e8 in ?? ()
#24 0x0000000000000000 in ?? ()
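A toy model of the sequence described in comment 2, added here as an illustration; it is not SpiderMonkey code, and the names nursery, tenured, store_buffer, post_barrier and scenario are this example's own. A nursery object is moved to the tenured heap during a minor GC, the nursery is then swept by filling it with 0x2b bytes, and any pointer to the old location that the collector was never told about now reads as 0x2b2b2b2b2b2b2b2b, the value visible in the crash trace above. In the real bug the stale copy lived in an Ion spill slot; the model keeps it in a tenured object's field, once with and once without the post-barrier that records the slot in the store buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy generational heap with a moving nursery (added example, not SpiderMonkey
 * code). POISON_BYTE is the 0x2b pattern seen in the crash above; all other
 * names and sizes are this example's own choices. */

#define NURSERY_CELLS 8
#define TENURED_CELLS 16
#define POISON_BYTE   0x2b

enum Tag { TAG_FREE = 0, TAG_LIVE = 1, TAG_FORWARDED = 2 };

typedef struct Obj {
    uintptr_t   tag;      /* TAG_FORWARDED means "moved, see forward" */
    struct Obj *forward;  /* new address once a minor GC has moved this cell */
    struct Obj *child;    /* the one outgoing edge an object can hold */
    int         value;
} Obj;

static Obj    nursery[NURSERY_CELLS];
static Obj    tenured[TENURED_CELLS];
static size_t nursery_top, tenured_top;

/* Store buffer: tenured slots that were written with a nursery pointer. */
static Obj  **store_buffer[32];
static size_t store_buffer_len;

static bool in_nursery(const void *p) {
    const char *c = (const char *)p;
    return c >= (const char *)nursery && c < (const char *)(nursery + NURSERY_CELLS);
}

static void heap_reset(void) {
    memset(nursery, 0, sizeof nursery);
    memset(tenured, 0, sizeof tenured);
    nursery_top = tenured_top = store_buffer_len = 0;
}

static Obj *alloc(Obj *space, size_t *top, int value) {
    Obj *o = &space[(*top)++];
    o->tag = TAG_LIVE;
    o->forward = NULL;
    o->child = NULL;
    o->value = value;
    return o;
}

/* Post-barrier: after a nursery pointer is stored into a tenured object,
 * remember the slot so the next minor GC can update it. */
static void post_barrier(Obj **slot) {
    if (in_nursery(*slot))
        store_buffer[store_buffer_len++] = slot;
}

/* Copy a nursery object to tenured and leave a forwarding pointer behind. */
static Obj *move_to_tenured(Obj *src) {
    if (src->tag == TAG_FORWARDED)
        return src->forward;
    Obj *dst = &tenured[tenured_top++];
    *dst = *src;                 /* copy the payload (tag, child, value) */
    src->tag = TAG_FORWARDED;
    src->forward = dst;
    return dst;
}

/* Minor GC: roots are the explicit root list plus the store buffer. Reachable
 * nursery objects are moved, every slot the collector knows about is updated,
 * and the nursery is then swept by overwriting it with the poison pattern. */
static void minor_gc(Obj **roots[], size_t nroots) {
    for (size_t i = 0; i < nroots; i++)
        if (in_nursery(*roots[i])) *roots[i] = move_to_tenured(*roots[i]);
    for (size_t i = 0; i < store_buffer_len; i++)
        if (in_nursery(*store_buffer[i])) *store_buffer[i] = move_to_tenured(*store_buffer[i]);
    store_buffer_len = 0;
    memset(nursery, POISON_BYTE, sizeof nursery);
    nursery_top = 0;
}

/* The poison pattern as a pointer-sized word: 0x2b2b2b2b2b2b2b2b on 64-bit. */
static uintptr_t poison_word(void) {
    uintptr_t w;
    memset(&w, POISON_BYTE, sizeof w);
    return w;
}

enum Outcome { SLOT_VALID = 1, SLOT_DANGLING_POISONED = 2 };

/* Allocate in the nursery, store the pointer in a tenured object (with or
 * without the barrier), run a minor GC that moves the object and sweeps the
 * nursery, then inspect what the tenured slot now points at. */
static int scenario(bool with_barrier) {
    heap_reset();
    Obj *holder = alloc(tenured, &tenured_top, 0);   /* old-generation object */
    Obj *young  = alloc(nursery, &nursery_top, 42);  /* nursery object */
    Obj *rooted = young;                             /* a root the GC knows about */

    holder->child = young;               /* tenured -> nursery edge */
    if (with_barrier)
        post_barrier(&holder->child);    /* the step a missing post-barrier skips */

    Obj **roots[] = { &rooted };
    minor_gc(roots, 1);

    Obj *seen = holder->child;
    if (in_nursery(seen)) {
        /* Stale pointer into swept memory; in the real heap this read faulted.
         * Here the cell is our own static array, so reading it is safe. */
        return seen->tag == poison_word() ? SLOT_DANGLING_POISONED : 0;
    }
    return (seen == rooted && seen->value == 42) ? SLOT_VALID : 0;
}

int main(void) {
    printf("with post-barrier:    %s\n",
           scenario(true) == SLOT_VALID ? "slot updated to the tenured copy" : "unexpected");
    printf("without post-barrier: %s\n",
           scenario(false) == SLOT_DANGLING_POISONED ? "slot points into 0x2b-poisoned nursery" : "unexpected");
    return 0;
}
```

Run as-is: with the barrier the tenured slot follows the object to its new address; without it the slot keeps the nursery address, and the next read of that cell returns the poison word instead of an object header, which is the shape of the fault in GetGCThingRuntime above. Poisoning swept memory is what turns a silent stale read into an immediate, attributable crash.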
Comment 3 • 11 years ago
This is the same problem as bug 924864. The fix for that also makes this test case work.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE