Bug 645505 - "Assertion failure: caller->fun()->isHeavyweight(),"
Status: RESOLVED FIXED
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: general
Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz 630996
Reported: 2011-03-27 09:06 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-08-31 04:28 PDT
Flags: gary: in-testsuite?

Attachments
stack (4.23 KB, text/plain) - 2011-03-27 09:23 PDT, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2011-03-27 09:06:21 PDT
Math.p = 0
f = (function () {
    return ((eval("") for ({} in Math)))
})
for (i in f()) {}

asserts js debug shell on TM changeset 5152bdff3c9c without -m nor -j at Assertion failure: caller->fun()->isHeavyweight()

This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-03-27 09:23:01 PDT
Created attachment 522223: stack
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-03-27 09:42:14 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   63366:dbb123c798c8
user:        Luke Wagner
date:        Mon Mar 14 11:30:36 2011 -0700
summary:     Bug 636296 - Change meaning of JSStackFrame::hasCallObj to be more sane (r=waldo)
Comment 3 Luke Wagner [:luke] 2011-03-27 18:26:12 PDT
Ah ha.  Bug 636296 strengthened this assertion (http://hg.mozilla.org/tracemonkey/rev/dbb123c798c8#l9.12).

So either:
 (1) the new assertion is overzealous (NB: the meaning of hasCallObj has changed, which is why I touched this)
 (2) there is a bug in the heavyweight-marking of generator expressions

I was under the impression that the implication
  contains a direct eval ==> is heavyweight
held, so it seems like (2).  Anyone here familiar with generator expression parser magic?
Comment 4 David Mandelin [:dmandelin] 2011-03-28 18:01:59 PDT
(In reply to comment #3)
> Ah ha.  Bug 636296 strengthened this assertion
> (http://hg.mozilla.org/tracemonkey/rev/dbb123c798c8#l9.12 .
> 
> So either:
>  (1) the new assertion is overzealous (NB: the meaning of hasCallObj has
> changed, which is why I touched this)
>  (2) there is a bug in the heavyweight-marking of generator expressions
> 
> I was under the impression that the implication
>   contains a direct eval ==> is heavyweight
> held, so it seems like (2).  Anyone here familiar with generator expression
> parser magic?

I agree with the analysis. Also, dis() applied to a test case where this code is wrapped in a function shows that the generator function is not marked heavyweight.
Comment 5 Gary Kwong [:gkw] [:nth10sd] 2011-08-12 02:26:37 PDT
Comment 0 no longer asserts after the following fix landed on JM:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   71037:cbf05c26053e
user:        Brian Hackett
date:        Tue Jun 07 16:33:25 2011 -0700
summary:     [INFER] Fix no-op propagation of deoptimization flags for array comprehensions, bug 660538.

Thus, the assertion is likely to be fixed when TI lands on mozilla-central some weeks later.

(it still asserts in mozilla-inbound changeset 223d4f4bd252, tip as of now)
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2011-08-31 04:28:35 PDT
Fixed by landing of TI on m-i/m-c:

http://hg.mozilla.org/mozilla-central/rev/b61af4d7dc7c (last TI changeset on TI branch)
http://hg.mozilla.org/mozilla-central/rev/31b79d4e90f4 (merge of last green m-i changeset to m-c)
