Bug 726799 - "Assertion failure: !f.fp()->finishedInInterpreter()," with mjitChunkLimit
Status: VERIFIED FIXED
Whiteboard: [sg:critical] js-triage-needed
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Brian Hackett (:bhackett)
Blocks: jsfunfuzz 706914
Reported: 2012-02-13 14:54 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:33 PST
Flags: choller: in-testsuite+

Attachments
stack (1.14 KB, text/plain)
2012-02-13 14:54 PST, Gary Kwong [:gkw] [:nth10sd]
patch (867 bytes, patch)
2012-02-15 15:49 PST, Brian Hackett (:bhackett)
dvander: review+
akeybl: approval-mozilla-beta+

Description Gary Kwong [:gkw] [:nth10sd] 2012-02-13 14:54:44 PST
Created attachment 596805 [details]
stack

function tryItOut(code) {
    f = eval("(function(){" + code + "})")
    for (e in f()) {}
}
mjitChunkLimit(25)
tryItOut("\
    for each(x in[0,0,0,0,0,0,0]) {\
        function f(b) {\
            Object.defineProperty(b,\"\",({t:f}))\
        }\
        for each(d in[(1),String,String,String,String,(0),String,(1),String]) {\
            try{\
                f(d);\
                yield\
            }catch(e){}\
        }\
    }\
")

asserts js debug shell on m-c changeset ebafee0cea36 with -m and -n at Assertion failure: !f.fp()->finishedInInterpreter(),
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-02-13 15:14:48 PST
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84835:d0c192e5bd41
user:        Brian Hackett
date:        Wed Jan 18 16:40:18 2012 -0800
summary:     Compile large scripts in chunks, bug 706914. r=dvander
Comment 2 Brian Hackett (:bhackett) 2012-02-15 15:49:29 PST
Created attachment 597590 [details] [diff] [review]
patch

With chunk compilation it is possible we could compile a portion of a generator script (previously, we relied on the presence of JSOP_GENERATOR or JSOP_YIELD to abort compilation).  s-s to be safe, generator frames behave pretty differently from normal frames and it's possible the VM could be confused in worse ways by this accidental compilation.
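A simplified model of the failure described in comment 2, added here as an illustration and not SpiderMonkey's own code: a per-chunk opcode scan (the check the comment says compilation used to rely on) lets through every chunk that happens to contain neither JSOP_GENERATOR nor JSOP_YIELD, whereas a whole-script generator property rejects every chunk of the script. The opcode values, the `Script` struct and the chunk splitting are constructed for this example.

```cpp
#include <algorithm>
#include <vector>

// Constructed opcode set for this model. The first two names mirror SpiderMonkey's
// JSOP_GENERATOR / JSOP_YIELD; the values and the remaining ops are made up here.
enum Op { OP_GENERATOR, OP_YIELD, OP_GETLOCAL, OP_CALL, OP_RETURN };

struct Script {
    std::vector<Op> code;  // whole-script bytecode
    bool isGenerator;      // script-level property, known before any chunk is compiled
};

// Split bytecode into chunks of at most chunkLimit ops, as a chunked JIT would.
static std::vector<std::vector<Op>> splitChunks(const Script& s, std::size_t chunkLimit) {
    std::vector<std::vector<Op>> chunks;
    for (std::size_t i = 0; i < s.code.size(); i += chunkLimit) {
        std::size_t end = std::min(i + chunkLimit, s.code.size());
        chunks.emplace_back(s.code.begin() + i, s.code.begin() + end);
    }
    return chunks;
}

// Pre-fix style check: abort only when the chunk itself holds a generator opcode.
static bool chunkCanCompileByOpcodeScan(const std::vector<Op>& chunk) {
    for (Op op : chunk)
        if (op == OP_GENERATOR || op == OP_YIELD) return false;
    return true;
}

// Post-fix style check: consult the whole-script property, independent of the chunk.
static bool chunkCanCompileByScriptFlag(const Script& s) { return !s.isGenerator; }

// Number of chunks of a script that a policy would hand to the compiler.
static std::size_t compiledChunks(const Script& s, std::size_t chunkLimit, bool useScriptFlag) {
    std::size_t n = 0;
    for (const auto& chunk : splitChunks(s, chunkLimit))
        if (useScriptFlag ? chunkCanCompileByScriptFlag(s) : chunkCanCompileByOpcodeScan(chunk)) ++n;
    return n;
}

// Constructed generator script: OP_GENERATOR first, one OP_YIELD in the middle,
// padded with ordinary ops so several chunks contain no generator opcode at all.
static Script sampleGenerator() {
    Script s{{OP_GENERATOR}, true};
    for (int i = 0; i < 10; ++i) s.code.push_back(OP_GETLOCAL);
    s.code.push_back(OP_YIELD);
    for (int i = 0; i < 10; ++i) s.code.push_back(OP_CALL);
    s.code.push_back(OP_RETURN);
    return s;  // 23 ops; with chunkLimit 5 the opcode scan lets 3 of 5 chunks through
}
```

With the whole script compiled as a single chunk both policies agree, which is why the problem only appears once mjitChunkLimit is small enough to split the generator.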
Comment 3 Brian Hackett (:bhackett) 2012-02-16 15:26:56 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa8ab7f39600
Comment 4 Ed Morley [:emorley] 2012-02-17 05:11:27 PST
https://hg.mozilla.org/mozilla-central/rev/aa8ab7f39600
Comment 5 Daniel Veditz [:dveditz] 2012-03-22 13:36:54 PDT
Comment on attachment 597590 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): 706914
User impact if declined: potentially exposed to a security hole for 6 wks
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): We'd compile code dangerously
String changes made by this patch: none
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2012-03-22 13:44:18 PDT
Verified FIXED:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   87060:aa8ab7f39600
user:        Brian Hackett
date:        Thu Feb 16 15:26:30 2012 -0800
summary:     Ensure that generators are never compiled, bug 726799. r=dvander
Comment 7 Alex Keybl [:akeybl] 2012-03-26 14:12:20 PDT
Comment on attachment 597590 [details] [diff] [review]
patch

[Triage Comment]
Approved for Beta 12 since this is an sg:crit and we'll have the opportunity to mitigate any fallout. Please land before EOD tomorrow (3/27).
Comment 8 Brian Hackett (:bhackett) 2012-03-27 17:24:13 PDT
https://hg.mozilla.org/releases/mozilla-beta/rev/37ac63b43ce6
Comment 9 Christian Holler (:decoder) 2013-01-19 14:33:04 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
