"Assertion failure: !f.fp()->finishedInInterpreter()," with mjitChunkLimit

VERIFIED FIXED in Firefox 12

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
VERIFIED FIXED
Reported:
7 years ago
Modified:
6 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version:
Trunk
Target:
mozilla12
Platform:
x86
Linux
Keywords:
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox11 unaffected, firefox12+ fixed, firefox13 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed)

Attachments

(2 attachments)

stack
1.14 KB, text/plain
Details
patch
867 bytes, patch
dvander
: review+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
(Reporter)

Description

7 years ago 
Created attachment 596805 [details]
stack

function tryItOut(code) {
    f = eval("(function(){" + code + "})")
    for (e in f()) {}
}
mjitChunkLimit(25)
tryItOut("\
    for each(x in[0,0,0,0,0,0,0]) {\
        function f(b) {\
            Object.defineProperty(b,\"\",({t:f}))\
        }\
        for each(d in[(1),String,String,String,String,(0),String,(1),String]) {\
            try{\
                f(d);\
                yield\
            }catch(e){}\
        }\
    }\
")

asserts js debug shell on m-c changeset ebafee0cea36 with -m and -n at Assertion failure: !f.fp()->finishedInInterpreter(),
(Reporter)

Comment 1

7 years ago 
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84835:d0c192e5bd41
user:        Brian Hackett
date:        Wed Jan 18 16:40:18 2012 -0800
summary:     Compile large scripts in chunks, bug 706914. r=dvander
Blocks: 706914
 (Assignee)

Updated

7 years ago
Group: core-security
 (Assignee)

Comment 2

7 years ago 
Created attachment 597590 [details] [diff] [review]
patch

With chunk compilation it is possible we could compile a portion of a generator script (previously, we relied on the presence of JSOP_GENERATOR or JSOP_YIELD to abort compilation).  s-s to be safe, generator frames behave pretty differently from normal frames and it's possible the VM could be confused in worse ways by this accidental compilation.
Assignee: general → bhackett1024
Attachment #597590 - Flags: review?(dvander)
 (Reporter)

Updated

7 years ago
Whiteboard: js-triage-needed → [sg:critical?] js-triage-needed
 (Reporter)

Updated

7 years ago
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical] js-triage-needed
Attachment #597590 - Flags: review?(dvander) → review+

Comment 4

7 years ago 
https://hg.mozilla.org/mozilla-central/rev/aa8ab7f39600
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
status-firefox13: --- → fixed
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +

Comment 5

7 years ago 
Comment on attachment 597590 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): 706914
User impact if declined: potentially exposed to a security hole for 6 wks
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): We'd compile code dangerously
String changes made by this patch: none
Attachment #597590 - Flags: approval-mozilla-beta?
 (Reporter)

Comment 6

7 years ago 
Verified FIXED:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   87060:aa8ab7f39600
user:        Brian Hackett
date:        Thu Feb 16 15:26:30 2012 -0800
summary:     Ensure that generators are never compiled, bug 726799. r=dvander
Status: RESOLVED → VERIFIED
Flags: in-testsuite?

Comment 7

7 years ago 
Comment on attachment 597590 [details] [diff] [review]
patch

[Triage Comment]
Approved for Beta 12 since this is an sg:crit and we'll have the opportunity to mitigate any fallout. Please land before EOD tomorrow (3/27).
Attachment #597590 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
 (Assignee)

Comment 8

7 years ago 
https://hg.mozilla.org/releases/mozilla-beta/rev/37ac63b43ce6
Target Milestone: mozilla13 → mozilla12
status-firefox12: affected → fixed
Group: core-security

Comment 9

6 years ago 
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.