Last Comment Bug 726799 - "Assertion failure: !f.fp()->finishedInInterpreter()," with mjitChunkLimit
: "Assertion failure: !f.fp()->finishedInInterpreter()," with mjitChunkLimit
[sg:critical] js-triage-needed
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
-- critical (vote)
: mozilla12
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 706914
  Show dependency treegraph
Reported: 2012-02-13 14:54 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:33 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (1.14 KB, text/plain)
2012-02-13 14:54 PST, Gary Kwong [:gkw] [:nth10sd]
no flags Details
patch (867 bytes, patch)
2012-02-15 15:49 PST, Brian Hackett (:bhackett)
dvander: review+
akeybl: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description User image Gary Kwong [:gkw] [:nth10sd] 2012-02-13 14:54:44 PST
Created attachment 596805 [details]

function tryItOut(code) {
    f = eval("(function(){" + code + "})")
    for (e in f()) {}
    for each(x in[0,0,0,0,0,0,0]) {\
        function f(b) {\
        for each(d in[(1),String,String,String,String,(0),String,(1),String]) {\

asserts js debug shell on m-c changeset ebafee0cea36 with -m and -n at Assertion failure: !f.fp()->finishedInInterpreter(),
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2012-02-13 15:14:48 PST
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84835:d0c192e5bd41
user:        Brian Hackett
date:        Wed Jan 18 16:40:18 2012 -0800
summary:     Compile large scripts in chunks, bug 706914. r=dvander
Comment 2 User image Brian Hackett (:bhackett) 2012-02-15 15:49:29 PST
Created attachment 597590 [details] [diff] [review]

With chunk compilation it is possible we could compile a portion of a generator script (previously, we relied on the presence of JSOP_GENERATOR or JSOP_YIELD to abort compilation).  s-s to be safe, generator frames behave pretty differently from normal frames and it's possible the VM could be confused in worse ways by this accidental compilation.
Comment 3 User image Brian Hackett (:bhackett) 2012-02-16 15:26:56 PST
Comment 4 User image Ed Morley [:emorley] 2012-02-17 05:11:27 PST
Comment 5 User image Daniel Veditz [:dveditz] 2012-03-22 13:36:54 PDT
Comment on attachment 597590 [details] [diff] [review]

[Approval Request Comment]
Regression caused by (bug #): 706914
User impact if declined: potentially exposed to a security hole for 6 wks
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): We'd compile code dangerously
String changes made by this patch: none
Comment 6 User image Gary Kwong [:gkw] [:nth10sd] 2012-03-22 13:44:18 PDT
Verified FIXED:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   87060:aa8ab7f39600
user:        Brian Hackett
date:        Thu Feb 16 15:26:30 2012 -0800
summary:     Ensure that generators are never compiled, bug 726799. r=dvander
Comment 7 User image Alex Keybl [:akeybl] 2012-03-26 14:12:20 PDT
Comment on attachment 597590 [details] [diff] [review]

[Triage Comment]
Approved for Beta 12 since this is an sg:crit and we'll have the opportunity to mitigate any fallout. Please land before EOD tomorrow (3/27).
Comment 8 User image Brian Hackett (:bhackett) 2012-03-27 17:24:13 PDT
Comment 9 User image Christian Holler (:decoder) 2013-01-19 14:33:04 PST
Automatically extracted testcase for this bug was committed:

Note You need to log in before you can comment on or make changes to this bug.