"Assertion failure: !f.fp()->finishedInInterpreter()," with mjitChunkLimit
VERIFIED
FIXED
in Firefox 12
Status
()
People
(Reporter: gkw, Assigned: bhackett)
Tracking
(Blocks: 1 bug, {assertion, regression, testcase})
Firefox Tracking Flags
(firefox11 unaffected, firefox12+ fixed, firefox13 fixed, firefox-esr10 unaffected)
Details
(Whiteboard: [sg:critical] js-triage-needed)
Attachments
(2 attachments)
1.14 KB,
text/plain
|
Details | |
867 bytes,
patch
|
dvander
:
review+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
Created attachment 596805 [details]
stack
function tryItOut(code) {
f = eval("(function(){" + code + "})")
for (e in f()) {}
}
mjitChunkLimit(25)
tryItOut("\
for each(x in[0,0,0,0,0,0,0]) {\
function f(b) {\
Object.defineProperty(b,\"\",({t:f}))\
}\
for each(d in[(1),String,String,String,String,(0),String,(1),String]) {\
try{\
f(d);\
yield\
}catch(e){}\
}\
}\
")
asserts js debug shell on m-c changeset ebafee0cea36 with -m and -n at Assertion failure: !f.fp()->finishedInInterpreter(),
![]() |
(Reporter) | |
Comment 1•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 84835:d0c192e5bd41 user: Brian Hackett date: Wed Jan 18 16:40:18 2012 -0800 summary: Compile large scripts in chunks, bug 706914. r=dvander
Blocks: 706914
(Assignee) | ||
Updated•7 years ago
|
Group: core-security
(Assignee) | ||
Comment 2•7 years ago
|
||
Created attachment 597590 [details] [diff] [review] patch With chunk compilation it is possible we could compile a portion of a generator script (previously, we relied on the presence of JSOP_GENERATOR or JSOP_YIELD to abort compilation). s-s to be safe, generator frames behave pretty differently from normal frames and it's possible the VM could be confused in worse ways by this accidental compilation.
Assignee: general → bhackett1024
Attachment #597590 -
Flags: review?(dvander)
![]() |
(Reporter) | |
Updated•7 years ago
|
Whiteboard: js-triage-needed → [sg:critical?] js-triage-needed
![]() |
(Reporter) | |
Updated•7 years ago
|
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical] js-triage-needed
Attachment #597590 -
Flags: review?(dvander) → review+
(Assignee) | ||
Comment 3•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa8ab7f39600
Comment 4•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/aa8ab7f39600
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Updated•7 years ago
|
status-firefox13: --- → fixed
Updated•7 years ago
|
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +
Comment 5•7 years ago
|
||
Comment on attachment 597590 [details] [diff] [review] patch [Approval Request Comment] Regression caused by (bug #): 706914 User impact if declined: potentially exposed to a security hole for 6 wks Testing completed (on m-c, etc.): Risk to taking this patch (and alternatives if risky): We'd compile code dangerously String changes made by this patch: none
Attachment #597590 -
Flags: approval-mozilla-beta?
![]() |
(Reporter) | |
Comment 6•7 years ago
|
||
Verified FIXED: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 87060:aa8ab7f39600 user: Brian Hackett date: Thu Feb 16 15:26:30 2012 -0800 summary: Ensure that generators are never compiled, bug 726799. r=dvander
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Comment 7•7 years ago
|
||
Comment on attachment 597590 [details] [diff] [review] patch [Triage Comment] Approved for Beta 12 since this is an sg:crit and we'll have the opportunity to mitigate any fallout. Please land before EOD tomorrow (3/27).
Attachment #597590 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
(Assignee) | ||
Comment 8•7 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/37ac63b43ce6
Target Milestone: mozilla13 → mozilla12
Updated•7 years ago
|
status-firefox12: affected → fixed
Updated•7 years ago
|
Group: core-security
Comment 9•6 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•