Created attachment 596805 [details] stack function tryItOut(code) { f = eval("(function(){" + code + "})") for (e in f()) {} } mjitChunkLimit(25) tryItOut("\ for each(x in[0,0,0,0,0,0,0]) {\ function f(b) {\ Object.defineProperty(b,\"\",({t:f}))\ }\ for each(d in[(1),String,String,String,String,(0),String,(1),String]) {\ try{\ f(d);\ yield\ }catch(e){}\ }\ }\ ") asserts js debug shell on m-c changeset ebafee0cea36 with -m and -n at Assertion failure: !f.fp()->finishedInInterpreter(),
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 84835:d0c192e5bd41 user: Brian Hackett date: Wed Jan 18 16:40:18 2012 -0800 summary: Compile large scripts in chunks, bug 706914. r=dvander
Created attachment 597590 [details] [diff] [review] patch With chunk compilation it is possible we could compile a portion of a generator script (previously, we relied on the presence of JSOP_GENERATOR or JSOP_YIELD to abort compilation). s-s to be safe, generator frames behave pretty differently from normal frames and it's possible the VM could be confused in worse ways by this accidental compilation.
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa8ab7f39600
https://hg.mozilla.org/mozilla-central/rev/aa8ab7f39600
Comment on attachment 597590 [details] [diff] [review] patch [Approval Request Comment] Regression caused by (bug #): 706914 User impact if declined: potentially exposed to a security hole for 6 wks Testing completed (on m-c, etc.): Risk to taking this patch (and alternatives if risky): We'd compile code dangerously String changes made by this patch: none
Verified FIXED: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 87060:aa8ab7f39600 user: Brian Hackett date: Thu Feb 16 15:26:30 2012 -0800 summary: Ensure that generators are never compiled, bug 726799. r=dvander
Comment on attachment 597590 [details] [diff] [review] patch [Triage Comment] Approved for Beta 12 since this is an sg:crit and we'll have the opportunity to mitigate any fallout. Please land before EOD tomorrow (3/27).
https://hg.mozilla.org/releases/mozilla-beta/rev/37ac63b43ce6
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
or
