x = {} x.valueOf = (function(stdlib, foreign) { "use asm" var ff = foreign.ff function f(y) { y = +y; ff(0) } return f })(this, { ff: Object.preventExtensions }); + x asserts js debug shell on m-c changeset cea75ce9a559 without any CLI arguments at Assertion failure: isInterpreter(), at vm/Stack.h

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/f5eca934fa16 user: Jan de Mooij date: Fri Jun 21 08:28:06 2013 +0200 summary: Bug 881902 - Remove ContextStack and StackSpace. r=luke,njn This iteration took 286.692 seconds to run.

jandem, is bug 881902 a possible regressor?

When we enter Odin, we push an (inactive) JitActivation for FFI calls into Ion. Then we call a native (Object.preventExtensions) from asm.js, the native enters the decompiler and the inactive JitActivation confuses ScriptFrameIter::numFrameSlots. This patch makes ScriptFrameIter::numFrameSlots a bit nicer/more robust.

Comment on attachment 766279 [details] [diff] [review] Patch [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 881902 User impact if declined: Crashes Testing completed (on m-c, etc.): On m-c Risk to taking this patch (and alternatives if risky): Very low String or IDL/UUID changes made by this patch: None

Low risk uplift, approving for uplift but no need to track, unless we have any crash--signatures to be associated with crash-stats.

Is it ok to test this with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-21-mozilla-central-debug/jsshell-mac64.zip ? I get "./js testcase warning: successfully compiled asm.js code (total compilation time 1ms) testcase:13:0 TypeError: 0 is not an object", so cannot reproduce the initial problem.

Try the binary from 2013-06-22 or the day after. Or probably this needs a deterministic shell, but I didn't check (the downloaded binaries are not compiled with --enable-more-deterministic).

Thanks Gary. Reproduced with 2013-06-22-mozilla-central-debug/jsshell-mac64. Verified fixed FF 25 2013-10-06-mozilla-beta-debug, Mac OS X 10.8.4

Sure! In the future, you might want to check that the revision is at least rev cea75ce9a559 in this case, it is usually specified in the initial bug report. e.g. http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/06/2013-06-22-mozilla-central-debug/firefox-24.0a1.en-US.debug-mac64.txt

You're right, I was thinking the 2013-06-21 build has at least that revision (cause it was filed in that day), without checking. But still don't know how is possible to file a bug today and to reproduce only on tomorrow's build.

> But still don't know how is possible to file a bug today and to reproduce > only on tomorrow's build. I probably updated and fuzzed the rev on the same day (after the nightly binary was produced), finding this bug in the same day, so this rev will only appear in the binary on the next day.