1248233 - "Assertion failure: (((aRep->flags) & 0x1) != 0)" aka "JSREPORT_IS_WARNING(aRep->flags)"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

Attachment: testcase

Assertion failure: (((aRep->flags) & 0x1) != 0), at dom/base/ScriptSettings.cpp:469

This is an expansion of:

-> 469    MOZ_ASSERT(JSREPORT_IS_WARNING(aRep->flags));

Comment 1

[Bobby Holley (:bholley)]

bz, my impression is that you're digging into this stuff at the moment. Assuming you are, can you have a look at this while you're there? It looks like some codepath is causing us to reach the warning reporter with a non-warning.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Looks like js::ReportOutOfMemory explicitly calls the context error reporter no matter what flags we set about wanting to control error reporting.  In this case, it's being called with this stack:

#1  0x00000001081ef314 in js::ReportOutOfMemory (cxArg=0x12fd9f000) at jscntxt.cpp:323
#2  0x000000010850e44c in js::NativeObject::goodElementsAllocationAmount (cx=0x12fd9f000, reqCapacity=4294967295, length=4294967295, goodAmount=0x7fff5fbfb18c) at NativeObject.cpp:692
#3  0x000000010850e1b5 in js::NativeObject::growElements (this=0x11b201270, cx=0x12fd9f000, reqCapacity=4294967295) at NativeObject.cpp:780
#4  0x0000000108533ed9 in js::NativeObject::ensureElements (this=0x11b201270, cx=0x12fd9f000, capacity=4294967295) at NativeObject.h:954
#5  0x0000000107c204fa in EnsureNewArrayElements (cx=0x12fd9f000, obj=0x11b201270, length=4294967295) at ../../../mozilla/js/src/jsarray.cpp:3321
#6  0x0000000107c1f46f in NewArray (cxArg=0x12fd9f000, length=4294967295, protoArg={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x108fcad48}, newKind=js::GenericObject) at ../../../mozilla/js/src/jsarray.cpp:3407
#7  0x0000000107c20dd5 in NewArrayTryReuseGroup (cx=0x12fd9f000, obj=0x13e529580, length=4294967295, newKind=js::GenericObject, forceAnalyze=false) at ../../../mozilla/js/src/jsarray.cpp:3570
#8  0x0000000107c1b63c in js::NewFullyAllocatedArrayTryReuseGroup (cx=0x12fd9f000, obj=0x13e529580, length=4294967295, newKind=js::GenericObject, forceAnalyze=false) at ../../../mozilla/js/src/jsarray.cpp:3586
#9  0x0000000107c1a4e9 in js::array_splice_impl (cx=0x12fd9f000, argc=1, vp=0x7fff5fbfbcb8, returnValueIsUsed=true) at ../../../mozilla/js/src/jsarray.cpp:2425
#10 0x0000000107c29db8 in array_splice (cx=0x12fd9f000, argc=1, vp=0x7fff5fbfbcb8) at ../../../mozilla/js/src/jsarray.cpp:2364
#11 0x00000001085208fd in js::CallJSNative (cx=0x12fd9f000, native=0x107c29d90 <array_splice(JSContext*, unsigned int, JS::Value*)>, args=@0x7fff5fbfbc60) at jscntxtinlines.h:235

This behavior from js::ReportOutOfMemory is totally incompatible with what we're trying to do in terms of pushing all error reporting up to the API consumer....

The good news is that this already has a JS_IsRunning check.  So I think it just needs a check for cx->options().autoJSAPIOwnsErrorReporting() as well, right?

Comment 3

[Bobby Holley (:bholley)]

(In reply to Boris Zbarsky [:bz] from comment #2)
> The good news is that this already has a JS_IsRunning check.  So I think it
> just needs a check for cx->options().autoJSAPIOwnsErrorReporting() as well,
> right?

That sounds reasonable to me.

Comment 4

[Boris Zbarsky [:bzbarsky]]

Attachment: Make js::ReportOutOfMemory respect the autoJSAPIOwnsErrorReporting() flag on the context options

Comment 5

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/37f1e7428a70

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/37f1e7428a70