Closed Bug 598969 Opened 14 years ago Closed 14 years ago

After ES5 preventExtensions/freeze/seal landing, test_canvas.html mochitest fails

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sayrer, Assigned: sayrer)

References

Details

(Whiteboard: [fixed-in-tracemonkey])

Attachments

(2 files)

standalone test case
1.06 KB, text/html
Details
workaround
901 bytes, patch
brendan
: review+
Details | Diff | Splinter Review 
failed | unexpected exception thrown in: test_2d_imageData_create_large

InternalError: allocation size overflow
failing here:

var imgdata = ctx.createImageData(1000, 2000);
Attached file standalone test case 

    
    

    
  
Looks like preventExtensions is doing something pretty inefficient here:

#0	0x1017fc935 in js_ReportAllocationOverflow at jscntxt.cpp:1435
#1	0x10191ea2c in js::ContextAllocPolicy::reportAllocOverflow at jscntxt.h:3394
#2	0x101885a18 in js::detail::HashTable<jsid const, js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::SetOps, js::ContextAllocPolicy>::changeTableSize at jshashtable.h:501
#3	0x101885c5a in js::detail::HashTable<jsid const, js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::SetOps, js::ContextAllocPolicy>::add at jshashtable.h:625
#4	0x101885cf3 in js::detail::HashTable<jsid const, js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::SetOps, js::ContextAllocPolicy>::add at jshashtable.h:656
#5	0x101885d47 in js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::add at jshashtable.h:1054
#6	0x10187fc0e in Enumerate<KeyEnumeration> at jsiter.cpp:227
#7	0x101881173 in Snapshot<KeyEnumeration> at jsiter.cpp:361
#8	0x10188122a in GetPropertyNames at jsiter.cpp:394
#9	0x101932150 in JSObject::preventExtensions at jsobjinlines.h:85
#10	0x101932357 in TypedArrayTemplate<uint8_clamped>::makeFastWithPrivate at jstypedarray.cpp:971
#11	0x101938cc6 in TypedArrayTemplate<uint8_clamped>::create at jstypedarray.cpp:790
#12	0x101923f83 in TypedArrayConstruct at jstypedarray.cpp:1667
#13	0x10192429d in js_CreateTypedArray at jstypedarray.cpp:1685
#14	0x100f609ed in nsIDOMCanvasRenderingContext2D_CreateImageData at CustomQS_Canvas2D.h:189
#15	0x101a10565 in CallCompiler::generateNativeStub at MonoIC.cpp:460
#16	0x101a0e493 in js::mjit::ic::NativeCall at MonoIC.cpp:687
#17	0x1071d2b9e in ??
#18	0x1019cb0e7 in EnterMethodJIT at MethodJIT.cpp:785
#19	0x1019cb2a1 in js::mjit::JaegerShot at MethodJIT.cpp:813
#20	0x10187c007 in js::RunScript at jsinterp.cpp:481
#21	0x10187cf9d in js::Invoke at jsinterp.cpp:592

    
    

    
  

      
      
      
      

        Attached patch
          
          
        workaroundSplinter Review
      

    


  
I filed bug 599008 to follow up on this issue.
Assignee: general → sayrer

    
  

        Attachment #477980 -
        Flags: review?(brendan)

        Attachment #477980 -
        Flags: review?(brendan) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/c47ad06461ee
Whiteboard: [fixed-in-tracemonkey]

    
  
Blocks: 492849

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/c47ad06461ee
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: