"Assertion failure: (((aRep->flags) & 0x1) != 0)" aka "JSREPORT_IS_WARNING(aRep->flags)"

RESOLVED FIXED in Firefox 47

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Jesse Ruderman, Assigned: bz)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla47
assertion, testcase
Points:
---

Firefox Tracking Flags

(firefox47 fixed)

Details

(Whiteboard: [btpp-backlog])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8719265 [details]
testcase

Assertion failure: (((aRep->flags) & 0x1) != 0), at dom/base/ScriptSettings.cpp:469

This is an expansion of:

-> 469    MOZ_ASSERT(JSREPORT_IS_WARNING(aRep->flags));

Updated

2 years ago
Flags: needinfo?(bholley)
Flags: needinfo?(u562683) → needinfo?(bobbyholley)
Whiteboard: [btpp-backlog]
bz, my impression is that you're digging into this stuff at the moment. Assuming you are, can you have a look at this while you're there? It looks like some codepath is causing us to reach the warning reporter with a non-warning.
Flags: needinfo?(bobbyholley)
Looks like js::ReportOutOfMemory explicitly calls the context error reporter no matter what flags we set about wanting to control error reporting.  In this case, it's being called with this stack:

#1  0x00000001081ef314 in js::ReportOutOfMemory (cxArg=0x12fd9f000) at jscntxt.cpp:323
#2  0x000000010850e44c in js::NativeObject::goodElementsAllocationAmount (cx=0x12fd9f000, reqCapacity=4294967295, length=4294967295, goodAmount=0x7fff5fbfb18c) at NativeObject.cpp:692
#3  0x000000010850e1b5 in js::NativeObject::growElements (this=0x11b201270, cx=0x12fd9f000, reqCapacity=4294967295) at NativeObject.cpp:780
#4  0x0000000108533ed9 in js::NativeObject::ensureElements (this=0x11b201270, cx=0x12fd9f000, capacity=4294967295) at NativeObject.h:954
#5  0x0000000107c204fa in EnsureNewArrayElements (cx=0x12fd9f000, obj=0x11b201270, length=4294967295) at ../../../mozilla/js/src/jsarray.cpp:3321
#6  0x0000000107c1f46f in NewArray (cxArg=0x12fd9f000, length=4294967295, protoArg={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x108fcad48}, newKind=js::GenericObject) at ../../../mozilla/js/src/jsarray.cpp:3407
#7  0x0000000107c20dd5 in NewArrayTryReuseGroup (cx=0x12fd9f000, obj=0x13e529580, length=4294967295, newKind=js::GenericObject, forceAnalyze=false) at ../../../mozilla/js/src/jsarray.cpp:3570
#8  0x0000000107c1b63c in js::NewFullyAllocatedArrayTryReuseGroup (cx=0x12fd9f000, obj=0x13e529580, length=4294967295, newKind=js::GenericObject, forceAnalyze=false) at ../../../mozilla/js/src/jsarray.cpp:3586
#9  0x0000000107c1a4e9 in js::array_splice_impl (cx=0x12fd9f000, argc=1, vp=0x7fff5fbfbcb8, returnValueIsUsed=true) at ../../../mozilla/js/src/jsarray.cpp:2425
#10 0x0000000107c29db8 in array_splice (cx=0x12fd9f000, argc=1, vp=0x7fff5fbfbcb8) at ../../../mozilla/js/src/jsarray.cpp:2364
#11 0x00000001085208fd in js::CallJSNative (cx=0x12fd9f000, native=0x107c29d90 <array_splice(JSContext*, unsigned int, JS::Value*)>, args=@0x7fff5fbfbc60) at jscntxtinlines.h:235

This behavior from js::ReportOutOfMemory is totally incompatible with what we're trying to do in terms of pushing all error reporting up to the API consumer....

The good news is that this already has a JS_IsRunning check.  So I think it just needs a check for cx->options().autoJSAPIOwnsErrorReporting() as well, right?
Component: DOM → JavaScript Engine
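The control flow bz describes, as an added toy model in C++ (illustration only, not SpiderMonkey code; every identifier below is a stand-in for the real one): a consumer that has opted into AutoJSAPI-owned error reporting installs a reporter that only expects warnings, and an OOM reported while no script is running (the branch that must have been taken here, since the direct-reporter path is the one guarded by JS_IsRunning) reaches that reporter with a JSREPORT_ERROR report unless js::ReportOutOfMemory also honours the ownership flag. The reporter shape, the field names on the context and the exact fixed condition (JS_IsRunning OR autoJSAPIOwnsErrorReporting, the shape comment 2 proposes) are assumptions for the illustration; JSREPORT_WARNING = 0x1 is taken from the expanded assertion in comment 0.

```cpp
// Added toy model of the error-reporting ownership problem from this bug.
// Not SpiderMonkey code: names are stand-ins for the real engine/DOM pieces.
#include <cstdio>
#include <functional>
#include <string>

// JSREPORT_WARNING = 0x1 comes from the expanded assertion in comment 0;
// JSREPORT_ERROR as "no warning bit" is an assumption for the model.
enum : unsigned { JSREPORT_ERROR = 0x0, JSREPORT_WARNING = 0x1 };

struct ErrorReport {
    unsigned flags;
    std::string message;
};

struct Context {
    bool jsIsRunning = false;                   // stand-in for JS_IsRunning(cx)
    bool autoJSAPIOwnsErrorReporting = false;   // stand-in for cx->options().autoJSAPIOwnsErrorReporting()
    bool hasPendingException = false;           // stand-in for cx->setPendingException(...)
    std::string pendingException;
    std::function<void(const ErrorReport&)> errorReporter; // stand-in for the runtime's error reporter
};

// Consumer side: with AutoJSAPI owning error reporting, the reporter on the
// context only expects warnings. Each non-warning it receives corresponds to
// the MOZ_ASSERT(JSREPORT_IS_WARNING(aRep->flags)) in comment 0 firing.
struct WarningOnlyReporter {
    int warnings = 0;
    int nonWarnings = 0;
    void operator()(const ErrorReport& rep) {
        if (rep.flags & JSREPORT_WARNING) ++warnings; else ++nonWarnings;
    }
};

// Engine side, before the fix: only "is script running?" decides between
// setting a pending exception and calling the reporter directly, so the
// ownership flag is ignored.
void ReportOutOfMemoryBefore(Context& cx) {
    if (cx.jsIsRunning) {
        cx.hasPendingException = true;
        cx.pendingException = "out of memory";
        return;
    }
    ErrorReport rep{JSREPORT_ERROR, "out of memory"};
    if (cx.errorReporter) cx.errorReporter(rep);
}

// After the fix, in the shape comment 2 proposes: the ownership flag also
// routes the OOM to a pending exception for the API consumer to handle.
void ReportOutOfMemoryAfter(Context& cx) {
    if (cx.jsIsRunning || cx.autoJSAPIOwnsErrorReporting) {
        cx.hasPendingException = true;
        cx.pendingException = "out of memory";
        return;
    }
    ErrorReport rep{JSREPORT_ERROR, "out of memory"};
    if (cx.errorReporter) cx.errorReporter(rep);
}

struct Outcome {
    int nonWarningReports;   // assertion-equivalent hits in the warning-only reporter
    bool pendingException;   // OOM surfaced as a pending exception instead
};

// Drive one version of ReportOutOfMemory in the configuration from the bug:
// AutoJSAPI owns error reporting, but the OOM is reached with no script running.
Outcome run(void (*reportOOM)(Context&)) {
    Context cx;
    cx.autoJSAPIOwnsErrorReporting = true;
    cx.jsIsRunning = false;
    WarningOnlyReporter reporter;
    cx.errorReporter = std::ref(reporter);
    reportOOM(cx);
    return {reporter.nonWarnings, cx.hasPendingException};
}

int main() {
    Outcome before = run(ReportOutOfMemoryBefore);
    Outcome after = run(ReportOutOfMemoryAfter);
    std::printf("before fix: non-warning reports=%d pending=%d\n",
                before.nonWarningReports, before.pendingException);
    std::printf("after fix:  non-warning reports=%d pending=%d\n",
                after.nonWarningReports, after.pendingException);
    return 0;
}
```

Running the model, the unfixed path hands the warning-only reporter one JSREPORT_ERROR report (the assertion in comment 0), while the fixed path delivers nothing to the reporter and leaves the OOM as a pending exception for the AutoJSAPI consumer.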
(In reply to Boris Zbarsky [:bz] from comment #2)
> The good news is that this already has a JS_IsRunning check.  So I think it
> just needs a check for cx->options().autoJSAPIOwnsErrorReporting() as well,
> right?

That sounds reasonable to me.
Created attachment 8720005 [details] [diff] [review]
Make js::ReportOutOfMemory respect the autoJSAPIOwnsErrorReporting() flag on the context options
Attachment #8720005 - Flags: review?(luke)
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

Updated

2 years ago
Attachment #8720005 - Flags: review?(luke) → review+

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/37f1e7428a70
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox47: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47