After ES5 preventExtensions/freeze/seal landing, test_canvas.html mochitest fails

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: Robert Sayre, Assigned: Robert Sayre)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fixed-in-tracemonkey])

Attachments

(2 attachments)

(Assignee)

Description

8 years ago
failed | unexpected exception thrown in: test_2d_imageData_create_large

InternalError: allocation size overflow
(Assignee)

Comment 1

8 years ago
failing here:

var imgdata = ctx.createImageData(1000, 2000);
(Assignee)

Comment 2

8 years ago
Created attachment 477962 [details]
standalone test case
(Assignee)

Comment 3

8 years ago
Looks like preventExtensions is doing something pretty inefficient here:

#0	0x1017fc935 in js_ReportAllocationOverflow at jscntxt.cpp:1435
#1	0x10191ea2c in js::ContextAllocPolicy::reportAllocOverflow at jscntxt.h:3394
#2	0x101885a18 in js::detail::HashTable<jsid const, js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::SetOps, js::ContextAllocPolicy>::changeTableSize at jshashtable.h:501
#3	0x101885c5a in js::detail::HashTable<jsid const, js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::SetOps, js::ContextAllocPolicy>::add at jshashtable.h:625
#4	0x101885cf3 in js::detail::HashTable<jsid const, js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::SetOps, js::ContextAllocPolicy>::add at jshashtable.h:656
#5	0x101885d47 in js::HashSet<jsid, IdHashPolicy, js::ContextAllocPolicy>::add at jshashtable.h:1054
#6	0x10187fc0e in Enumerate<KeyEnumeration> at jsiter.cpp:227
#7	0x101881173 in Snapshot<KeyEnumeration> at jsiter.cpp:361
#8	0x10188122a in GetPropertyNames at jsiter.cpp:394
#9	0x101932150 in JSObject::preventExtensions at jsobjinlines.h:85
#10	0x101932357 in TypedArrayTemplate<uint8_clamped>::makeFastWithPrivate at jstypedarray.cpp:971
#11	0x101938cc6 in TypedArrayTemplate<uint8_clamped>::create at jstypedarray.cpp:790
#12	0x101923f83 in TypedArrayConstruct at jstypedarray.cpp:1667
#13	0x10192429d in js_CreateTypedArray at jstypedarray.cpp:1685
#14	0x100f609ed in nsIDOMCanvasRenderingContext2D_CreateImageData at CustomQS_Canvas2D.h:189
#15	0x101a10565 in CallCompiler::generateNativeStub at MonoIC.cpp:460
#16	0x101a0e493 in js::mjit::ic::NativeCall at MonoIC.cpp:687
#17	0x1071d2b9e in ??
#18	0x1019cb0e7 in EnterMethodJIT at MethodJIT.cpp:785
#19	0x1019cb2a1 in js::mjit::JaegerShot at MethodJIT.cpp:813
#20	0x10187c007 in js::RunScript at jsinterp.cpp:481
#21	0x10187cf9d in js::Invoke at jsinterp.cpp:592
(Assignee)

Comment 4

8 years ago
Created attachment 477980 [details] [diff] [review]
workaround

I filed bug 599008 to follow up on this issue.
Assignee: general → sayrer
(Assignee)

Updated

8 years ago
Attachment #477980 - Flags: review?(brendan)
Attachment #477980 - Flags: review?(brendan) → review+
(Assignee)

Comment 5

8 years ago
http://hg.mozilla.org/tracemonkey/rev/c47ad06461ee
Whiteboard: [fixed-in-tracemonkey]
(Assignee)

Updated

8 years ago
Blocks: 492849
(Assignee)

Comment 6

8 years ago
http://hg.mozilla.org/mozilla-central/rev/c47ad06461ee
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.