Bug 757682 - SIGABRT on MapsGL; assertion failure with JSProto_DataView JSProtoKey in TypeObject::setFlagsFromKey
Status: RESOLVED FIXED
Whiteboard: [js:p1:fx15]
Keywords: crash, regression
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: mozilla15
Assigned To: Steve Fink [:sfink] [:s:]
: Jason Orendorff [:jorendorff]
Duplicates: 758398
Reported: 2012-05-22 17:43 PDT by Karl Tomlinson (:karlt)
Modified: 2012-06-22 11:52 PDT
CC: 7 users
Tracking flags: +, fixed

Attachments
Add JSProto_DataView to the setFlagsFromKey assert (1.13 KB, patch) - 2012-05-24 12:54 PDT, Steve Fink [:sfink] [:s:] - bhackett1024: review+

Description Karl Tomlinson (:karlt) 2012-05-22 17:43:32 PDT
1. Load maps.google.com.
2. Turn on MapsGL.

#5  0x00007fe6b57fa43f in raise () from /lib64/libpthread.so.0
#6  0x00007fe6b1904c61 in js::types::TypeObject::setFlagsFromKey (this=0x7fe62ad46640, cx=0x7fe650442600, key=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:1324
#7  0x00007fe6b1909e9f in js::types::TypeCompartment::newTypeObject (this=0x7fe650582b90, cx=0x7fe650442600, script=0x7fe64ff86cb8, key=JSProto_DataView, proto=0x7fe64ffaa580, unknown=false) at /home/karl/moz/dev/js/src/jsinfer.cpp:1892
#8  0x00007fe6b190a11c in js::types::TypeCompartment::newAllocationSiteTypeObject (this=0x7fe650582b90, cx=0x7fe650442600, key=...) at /home/karl/moz/dev/js/src/jsinfer.cpp:1917
#9  0x00007fe6b1883c8a in js::types::TypeScript::InitObject (cx=0x7fe650442600, script=0x7fe64ff86cb8, pc=0x7fe6711f31f4 "R", kind=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:554
#10 0x00007fe6b1883972 in js::types::GetTypeCallerInitObject (cx=0x7fe650442600, key=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:280
#11 0x00007fe6b19ee2df in js::DataViewObject::create (cx=0x7fe650442600, byteOffset=0, byteLength=2495, arrayBuffer=..., proto=0x0) at /home/karl/moz/dev/js/src/jstypedarrayinlines.h:117
#12 0x00007fe6b19f1ed2 in js::DataViewObject::construct (cx=0x7fe650442600, bufobj=0x7fe62ad10ce0, args=..., proto=0x0) at /home/karl/moz/dev/js/src/jstypedarray.cpp:2219
#13 0x00007fe6b19f2455 in js::DataViewObject::class_constructor (cx=0x7fe650442600, argc=1, vp=0x7fe6863002c8) at /home/karl/moz/dev/js/src/jstypedarray.cpp:2298
#14 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b19f21bc <js::DataViewObject::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397
#15 0x00007fe6b1926981 in js::CallJSNativeConstructor (cx=0x7fe650442600, native=0x7fe6b19f21bc <js::DataViewObject::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:416
#16 0x00007fe6b192e5fe in js::InvokeConstructorKernel (cx=0x7fe650442600, argsRef=...) at /home/karl/moz/dev/js/src/jsinterp.cpp:381
#17 0x00007fe6b193b939 in js::Interpret (cx=0x7fe650442600, entryFrame=0x7fe686300160, interpMode=js::JSINTERP_NORMAL) at /home/karl/moz/dev/js/src/jsinterp.cpp:2510
#18 0x00007fe6b192dea1 in js::RunScript (cx=0x7fe650442600, script=0x7fe64ff04430, fp=0x7fe686300160) at /home/karl/moz/dev/js/src/jsinterp.cpp:266
#19 0x00007fe6b192e2a0 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:326
#20 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125
#21 0x00007fe6b18da78c in js_fun_call (cx=0x7fe650442600, argc=0, vp=0x7fe686300138) at /home/karl/moz/dev/js/src/jsfun.cpp:655
#22 0x00007fe6b18da90f in js_fun_apply (cx=0x7fe650442600, argc=1, vp=0x7fe686300138) at /home/karl/moz/dev/js/src/jsfun.cpp:673
#23 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b18da7e7 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397
#24 0x00007fe6b192e1b1 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:310
#25 0x00007fe6b193b97c in js::Interpret (cx=0x7fe650442600, entryFrame=0x7fe686300060, interpMode=js::JSINTERP_NORMAL) at /home/karl/moz/dev/js/src/jsinterp.cpp:2513
#26 0x00007fe6b192dea1 in js::RunScript (cx=0x7fe650442600, script=0x7fe64ff04040, fp=0x7fe686300060) at /home/karl/moz/dev/js/src/jsinterp.cpp:266
#27 0x00007fe6b192e2a0 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:326
#28 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125
#29 0x00007fe6b18db31e in js::CallOrConstructBoundFunction (cx=0x7fe650442600, argc=1, vp=0x7fe686300020) at /home/karl/moz/dev/js/src/jsfun.cpp:858
#30 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b18db11f <js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397
#31 0x00007fe6b192e1b1 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:310
#32 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125
#33 0x00007fe6b192e48e in js::Invoke (cx=0x7fe650442600, thisv=..., fval=..., argc=1, argv=0x7fff73a527d0, rval=0x7fff73a52910) at /home/karl/moz/dev/js/src/jsinterp.cpp:358
#34 0x00007fe6b18739ac in JS_CallFunctionValue (cx=0x7fe650442600, obj=0x7fe64ffd8480, fval=..., argc=1, argv=0x7fff73a527d0, rval=0x7fff73a52910) at /home/karl/moz/dev/js/src/jsapi.cpp:5471
#35 0x00007fe6b0968a4b in nsXPCWrappedJSClass::CallMethod (this=0x7fe678cfda10, wrapper=0x7fe67dd6f300, methodIndex=3, info=0x7fe6939281d8, nativeParams=0x7fff73a52cd0) at /home/karl/moz/dev/js/xpconnect/src/XPCWrappedJSClass.cpp:1474
#36 0x00007fe6b095f3de in nsXPCWrappedJS::CallMethod (this=0x7fe67dd6f300, methodIndex=3, info=0x7fe6939281d8, params=0x7fff73a52cd0) at /home/karl/moz/dev/js/xpconnect/src/XPCWrappedJS.cpp:579
#37 0x00007fe6b1167c82 in PrepareAndDispatch (self=0x7fe66b50ca20, methodIndex=3, args=0x7fff73a52e70, gpregs=0x7fff73a52df0, fpregs=0x7fff73a52e20) at /home/karl/moz/dev/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
#38 0x00007fe6b1166e2b in SharedStub () from /home/karl/moz/dev/obj/dist/bin/libxul.so
#39 0x00007fe6afc5a590 in nsRefreshDriver::Notify (this=0x7fe6501c9c30, aTimer=0x7fe67da704a0) at /home/karl/moz/dev/layout/base/nsRefreshDriver.cpp:358
#40 0x00007fe6b114868c in nsTimerImpl::Fire (this=0x7fe67da704a0) at /home/karl/moz/dev/xpcom/threads/nsTimerImpl.cpp:476

(gdb) p key
$2 = JSProto_DataView
Comment 2 Steve Fink [:sfink] [:s:] 2012-05-24 11:33:02 PDT
(In reply to Karl Tomlinson (:karlt) from comment #1)
> http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f81ffb3fba84&tochange=f36749114f76
> 
> Bug 741041 perhaps.

Very probable. I'm looking into this regardless.
Comment 3 Steve Fink [:sfink] [:s:] 2012-05-24 12:54:28 PDT
Created attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

This bug was actually introduced in bug 575688, which implemented the DataView class from the typed array spec. The WebGL maps must check whether DataView is available and use it if so. We had a debug assert that needed to be widened a bit.
Comment 4 Steve Fink [:sfink] [:s:] 2012-05-24 13:19:51 PDT
Sadly, I already wrote a test that would catch this, and landed it with 575688: js/src/tests/js1_8_5/extensions/dataview.js. But tinderbox doesn't run those tests, and when I run it manually I tend to pass either no flags or -m -a, and the test will only fail with -n (to enable type inference). (I just ran into the assertion independently, right after having fixed this.)
Comment 5 Steve Fink [:sfink] [:s:] 2012-05-24 14:54:18 PDT
*** Bug 758398 has been marked as a duplicate of this bug. ***
Comment 6 Steve Fink [:sfink] [:s:] 2012-05-24 20:55:39 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0c597ce2acc
Comment 7 Ed Morley [:emorley] 2012-05-25 08:28:48 PDT
https://hg.mozilla.org/mozilla-central/rev/a0c597ce2acc
Comment 8 Steve Fink [:sfink] [:s:] 2012-06-19 14:16:50 PDT
Comment on attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 575688
User impact if declined: websites, e.g. the WebGL version of Google Maps, will crash debug browsers
Testing completed (on m-c, etc.): It's been on m-c for nearly a month
Risk to taking this patch (and alternatives if risky): (debug assertion only)
String or UUID changes made by this patch: none
Comment 9 Alex Keybl [:akeybl] 2012-06-19 20:09:08 PDT
Comment on attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

[Triage Comment]
No risk to normal users, approved for Aurora 15.
Comment 10 Steve Fink [:sfink] [:s:] 2012-06-22 11:50:41 PDT
Comment on attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

Whoops, sorry! It appears that the fix already made it into Aurora. (And the triggering bug is not on beta.)
Comment 11 Andrew McCreight [:mccr8] 2012-06-22 11:52:01 PDT
Marking fixed in 15 per comment 10.