
SIGABRT on MapsGL; assertion failure with JSProto_DataView JSProtoKey in TypeObject::setFlagsFromKey

RESOLVED FIXED in Firefox 15

Status


Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: karlt, Assigned: sfink)

Tracking

({crash, regression})

Other Branch
mozilla15
x86_64
Linux
crash, regression
Points:
---

Firefox Tracking Flags

(firefox15+ fixed)

Details

(Whiteboard: [js:p1:fx15])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
1. Load maps.google.com.
2. Turn on MapsGL.

#5  0x00007fe6b57fa43f in raise () from /lib64/libpthread.so.0
#6  0x00007fe6b1904c61 in js::types::TypeObject::setFlagsFromKey (this=0x7fe62ad46640, cx=0x7fe650442600, key=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:1324
#7  0x00007fe6b1909e9f in js::types::TypeCompartment::newTypeObject (this=0x7fe650582b90, cx=0x7fe650442600, script=0x7fe64ff86cb8, key=JSProto_DataView, proto=0x7fe64ffaa580, unknown=false) at /home/karl/moz/dev/js/src/jsinfer.cpp:1892
#8  0x00007fe6b190a11c in js::types::TypeCompartment::newAllocationSiteTypeObject (this=0x7fe650582b90, cx=0x7fe650442600, key=...) at /home/karl/moz/dev/js/src/jsinfer.cpp:1917
#9  0x00007fe6b1883c8a in js::types::TypeScript::InitObject (cx=0x7fe650442600, script=0x7fe64ff86cb8, pc=0x7fe6711f31f4 "R", kind=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:554
#10 0x00007fe6b1883972 in js::types::GetTypeCallerInitObject (cx=0x7fe650442600, key=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:280
#11 0x00007fe6b19ee2df in js::DataViewObject::create (cx=0x7fe650442600, byteOffset=0, byteLength=2495, arrayBuffer=..., proto=0x0) at /home/karl/moz/dev/js/src/jstypedarrayinlines.h:117
#12 0x00007fe6b19f1ed2 in js::DataViewObject::construct (cx=0x7fe650442600, bufobj=0x7fe62ad10ce0, args=..., proto=0x0) at /home/karl/moz/dev/js/src/jstypedarray.cpp:2219
#13 0x00007fe6b19f2455 in js::DataViewObject::class_constructor (cx=0x7fe650442600, argc=1, vp=0x7fe6863002c8) at /home/karl/moz/dev/js/src/jstypedarray.cpp:2298
#14 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b19f21bc <js::DataViewObject::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397
#15 0x00007fe6b1926981 in js::CallJSNativeConstructor (cx=0x7fe650442600, native=0x7fe6b19f21bc <js::DataViewObject::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:416
#16 0x00007fe6b192e5fe in js::InvokeConstructorKernel (cx=0x7fe650442600, argsRef=...) at /home/karl/moz/dev/js/src/jsinterp.cpp:381
#17 0x00007fe6b193b939 in js::Interpret (cx=0x7fe650442600, entryFrame=0x7fe686300160, interpMode=js::JSINTERP_NORMAL) at /home/karl/moz/dev/js/src/jsinterp.cpp:2510
#18 0x00007fe6b192dea1 in js::RunScript (cx=0x7fe650442600, script=0x7fe64ff04430, fp=0x7fe686300160) at /home/karl/moz/dev/js/src/jsinterp.cpp:266
#19 0x00007fe6b192e2a0 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:326
#20 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125
#21 0x00007fe6b18da78c in js_fun_call (cx=0x7fe650442600, argc=0, vp=0x7fe686300138) at /home/karl/moz/dev/js/src/jsfun.cpp:655
#22 0x00007fe6b18da90f in js_fun_apply (cx=0x7fe650442600, argc=1, vp=0x7fe686300138) at /home/karl/moz/dev/js/src/jsfun.cpp:673
#23 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b18da7e7 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397
#24 0x00007fe6b192e1b1 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:310
#25 0x00007fe6b193b97c in js::Interpret (cx=0x7fe650442600, entryFrame=0x7fe686300060, interpMode=js::JSINTERP_NORMAL) at /home/karl/moz/dev/js/src/jsinterp.cpp:2513
#26 0x00007fe6b192dea1 in js::RunScript (cx=0x7fe650442600, script=0x7fe64ff04040, fp=0x7fe686300060) at /home/karl/moz/dev/js/src/jsinterp.cpp:266
#27 0x00007fe6b192e2a0 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:326
#28 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125
#29 0x00007fe6b18db31e in js::CallOrConstructBoundFunction (cx=0x7fe650442600, argc=1, vp=0x7fe686300020) at /home/karl/moz/dev/js/src/jsfun.cpp:858
#30 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b18db11f <js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397
#31 0x00007fe6b192e1b1 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:310
#32 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125
#33 0x00007fe6b192e48e in js::Invoke (cx=0x7fe650442600, thisv=..., fval=..., argc=1, argv=0x7fff73a527d0, rval=0x7fff73a52910) at /home/karl/moz/dev/js/src/jsinterp.cpp:358
#34 0x00007fe6b18739ac in JS_CallFunctionValue (cx=0x7fe650442600, obj=0x7fe64ffd8480, fval=..., argc=1, argv=0x7fff73a527d0, rval=0x7fff73a52910) at /home/karl/moz/dev/js/src/jsapi.cpp:5471
#35 0x00007fe6b0968a4b in nsXPCWrappedJSClass::CallMethod (this=0x7fe678cfda10, wrapper=0x7fe67dd6f300, methodIndex=3, info=0x7fe6939281d8, nativeParams=0x7fff73a52cd0) at /home/karl/moz/dev/js/xpconnect/src/XPCWrappedJSClass.cpp:1474
#36 0x00007fe6b095f3de in nsXPCWrappedJS::CallMethod (this=0x7fe67dd6f300, methodIndex=3, info=0x7fe6939281d8, params=0x7fff73a52cd0) at /home/karl/moz/dev/js/xpconnect/src/XPCWrappedJS.cpp:579
#37 0x00007fe6b1167c82 in PrepareAndDispatch (self=0x7fe66b50ca20, methodIndex=3, args=0x7fff73a52e70, gpregs=0x7fff73a52df0, fpregs=0x7fff73a52e20) at /home/karl/moz/dev/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
#38 0x00007fe6b1166e2b in SharedStub () from /home/karl/moz/dev/obj/dist/bin/libxul.so
#39 0x00007fe6afc5a590 in nsRefreshDriver::Notify (this=0x7fe6501c9c30, aTimer=0x7fe67da704a0) at /home/karl/moz/dev/layout/base/nsRefreshDriver.cpp:358
#40 0x00007fe6b114868c in nsTimerImpl::Fire (this=0x7fe67da704a0) at /home/karl/moz/dev/xpcom/threads/nsTimerImpl.cpp:476

(gdb) p key
$2 = JSProto_DataView
(Reporter)

Comment 1

5 years ago
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f81ffb3fba84&tochange=f36749114f76

Bug 741041 perhaps.
Blocks: 741041
tracking-firefox15: --- → ?
Keywords: regression
tracking-firefox15: ? → +
Whiteboard: [js:p1:fx15]
(Assignee)

Comment 2

5 years ago
(In reply to Karl Tomlinson (:karlt) from comment #1)
> http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f81ffb3fba84&tochange=f36749114f76
> 
> Bug 741041 perhaps.

Very probable. I'm looking into this regardless.
Assignee: general → sphink
Status: NEW → ASSIGNED
(Assignee)

Comment 3

5 years ago
Created attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

This bug was actually introduced in bug 575688, which implemented the DataView class from the typed array spec. The WebGL maps must check whether DataView is available and use it if so. We had a debug assert that needed to be widened a bit.
Attachment #626921 - Flags: review?(bhackett1024)
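The failure mode in comment 3 is a debug-only assertion that enumerates the prototype keys the type-inference code has classified; a new constructor (DataView) reached it without being added to that list, so debug builds abort while release builds skip the check. The following C program is an added illustration of that pattern, not SpiderMonkey's code: the ProtoKey enum, the FLAG_* values, set_flags_from_key and first_unlisted_key are all hypothetical stand-ins. It models the assertion as a return value so the pre-fix and post-fix behaviour can be compared in one run, and adds the exhaustive walk over the enum that a test would need to catch this class of regression.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical subset of an engine's prototype-key enum (names modelled on
 * JSProtoKey; the real enum has many more entries). */
typedef enum {
    PROTO_Object,
    PROTO_Function,
    PROTO_Array,
    PROTO_ArrayBuffer,
    PROTO_Int8Array,
    PROTO_DataView,   /* constructor added later by the DataView feature */
    PROTO_COUNT
} ProtoKey;

/* Hypothetical type-object flags. */
enum {
    FLAG_NON_DENSE_ARRAY  = 1 << 0,
    FLAG_NON_PACKED_ARRAY = 1 << 1,
    FLAG_NON_TYPED_ARRAY  = 1 << 2
};

/* Keys the assertion in set_flags_from_key knows about. The bug on this page
 * is the state where DataView exists in the engine but is not yet listed
 * here (dataview_listed == false). */
static bool key_in_allowlist(ProtoKey key, bool dataview_listed)
{
    switch (key) {
      case PROTO_Object:
      case PROTO_Function:
      case PROTO_Array:
      case PROTO_ArrayBuffer:
      case PROTO_Int8Array:
        return true;
      case PROTO_DataView:
        return dataview_listed;
      default:
        return false;
    }
}

/* Returns the flags for a key, or -1 where a debug build would have failed
 * its assertion (returned instead of aborting so it can be checked). */
static int set_flags_from_key(ProtoKey key, bool dataview_listed)
{
    /* Debug-only consistency check: every key reaching this point must be
     * one the inference code has classified. In the engine this is an
     * assert, which is why debug builds die with SIGABRT. */
    if (!key_in_allowlist(key, dataview_listed))
        return -1;

    switch (key) {
      case PROTO_Object:
      case PROTO_Function:
        return FLAG_NON_DENSE_ARRAY | FLAG_NON_PACKED_ARRAY | FLAG_NON_TYPED_ARRAY;
      case PROTO_Array:
        return FLAG_NON_TYPED_ARRAY;
      default:
        /* ArrayBuffer, typed arrays, DataView: never a dense or packed array. */
        return FLAG_NON_DENSE_ARRAY | FLAG_NON_PACKED_ARRAY;
    }
}

/* Walk every key the enum defines and report the first one the assertion
 * would reject; PROTO_COUNT means every key is covered. This is the check
 * a regression test should run whenever a constructor is added. */
static ProtoKey first_unlisted_key(bool dataview_listed)
{
    for (int k = 0; k < PROTO_COUNT; k++)
        if (!key_in_allowlist((ProtoKey)k, dataview_listed))
            return (ProtoKey)k;
    return PROTO_COUNT;
}

int main(void)
{
    printf("before fix: first unlisted key = %d (PROTO_DataView is %d)\n",
           first_unlisted_key(false), PROTO_DataView);
    printf("after fix:  first unlisted key = %d (PROTO_COUNT is %d)\n",
           first_unlisted_key(true), PROTO_COUNT);
    return 0;
}
```

The point of first_unlisted_key is that it fails on the enum, not on a particular web page: comment 4 notes the real test only trips when type inference is enabled, so a check that does not depend on which interpreter flags happen to be passed is the one that would have surfaced this before MapsGL did.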
(Assignee)

Updated

5 years ago
No longer blocks: 741041
Attachment #626921 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 4

5 years ago
Sadly, I already wrote a test that would catch this, and landed it with 575688: js/src/tests/js1_8_5/extensions/dataview.js. But tinderbox doesn't run those tests, and when I run it manually I tend to pass either no flags or -m -a, and the test will only fail with -n (to enable type inference). (I just ran into the assertion independently, right after having fixed this.)
(Assignee)

Updated

5 years ago
Duplicate of this bug: 758398
(Assignee)

Comment 6

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0c597ce2acc
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/a0c597ce2acc
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 8

5 years ago
Comment on attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 575688
User impact if declined: websites, e.g. the WebGL version of Google Maps, will crash debug browsers
Testing completed (on m-c, etc.): It's been on m-c for nearly a month
Risk to taking this patch (and alternatives if risky): (debug assertion only)
String or UUID changes made by this patch: none
Attachment #626921 - Flags: approval-mozilla-aurora?

Comment 9

5 years ago
Comment on attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

[Triage Comment]
No risk to normal users, approved for Aurora 15.
Attachment #626921 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 10

5 years ago
Comment on attachment 626921 [details] [diff] [review]
Add JSProto_DataView to the setFlagsFromKey assert

Whoops, sorry! It appears that the fix already made it into Aurora. (And the triggering bug is not on beta.)
Attachment #626921 - Flags: approval-mozilla-aurora+
Marking fixed in 15 per comment 10.
status-firefox15: --- → fixed