Closed
Bug 1248233
Opened 9 years ago
Closed 9 years ago
"Assertion failure: (((aRep->flags) & 0x1) != 0)" aka "JSREPORT_IS_WARNING(aRep->flags)"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla47
Tracking | Status | |
---|---|---|
firefox47 | --- | fixed |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: assertion, testcase, Whiteboard: [btpp-backlog])
Attachments
(2 files)
(deleted),
text/html
|
Details | |
(deleted),
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
Assertion failure: (((aRep->flags) & 0x1) != 0), at dom/base/ScriptSettings.cpp:469
This is an expansion of:
-> 469 MOZ_ASSERT(JSREPORT_IS_WARNING(aRep->flags));
Updated•9 years ago
|
Flags: needinfo?(bholley)
Updated•9 years ago
|
Flags: needinfo?(u562683) → needinfo?(bobbyholley)
Whiteboard: [btpp-backlog]
Comment 1•9 years ago
|
||
bz, my impression is that you're digging into this stuff at the moment. Assuming you are, can you have a look at this while you're there? It looks like some codepath is causing us to reach the warning reporter with a non-warning.
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 2•9 years ago
|
||
Looks like js::ReportOutOfMemory explicitly calls the context error reporter no matter what flags we set about wanting to control error reporting. In this case, it's being called with this stack:
#1 0x00000001081ef314 in js::ReportOutOfMemory (cxArg=0x12fd9f000) at jscntxt.cpp:323
#2 0x000000010850e44c in js::NativeObject::goodElementsAllocationAmount (cx=0x12fd9f000, reqCapacity=4294967295, length=4294967295, goodAmount=0x7fff5fbfb18c) at NativeObject.cpp:692
#3 0x000000010850e1b5 in js::NativeObject::growElements (this=0x11b201270, cx=0x12fd9f000, reqCapacity=4294967295) at NativeObject.cpp:780
#4 0x0000000108533ed9 in js::NativeObject::ensureElements (this=0x11b201270, cx=0x12fd9f000, capacity=4294967295) at NativeObject.h:954
#5 0x0000000107c204fa in EnsureNewArrayElements (cx=0x12fd9f000, obj=0x11b201270, length=4294967295) at ../../../mozilla/js/src/jsarray.cpp:3321
#6 0x0000000107c1f46f in NewArray (cxArg=0x12fd9f000, length=4294967295, protoArg={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x108fcad48}, newKind=js::GenericObject) at ../../../mozilla/js/src/jsarray.cpp:3407
#7 0x0000000107c20dd5 in NewArrayTryReuseGroup (cx=0x12fd9f000, obj=0x13e529580, length=4294967295, newKind=js::GenericObject, forceAnalyze=false) at ../../../mozilla/js/src/jsarray.cpp:3570
#8 0x0000000107c1b63c in js::NewFullyAllocatedArrayTryReuseGroup (cx=0x12fd9f000, obj=0x13e529580, length=4294967295, newKind=js::GenericObject, forceAnalyze=false) at ../../../mozilla/js/src/jsarray.cpp:3586
#9 0x0000000107c1a4e9 in js::array_splice_impl (cx=0x12fd9f000, argc=1, vp=0x7fff5fbfbcb8, returnValueIsUsed=true) at ../../../mozilla/js/src/jsarray.cpp:2425
#10 0x0000000107c29db8 in array_splice (cx=0x12fd9f000, argc=1, vp=0x7fff5fbfbcb8) at ../../../mozilla/js/src/jsarray.cpp:2364
#11 0x00000001085208fd in js::CallJSNative (cx=0x12fd9f000, native=0x107c29d90 <array_splice(JSContext*, unsigned int, JS::Value*)>, args=@0x7fff5fbfbc60) at jscntxtinlines.h:235
This behavior from js::ReportOutOfMemory is totally incompatible with what we're trying to do in terms of pushing all error reporting up to the API consumer....
The good news is that this already has a JS_IsRunning check. So I think it just needs a check for cx->options().autoJSAPIOwnsErrorReporting() as well, right?
Component: DOM → JavaScript Engine
Comment 3•9 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #2)
> The good news is that this already has a JS_IsRunning check. So I think it
> just needs a check for cx->options().autoJSAPIOwnsErrorReporting() as well,
> right?
That sounds reasonable to me.
Assignee | ||
Comment 4•9 years ago
|
||
Attachment #8720005 -
Flags: review?(luke)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Updated•9 years ago
|
Attachment #8720005 -
Flags: review?(luke) → review+
Comment 6•9 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in
before you can comment on or make changes to this bug.
Description
•