1. Load maps.google.com. 2. Turn on MapsGL. #5 0x00007fe6b57fa43f in raise () from /lib64/libpthread.so.0 #6 0x00007fe6b1904c61 in js::types::TypeObject::setFlagsFromKey (this=0x7fe62ad46640, cx=0x7fe650442600, key=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:1324 #7 0x00007fe6b1909e9f in js::types::TypeCompartment::newTypeObject (this=0x7fe650582b90, cx=0x7fe650442600, script=0x7fe64ff86cb8, key=JSProto_DataView, proto=0x7fe64ffaa580, unknown=false) at /home/karl/moz/dev/js/src/jsinfer.cpp:1892 #8 0x00007fe6b190a11c in js::types::TypeCompartment::newAllocationSiteTypeObject (this=0x7fe650582b90, cx=0x7fe650442600, key=...) at /home/karl/moz/dev/js/src/jsinfer.cpp:1917 #9 0x00007fe6b1883c8a in js::types::TypeScript::InitObject (cx=0x7fe650442600, script=0x7fe64ff86cb8, pc=0x7fe6711f31f4 "R", kind=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:554 #10 0x00007fe6b1883972 in js::types::GetTypeCallerInitObject (cx=0x7fe650442600, key=JSProto_DataView) at /home/karl/moz/dev/js/src/jsinferinlines.h:280 #11 0x00007fe6b19ee2df in js::DataViewObject::create (cx=0x7fe650442600, byteOffset=0, byteLength=2495, arrayBuffer=..., proto=0x0) at /home/karl/moz/dev/js/src/jstypedarrayinlines.h:117 #12 0x00007fe6b19f1ed2 in js::DataViewObject::construct (cx=0x7fe650442600, bufobj=0x7fe62ad10ce0, args=..., proto=0x0) at /home/karl/moz/dev/js/src/jstypedarray.cpp:2219 #13 0x00007fe6b19f2455 in js::DataViewObject::class_constructor (cx=0x7fe650442600, argc=1, vp=0x7fe6863002c8) at /home/karl/moz/dev/js/src/jstypedarray.cpp:2298 #14 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b19f21bc <js::DataViewObject::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397 #15 0x00007fe6b1926981 in js::CallJSNativeConstructor (cx=0x7fe650442600, native=0x7fe6b19f21bc <js::DataViewObject::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:416 #16 0x00007fe6b192e5fe in js::InvokeConstructorKernel (cx=0x7fe650442600, argsRef=...) at /home/karl/moz/dev/js/src/jsinterp.cpp:381 #17 0x00007fe6b193b939 in js::Interpret (cx=0x7fe650442600, entryFrame=0x7fe686300160, interpMode=js::JSINTERP_NORMAL) at /home/karl/moz/dev/js/src/jsinterp.cpp:2510 #18 0x00007fe6b192dea1 in js::RunScript (cx=0x7fe650442600, script=0x7fe64ff04430, fp=0x7fe686300160) at /home/karl/moz/dev/js/src/jsinterp.cpp:266 #19 0x00007fe6b192e2a0 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:326 #20 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125 #21 0x00007fe6b18da78c in js_fun_call (cx=0x7fe650442600, argc=0, vp=0x7fe686300138) at /home/karl/moz/dev/js/src/jsfun.cpp:655 #22 0x00007fe6b18da90f in js_fun_apply (cx=0x7fe650442600, argc=1, vp=0x7fe686300138) at /home/karl/moz/dev/js/src/jsfun.cpp:673 #23 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b18da7e7 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397 #24 0x00007fe6b192e1b1 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:310 #25 0x00007fe6b193b97c in js::Interpret (cx=0x7fe650442600, entryFrame=0x7fe686300060, interpMode=js::JSINTERP_NORMAL) at /home/karl/moz/dev/js/src/jsinterp.cpp:2513 #26 0x00007fe6b192dea1 in js::RunScript (cx=0x7fe650442600, script=0x7fe64ff04040, fp=0x7fe686300060) at /home/karl/moz/dev/js/src/jsinterp.cpp:266 #27 0x00007fe6b192e2a0 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:326 #28 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125 #29 0x00007fe6b18db31e in js::CallOrConstructBoundFunction (cx=0x7fe650442600, argc=1, vp=0x7fe686300020) at /home/karl/moz/dev/js/src/jsfun.cpp:858 #30 0x00007fe6b1926887 in js::CallJSNative (cx=0x7fe650442600, native=0x7fe6b18db11f <js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/karl/moz/dev/js/src/jscntxtinlines.h:397 #31 0x00007fe6b192e1b1 in js::InvokeKernel (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.cpp:310 #32 0x00007fe6b18825ae in js::Invoke (cx=0x7fe650442600, args=..., construct=js::NO_CONSTRUCT) at /home/karl/moz/dev/js/src/jsinterp.h:125 #33 0x00007fe6b192e48e in js::Invoke (cx=0x7fe650442600, thisv=..., fval=..., argc=1, argv=0x7fff73a527d0, rval=0x7fff73a52910) at /home/karl/moz/dev/js/src/jsinterp.cpp:358 #34 0x00007fe6b18739ac in JS_CallFunctionValue (cx=0x7fe650442600, obj=0x7fe64ffd8480, fval=..., argc=1, argv=0x7fff73a527d0, rval=0x7fff73a52910) at /home/karl/moz/dev/js/src/jsapi.cpp:5471 #35 0x00007fe6b0968a4b in nsXPCWrappedJSClass::CallMethod (this=0x7fe678cfda10, wrapper=0x7fe67dd6f300, methodIndex=3, info=0x7fe6939281d8, nativeParams=0x7fff73a52cd0) at /home/karl/moz/dev/js/xpconnect/src/XPCWrappedJSClass.cpp:1474 #36 0x00007fe6b095f3de in nsXPCWrappedJS::CallMethod (this=0x7fe67dd6f300, methodIndex=3, info=0x7fe6939281d8, params=0x7fff73a52cd0) at /home/karl/moz/dev/js/xpconnect/src/XPCWrappedJS.cpp:579 #37 0x00007fe6b1167c82 in PrepareAndDispatch (self=0x7fe66b50ca20, methodIndex=3, args=0x7fff73a52e70, gpregs=0x7fff73a52df0, fpregs=0x7fff73a52e20) at /home/karl/moz/dev/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121 #38 0x00007fe6b1166e2b in SharedStub () from /home/karl/moz/dev/obj/dist/bin/libxul.so #39 0x00007fe6afc5a590 in nsRefreshDriver::Notify (this=0x7fe6501c9c30, aTimer=0x7fe67da704a0) at /home/karl/moz/dev/layout/base/nsRefreshDriver.cpp:358 #40 0x00007fe6b114868c in nsTimerImpl::Fire (this=0x7fe67da704a0) at /home/karl/moz/dev/xpcom/threads/nsTimerImpl.cpp:476 (gdb) p key $2 = JSProto_DataView

http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f81ffb3fba84&tochange=f36749114f76 Bug 741041 perhaps.

(In reply to Karl Tomlinson (:karlt) from comment #1) > http://hg.mozilla.org/integration/mozilla-inbound/ > pushloghtml?fromchange=f81ffb3fba84&tochange=f36749114f76 > > Bug 741041 perhaps. Very probable. I'm looking into this regardless.

This bug was actually introduced in bug 575688, which implemented the DataView class from the typed array spec. The WebGL maps must check whether DataView is available and use it if so. We had a debug assert that needed to be widened a bit.

Sadly, I already wrote a test that would catch this, and landed it with 575688: js/src/tests/js1_8_5/extensions/dataview.js. But tinderbox doesn't run those tests, and when I run it manually I tend to pass either no flags or -m -a, and the test will only fail with -n (to enable type inference). (I just ran into the assertion independently, right after having fixed this.)

Comment on attachment 626921 [details] [diff] [review] Add JSProto_DataView to the setFlagsFromKey assert [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 575688 User impact if declined: websites eg the WebGL version of google maps will crash debug browsers Testing completed (on m-c, etc.): It's been on m-c for nearly a month Risk to taking this patch (and alternatives if risky): (debug assertion only) String or UUID changes made by this patch: none

Comment on attachment 626921 [details] [diff] [review] Add JSProto_DataView to the setFlagsFromKey assert [Triage Comment] No risk to normal users, approved for Aurora 15.

Comment on attachment 626921 [details] [diff] [review] Add JSProto_DataView to the setFlagsFromKey assert Whoops, sorry! It appears that the fix already made it into Aurora. (And the triggering bug is not on beta.)

Marking fixed in 15 per comment 10.