Closed
Bug 1016859
Opened 10 years ago
Closed 3 years ago
Assertion failure and crash for SPSProfiler: 'offset < length()', at /js/src/jsscript.h:942
Categories
(Core :: Gecko Profiler, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 994957
People
(Reporter: whimboo, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash)
While running a debug build to investigate bug 1009675, I frequently hit this assertion and crash at least on Linux:

Assertion failure: offset < length(), at /mozilla/code/firefox/aurora/js/src/jsscript.h:942

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1dcdc1b in JSScript::offsetToPC (this=0x7fff8643d8f8, offset=232) at /mozilla/code/firefox/aurora/js/src/jsscript.h:942
942 JS_ASSERT(offset < length());
(gdb) bt
#0 0x00007ffff1dcdc1b in JSScript::offsetToPC (this=0x7fff8643d8f8, offset=232) at /mozilla/code/firefox/aurora/js/src/jsscript.h:942
#1 0x00007ffff22dfdda in js::ProfileEntry::pc (this=0x7ffff6ca5600) at /mozilla/code/firefox/aurora/js/src/vm/SPSProfiler.cpp:330
#2 0x00007ffff0e5d89b in addProfileEntry (entry=..., aProfile=..., stack=0x7ffff6ca5000, lastpc=0x0) at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:351
#3 0x00007ffff0e5daad in doSampleStackTrace (aStack=0x7ffff6ca5000, aProfile=..., sample=0x7ffffffed820) at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:561
#4 0x00007ffff0e5dd20 in TableTicker::InplaceTick (this=0x7fffb40e7d40, sample=0x7ffffffed820) at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:640
#5 0x00007ffff0e5db72 in TableTicker::Tick (this=0x7fffb40e7d40, sample=0x7ffffffed820) at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:578
#6 0x00007ffff0e3a66d in ProfilerSignalHandler (signal=27, info=0x7ffffffed9b0, context=0x7ffffffed880) at /mozilla/code/firefox/aurora/tools/profiler/platform-linux.cc:227
#7 <signal handler called>
#8 0x00007ffff1e741f2 in ThingIsPermanentAtom<js::ObjectImpl> (thing=0x7fffddeaa000) at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:140
#9 0x00007ffff1e6c93f in CheckMarkedThing<js::ObjectImpl> (trc=0x7fffddeaa4a0, thing=0x7fffb93cfe20) at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:163
#10 0x00007ffff1e65a27 in MarkInternal<js::ObjectImpl> (trc=0x7fffddeaa4a0, thingp=0x7ffffffedf00) at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:211
#11 0x00007ffff1e728bc in js::gc::MarkUnbarriered<js::ObjectImpl> (trc=0x7fffddeaa4a0, thingp=0x7ffffffedf00, name=0x7ffff33a85e8 "read barrier") at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:261
#12 0x00007ffff1e2959a in js::gc::BarrieredCell<js::ObjectImpl>::readBarrier (thing=0x7fffb93cfe20) at /mozilla/code/firefox/aurora/js/src/gc/Barrier.h:198
#13 0x00007ffff1e29ca2 in js::ReadBarriered<js::GlobalObject>::get (this=0x7fffb7adb048) at /mozilla/code/firefox/aurora/js/src/gc/Barrier.h:1199
#14 0x00007ffff1e295f0 in js::ReadBarriered<js::GlobalObject>::operator js::GlobalObject* (this=0x7fffb7adb048) at /mozilla/code/firefox/aurora/js/src/gc/Barrier.h:1203
#15 0x00007ffff1e28a9e in JSCompartment::maybeGlobal (this=0x7fffb7adb000) at /mozilla/code/firefox/aurora/js/src/jscompartmentinlines.h:25
#16 0x00007ffff1e2900d in JSObject::global (this=0x7fff99b50cc0) at /mozilla/code/firefox/aurora/js/src/jsobjinlines.h:649
#17 0x00007ffff20b7c08 in JSCompartment::wrap (this=0x7fff98c3a800, cx=0x7fff94ad46e0, obj=..., existingArg=...) at /mozilla/code/firefox/aurora/js/src/jscompartment.cpp:345
#18 0x00007ffff221f3d5 in js::CrossCompartmentWrapper::get (this=0x7ffff574b6d0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fff94ad46e0, wrapper=..., receiver=..., id=..., vp=...) at /mozilla/code/firefox/aurora/js/src/jswrapper.cpp:322
#19 0x00007ffff21a76f1 in js::Proxy::get (cx=0x7fff94ad46e0, proxy=..., receiver=..., id=..., vp=...) at /mozilla/code/firefox/aurora/js/src/jsproxy.cpp:2536
#20 0x00007ffff21a7875 in js::Proxy::callProp (cx=0x7fff94ad46e0, proxy=..., receiver=..., id=..., vp=...) at /mozilla/code/firefox/aurora/js/src/jsproxy.cpp:2546
#21 0x00007fffbace8fbf in ?? ()
#22 0x00007fff94ad46e0 in ?? ()
#23 0x00007ffffffee390 in ?? ()
#24 0x0000000000000000 in ?? ()

Affected code in SPSProfiler.cpp:

327 JS_FRIEND_API(jsbytecode*)
328 ProfileEntry::pc() const volatile
329 {
330     return idx == NullPCIndex ? nullptr : script()->offsetToPC(idx);
331 }

When I continue Firefox crashes with signal 11:

Program /mozilla/code/firefox/obj/aurora/dist/bin/firefox (pid = 25766) received signal 11.
Stack:
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04ED6FDE]
UNKNOWN [/lib/x86_64-linux-gnu/libpthread.so.0 +0x00010340]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0479AC1B]
js::ProfileEntry::pc() const volatile+0x0000003A [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04CACDDA]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382A89B]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382AAAD]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382AD20]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382AB72]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0380766D]
UNKNOWN [/lib/x86_64-linux-gnu/libpthread.so.0 +0x00010340]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x048411F2]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0483993F]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04832A27]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0483F8BC]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F659A]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F6CA2]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F65F0]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F5A9E]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F600D]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04A84C08]
js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)+0x00000159 [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04BEC3D5]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04B746F1]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04B74875]
UNKNOWN 0x7fffbace8fbf
Reporter
Comment 1•10 years ago
Looks like I always hit this problem when I'm trying to log in via Persona for https://mozqa.etherpad.mozilla.org. When I click sign-in inside of the opened Persona popup, this assertion happens.

(gdb) frame 0
#0 0x00007ffff1dcdc1b in JSScript::offsetToPC (this=0x7fff9bf87e70, offset=232) at /mozilla/code/firefox/aurora/js/src/jsscript.h:942
942 JS_ASSERT(offset < length());
(gdb) p offset
$2 = 232
(gdb) p length()
$1 = 35
Comment 2•10 years ago
Chances are this is a duplicate of bug 992377.
Comment 3•10 years ago
Can this reproduce on FF32? If this is a dupe of 992377 - which is possibly a dupe of 994957 - then it should not and we should look into uplifting the fix in bug 994957 to 31.
Flags: needinfo?(hskupin)
Comment 4•10 years ago
Henrik, do you still see it? Untracking for now. Please resubmit if it still occurs.
Updated•10 years ago
Flags: needinfo?(hskupin)
Comment 5•3 years ago
Hey Henrik,
Can you still reproduce this issue or should we close it?
Flags: needinfo?(hskupin)
Reporter
Updated•3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Reporter
Updated•3 years ago
Flags: needinfo?(hskupin)