Closed Bug 1016859 Opened 10 years ago Closed 3 years ago

Assertion failure and crash for SPSProfiler: 'offset < length()', at /js/src/jsscript.h:942

Categories

(Core :: Gecko Profiler, defect)

32 Branch
x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 994957
Tracking Status
firefox31 - affected
firefox32 --- ?

People

(Reporter: whimboo, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash)

While running a debug build to investigate bug 1009675, I frequently hit this assertion and crash at least on Linux:

Assertion failure: offset < length(), at /mozilla/code/firefox/aurora/js/src/jsscript.h:942

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1dcdc1b in JSScript::offsetToPC (this=0x7fff8643d8f8, offset=232) at /mozilla/code/firefox/aurora/js/src/jsscript.h:942
942         JS_ASSERT(offset < length());
(gdb) bt
#0  0x00007ffff1dcdc1b in JSScript::offsetToPC (this=0x7fff8643d8f8, offset=232) at /mozilla/code/firefox/aurora/js/src/jsscript.h:942
#1  0x00007ffff22dfdda in js::ProfileEntry::pc (this=0x7ffff6ca5600) at /mozilla/code/firefox/aurora/js/src/vm/SPSProfiler.cpp:330
#2  0x00007ffff0e5d89b in addProfileEntry (entry=..., aProfile=..., stack=0x7ffff6ca5000, lastpc=0x0)
    at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:351
#3  0x00007ffff0e5daad in doSampleStackTrace (aStack=0x7ffff6ca5000, aProfile=..., sample=0x7ffffffed820)
    at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:561
#4  0x00007ffff0e5dd20 in TableTicker::InplaceTick (this=0x7fffb40e7d40, sample=0x7ffffffed820)
    at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:640
#5  0x00007ffff0e5db72 in TableTicker::Tick (this=0x7fffb40e7d40, sample=0x7ffffffed820) at /mozilla/code/firefox/aurora/tools/profiler/TableTicker.cpp:578
#6  0x00007ffff0e3a66d in ProfilerSignalHandler (signal=27, info=0x7ffffffed9b0, context=0x7ffffffed880)
    at /mozilla/code/firefox/aurora/tools/profiler/platform-linux.cc:227
#7  <signal handler called>
#8  0x00007ffff1e741f2 in ThingIsPermanentAtom<js::ObjectImpl> (thing=0x7fffddeaa000) at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:140
#9  0x00007ffff1e6c93f in CheckMarkedThing<js::ObjectImpl> (trc=0x7fffddeaa4a0, thing=0x7fffb93cfe20) at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:163
#10 0x00007ffff1e65a27 in MarkInternal<js::ObjectImpl> (trc=0x7fffddeaa4a0, thingp=0x7ffffffedf00) at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:211
#11 0x00007ffff1e728bc in js::gc::MarkUnbarriered<js::ObjectImpl> (trc=0x7fffddeaa4a0, thingp=0x7ffffffedf00, name=0x7ffff33a85e8 "read barrier")
    at /mozilla/code/firefox/aurora/js/src/gc/Marking.cpp:261
#12 0x00007ffff1e2959a in js::gc::BarrieredCell<js::ObjectImpl>::readBarrier (thing=0x7fffb93cfe20) at /mozilla/code/firefox/aurora/js/src/gc/Barrier.h:198
#13 0x00007ffff1e29ca2 in js::ReadBarriered<js::GlobalObject>::get (this=0x7fffb7adb048) at /mozilla/code/firefox/aurora/js/src/gc/Barrier.h:1199
#14 0x00007ffff1e295f0 in js::ReadBarriered<js::GlobalObject>::operator js::GlobalObject* (this=0x7fffb7adb048)
    at /mozilla/code/firefox/aurora/js/src/gc/Barrier.h:1203
#15 0x00007ffff1e28a9e in JSCompartment::maybeGlobal (this=0x7fffb7adb000) at /mozilla/code/firefox/aurora/js/src/jscompartmentinlines.h:25
#16 0x00007ffff1e2900d in JSObject::global (this=0x7fff99b50cc0) at /mozilla/code/firefox/aurora/js/src/jsobjinlines.h:649
#17 0x00007ffff20b7c08 in JSCompartment::wrap (this=0x7fff98c3a800, cx=0x7fff94ad46e0, obj=..., existingArg=...)
    at /mozilla/code/firefox/aurora/js/src/jscompartment.cpp:345
#18 0x00007ffff221f3d5 in js::CrossCompartmentWrapper::get (this=0x7ffff574b6d0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fff94ad46e0, wrapper=..., 
    receiver=..., id=..., vp=...) at /mozilla/code/firefox/aurora/js/src/jswrapper.cpp:322
#19 0x00007ffff21a76f1 in js::Proxy::get (cx=0x7fff94ad46e0, proxy=..., receiver=..., id=..., vp=...) at /mozilla/code/firefox/aurora/js/src/jsproxy.cpp:2536
#20 0x00007ffff21a7875 in js::Proxy::callProp (cx=0x7fff94ad46e0, proxy=..., receiver=..., id=..., vp=...)
    at /mozilla/code/firefox/aurora/js/src/jsproxy.cpp:2546
#21 0x00007fffbace8fbf in ?? ()
#22 0x00007fff94ad46e0 in ?? ()
#23 0x00007ffffffee390 in ?? ()
#24 0x0000000000000000 in ?? ()

Affected code in SPSProfiler.cpp:

327 JS_FRIEND_API(jsbytecode*)
328 ProfileEntry::pc() const volatile
329 {
330     return idx == NullPCIndex ? nullptr : script()->offsetToPC(idx);
331 }

When I continue, Firefox crashes with signal 11:

Program /mozilla/code/firefox/obj/aurora/dist/bin/firefox (pid = 25766) received signal 11.
Stack:
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04ED6FDE]
UNKNOWN [/lib/x86_64-linux-gnu/libpthread.so.0 +0x00010340]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0479AC1B]
js::ProfileEntry::pc() const volatile+0x0000003A [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04CACDDA]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382A89B]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382AAAD]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382AD20]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0382AB72]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0380766D]
UNKNOWN [/lib/x86_64-linux-gnu/libpthread.so.0 +0x00010340]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x048411F2]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0483993F]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04832A27]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x0483F8BC]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F659A]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F6CA2]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F65F0]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F5A9E]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x047F600D]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04A84C08]
js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)+0x00000159 [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04BEC3D5]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04B746F1]
UNKNOWN [/mozilla/code/firefox/obj/aurora/dist/bin/libxul.so +0x04B74875]
UNKNOWN 0x7fffbace8fbf

Looks like I always hit this problem when I'm trying to log in via Persona for https://mozqa.etherpad.mozilla.org. When I click sign-in inside of the opened Persona popup, this assertion happens.

(gdb) frame 0
#0  0x00007ffff1dcdc1b in JSScript::offsetToPC (this=0x7fff9bf87e70, offset=232) at /mozilla/code/firefox/aurora/js/src/jsscript.h:942
942         JS_ASSERT(offset < length());
(gdb) p offset
$2 = 232
(gdb) p length()
$1 = 35
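The snippet of ProfileEntry::pc() quoted above and the gdb values (offset=232 against a script whose length() is 35) together describe the invariant the assertion enforces: idx must be below the script's bytecode length, and the only guard in that path is a debug-only JS_ASSERT, so a release build would compute code + 232 on a 35-byte script. The following is an added example, not code from this bug or from SpiderMonkey: Script, ProfileEntry, kNullPCIndex, entryPcUnchecked, entryPcChecked, bytesPastEnd and Fixture are constructed stand-ins, and the bytecode contents are filler. The checked variant reads idx once and treats an out-of-range value as "pc unknown"; that it can be observed in such a state while the SIGPROF handler runs (as in the backtrace) is an assumption for the sake of the example, not a root cause this bug establishes, and it is not the fix that landed in bug 994957.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for SpiderMonkey's JSScript and ProfileEntry; not the
// real types, only enough to reproduce the invariant the assertion checks.
struct Script {
    uint8_t *code;    // bytecode buffer
    uint32_t length;  // number of bytecode bytes, i.e. JSScript::length()
};

// Assumption: sentinel meaning "this entry carries no pc" (NullPCIndex on the page).
static const uint32_t kNullPCIndex = UINT32_MAX;

struct ProfileEntry {
    Script *script;
    volatile uint32_t idx;  // written on the JS thread, read from the SIGPROF handler
};

// Mirrors the shape of the page's ProfileEntry::pc(): apart from a debug-only
// assertion there is no bounds check, so a release build computes code + idx
// even when idx >= length. The caller must guarantee idx < script->length.
uint8_t *entryPcUnchecked(const ProfileEntry &e) {
    if (e.idx == kNullPCIndex) return nullptr;
    return e.script->code + e.idx;
}

// Hardened variant: read idx exactly once (the sampler may run between the JS
// thread's writes) and refuse anything outside [0, length) instead of trusting it.
uint8_t *entryPcChecked(const ProfileEntry &e) {
    uint32_t idx = e.idx;
    if (idx == kNullPCIndex || e.script == nullptr) return nullptr;
    if (idx >= e.script->length) return nullptr;  // the condition JS_ASSERT checked
    return e.script->code + idx;
}

// How many bytes beyond the end of the bytecode the unchecked pc() would point;
// 0 when idx is in range. For the values in the gdb session (232, 35) this is 197.
uint32_t bytesPastEnd(uint32_t idx, uint32_t length) {
    return idx >= length ? idx - length : 0;
}

// Builds an entry in the state the gdb session shows: a 35-byte script and a
// caller-chosen idx. The bytecode bytes are constructed filler.
struct Fixture {
    uint8_t code[35];
    Script script;
    ProfileEntry entry;
    explicit Fixture(uint32_t idx) {
        for (size_t i = 0; i < sizeof code; ++i) code[i] = static_cast<uint8_t>(0x90 + (i % 4));
        script.code = code;
        script.length = static_cast<uint32_t>(sizeof code);
        entry.script = &script;
        entry.idx = idx;
    }
};

int main() {
    Fixture bad(232);
    std::printf("idx=%u length=%u -> checked pc: %s; unchecked pc would be %u bytes past the end\n",
                static_cast<unsigned>(bad.entry.idx), bad.script.length,
                entryPcChecked(bad.entry) ? "valid" : "nullptr",
                bytesPastEnd(bad.entry.idx, bad.script.length));
    Fixture good(10);
    std::printf("idx=10 length=35 -> checked pc: %s\n",
                entryPcChecked(good.entry) == good.code + 10 ? "code+10" : "unexpected");
    return 0;
}
```

With the page's numbers the checked variant returns nullptr where the original would have handed the sampler a pointer 197 bytes beyond the script, which is the difference between a dropped sample and a read past the bytecode buffer in a build where JS_ASSERT compiles out.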

Chances are this is a duplicate of bug 992377.

Can this reproduce on FF32?  If this is a dupe of 992377 - which is possibly a dupe of 994957 - then it should not and we should look into uplifting the fix in bug 994957 to 31.
Flags: needinfo?(hskupin)

Henrik, do you still see it?
Untracking for now. Please resubmit if it still occurs.
Flags: needinfo?(hskupin)

Blocks: 1329181

Hey Henrik,
Can you still reproduce this issue or should we close it?

Flags: needinfo?(hskupin)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(hskupin)