Closed
Bug 908047
Opened 11 years ago
Closed 8 months ago
Profiler debug assertion: frame->script->code <= pc && pc < frame->script->code + frame->script->length, at vm/SPSProfiler.h:357
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
INCOMPLETE
People
(Reporter: jld, Unassigned)
Steps to reproduce: build with --enable-profiling and --enable-debug, start with MOZ_PROFILER_STARTUP=1, then do something with a lot of JS (I used sunspider).
Program received signal SIGSEGV, Segmentation fault.
leave (scratch=..., masm=..., pc=<optimized out>, this=<optimized out>)
at /home/jld/src/mozilla-central/js/src/vm/SPSProfiler.h:356
356 JS_ASSERT(frame->script->code <= pc &&
(gdb) up
#1 leave (reg=..., masm=..., this=<optimized out>)
at /home/jld/src/mozilla-central/js/src/jit/IonInstrumentation.h:33
33 BaseInstrumentation::leave(*trackedPc_, masm, reg);
(gdb) up
#2 js::ion::MacroAssembler::leaveSPSFrame (this=0x7fffbabf4050)
at /home/jld/src/mozilla-central/js/src/jit/IonMacroAssembler.h:800
800 sps_->leave(*this, CallTempReg0);
(gdb) p/x sps_
$1 = 0x7fffbabf4998
(gdb) p/x $1->trackedPc_
$2 = 0x7fffbabf4010
(gdb) p/x *$2
$3 = 0x7fffbb3ed0ec
(gdb) p/x $1->frame->script
$4 = 0x7fffbaf62040
(gdb) p/x $4->code
$5 = 0x7fffbabb5289
(gdb) p/x $4->length
$6 = 0x46
$3 is pc from the original assertion; $5 and $6 are frame->script->code and frame->script->length, respectively. It is clearly out of range for the script it's supposed to be inside.
And for some reason gdb (7.6) is taking about 90 seconds of CPU time for each member lookup, so it was difficult to gather even this much information.
Comment 1•11 years ago
Repro'ed on B2G, so probably not machine-dependent.
Program received signal SIGSEGV, Segmentation fault.
0x41d3d7b2 in js::SPSInstrumentation<js::ion::MacroAssembler, js::ion::Register>::leave (
this=0x45709038) at /home/jld/src/B2G/gecko/js/src/vm/SPSProfiler.h:356
356 JS_ASSERT(frame->script->code <= pc &&
(gdb) p frame
Cannot access memory at address 0x30
(gdb) up
#1 js::ion::IonInstrumentation::leave (this=0x45709038)
at /home/jld/src/B2G/gecko/js/src/jit/IonInstrumentation.h:33
33 BaseInstrumentation::leave(*trackedPc_, masm, reg);
(gdb) up
#2 js::ion::MacroAssembler::leaveSPSFrame (this=0x45709038)
at /home/jld/src/B2G/gecko/js/src/jit/IonMacroAssembler.h:800
800 sps_->leave(*this, CallTempReg0);
(gdb) p sps_
$1 = (js::ion::IonInstrumentation *) 0x4570a898
(gdb) p sps_->trackedPc_
$2 = (jsbytecode **) 0x45709008
(gdb) p *$2
$3 = (jsbytecode *) 0x451910ec ">W"
(gdb) p sps_->frame->script
$4 = (JSScript *) 0x45866300
(gdb) p $4->code
$5 = (jsbytecode *) 0x453f3609 "T"
(gdb) p $4->length
$6 = 70
0x451910ec is definitely not inside a 70-byte script that starts at 0x453f3609.
(This is GDB 7.1-android-gg2, and I'm not having the name lookup issues here that I was in comment #0, for what it's worth.)
Updated•10 years ago
Assignee: general → nobody
Updated•2 years ago
Severity: normal → S3
Updated•8 months ago
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → INCOMPLETE