Closed Bug 908047 Opened 11 years ago Closed 8 months ago

Profiler debug assertion: frame->script->code <= pc && pc < frame->script->code + frame->script->length, at vm/SPSProfiler.h:357

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

RESOLVED INCOMPLETE

People

(Reporter: jld, Unassigned)

Details

Steps to reproduce: build with --enable-profiling and --enable-debug, start with MOZ_PROFILER_STARTUP=1, then do something with a lot of JS (I used sunspider).

Program received signal SIGSEGV, Segmentation fault.
leave (scratch=..., masm=..., pc=<optimized out>, this=<optimized out>) at /home/jld/src/mozilla-central/js/src/vm/SPSProfiler.h:356
356 JS_ASSERT(frame->script->code <= pc &&
(gdb) up
#1 leave (reg=..., masm=..., this=<optimized out>) at /home/jld/src/mozilla-central/js/src/jit/IonInstrumentation.h:33
33 BaseInstrumentation::leave(*trackedPc_, masm, reg);
(gdb) up
#2 js::ion::MacroAssembler::leaveSPSFrame (this=0x7fffbabf4050) at /home/jld/src/mozilla-central/js/src/jit/IonMacroAssembler.h:800
800 sps_->leave(*this, CallTempReg0);
(gdb) p/x sps_
$1 = 0x7fffbabf4998
(gdb) p/x $1->trackedPc_
$2 = 0x7fffbabf4010
(gdb) p/x *$2
$3 = 0x7fffbb3ed0ec
(gdb) p/x $1->frame->script
$4 = 0x7fffbaf62040
(gdb) p/x $4->code
$5 = 0x7fffbabb5289
(gdb) p/x $4->length
$6 = 0x46

$3 is pc from the original assertion; $5 and $6 are frame->script->code and frame->script->length, respectively. It is clearly out of range for the script it's supposed to be inside. And for some reason gdb (7.6) is taking about 90 seconds of CPU time for each member lookup, so it was difficult to gather even this much information.
Repro'ed on B2G, so probably not machine-dependent.

Program received signal SIGSEGV, Segmentation fault.
0x41d3d7b2 in js::SPSInstrumentation<js::ion::MacroAssembler, js::ion::Register>::leave ( this=0x45709038) at /home/jld/src/B2G/gecko/js/src/vm/SPSProfiler.h:356
356 JS_ASSERT(frame->script->code <= pc &&
(gdb) p frame
Cannot access memory at address 0x30
(gdb) up
#1 js::ion::IonInstrumentation::leave (this=0x45709038) at /home/jld/src/B2G/gecko/js/src/jit/IonInstrumentation.h:33
33 BaseInstrumentation::leave(*trackedPc_, masm, reg);
(gdb) up
#2 js::ion::MacroAssembler::leaveSPSFrame (this=0x45709038) at /home/jld/src/B2G/gecko/js/src/jit/IonMacroAssembler.h:800
800 sps_->leave(*this, CallTempReg0);
(gdb) p sps_
$1 = (js::ion::IonInstrumentation *) 0x4570a898
(gdb) p sps_->trackedPc_
$2 = (jsbytecode **) 0x45709008
(gdb) p *$2
$3 = (jsbytecode *) 0x451910ec ">W"
(gdb) p sps_->frame->script
$4 = (JSScript *) 0x45866300
(gdb) p $4->code
$5 = (jsbytecode *) 0x453f3609 "T"
(gdb) p $4->length
$6 = 70

0x451910ec is definitely not inside a 70-byte script that starts at 0x453f3609. (This is GDB 7.1-android-gg2, and I'm not having the name lookup issues here that I was in comment #0, for what it's worth.)
Assignee: general → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → INCOMPLETE