Closed Bug 936295 Opened 11 years ago Closed 8 years ago

[e10s] Assertion failure: frame->script->code <= pc && pc < frame->script->code + frame->script->length, at js\src\vm/SPSProfiler.h

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Windows 8.1
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME
Tracking Status
e10s later ---

People

(Reporter: TimAbraldes, Unassigned)

References

Details

If I have a gmail tab open long enough, I will see the following assertion fire, followed by plugin-container.exe crashing:

Assertion failure: frame->script->code <= pc && pc < frame->script->code + frame->script->length, at c:\src\mc2\js\src\vm/SPSProfiler.h:357

Here's a call stack:

mozjs!js::SPSInstrumentation<js::jit::MacroAssembler,js::jit::Register>::leave(unsigned char * pc = 0x06cd2ec1 ">(T", class js::jit::MacroAssembler * masm = 0x17dbe3d8, struct js::jit::Register scratch = struct js::jit::Register)+0x91
mozjs!js::jit::IonInstrumentation::leave(class js::jit::MacroAssembler * masm = 0x17dbe3d8, struct js::jit::Register reg = struct js::jit::Register)+0x20
mozjs!js::jit::MacroAssembler::leaveSPSFrame(void)+0x4f
mozjs!js::jit::MacroAssembler::callWithExitFrame(class js::jit::IonCode * target = 0x06323268)+0x11
mozjs!js::jit::CodeGeneratorShared::callVM(struct js::jit::VMFunction * fun = 0x662859b0, class js::jit::LInstruction * ins = 0x17d546a0, struct js::jit::Register * dynStack = 0x00000000)+0x292
mozjs!js::jit::CodeGenerator::visitOutOfLineInterruptCheckImplicit(class js::jit::OutOfLineInterruptCheckImplicit * ool = 0x137709b0)+0x11f
mozjs!js::jit::OutOfLineInterruptCheckImplicit::accept(class js::jit::CodeGenerator * codegen = 0x17dbe3a0)+0x13
mozjs!js::jit::OutOfLineCodeBase<js::jit::CodeGenerator>::generate(class js::jit::CodeGeneratorShared * codegen = 0x17dbe3a0)+0x18
mozjs!js::jit::CodeGeneratorShared::generateOutOfLineCode(void)+0x11e
mozjs!js::jit::CodeGeneratorX86Shared::generateOutOfLineCode(void)+0x11
mozjs!js::jit::CodeGenerator::generate(void)+0x17c
mozjs!js::jit::GenerateCode(class js::jit::MIRGenerator * mir = 0x13acc998, class js::jit::LIRGraph * lir = 0x17d52d40, class js::jit::MacroAssembler * maybeMasm = 0x00000000)+0x5d
mozjs!js::jit::CompileBackEnd(class js::jit::MIRGenerator * mir = 0x13acc998, class js::jit::MacroAssembler * maybeMasm = 0x00000000)+0x45
mozjs!js::jit::IonCompile(struct JSContext * cx = 0x11425500, class JSScript * script = 0x158e2a80, class js::jit::BaselineFrame * baselineFrame = 0x008a6348, unsigned char * osrPc = 0x00000000 "", bool constructing = false, js::ExecutionMode executionMode = SequentialExecution (0n0))+0x5f2
mozjs!js::jit::Compile(struct JSContext * cx = 0x11425500, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, class js::jit::BaselineFrame * osrFrame = 0x008a6348, unsigned char * osrPc = 0x00000000 "", bool constructing = false, js::ExecutionMode executionMode = SequentialExecution (0n0))+0x286
mozjs!js::jit::CompileFunctionForBaseline(struct JSContext * cx = 0x11425500, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, class js::jit::BaselineFrame * frame = 0x008a6348, bool isConstructing = false)+0x1fe
mozjs!js::jit::EnsureCanEnterIon(struct JSContext * cx = 0x11425500, class js::jit::ICUseCount_Fallback * stub = 0x17e26518, class js::jit::BaselineFrame * frame = 0x008a6348, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, unsigned char * pc = 0x1220e7c9 "???", void ** jitcodePtr = 0x008a62d8)+0x127
mozjs!js::jit::DoUseCountFallback(struct JSContext * cx = 0x11425500, class js::jit::ICUseCount_Fallback * stub = 0x17e26518, class js::jit::BaselineFrame * frame = 0x008a6348, struct js::jit::IonOsrTempData ** infoPtr = 0x008a6314)+0x23a
0xe6b6e9b
mozjs!array_join(struct JSContext * cx = 0x000001c4, unsigned int argc = 0x11009640, class JS::Value * vp = 0x00000001)+0x4e
0xe6b06c4
mozjs!mozilla::detail::AddU32ToHash(unsigned int hash = 0x2d1f8380, unsigned int value = 2)+0xe
mozjs!EnterBaseline(struct JSContext * cx = 0x11425500, struct js::jit::EnterJitData * data = 0x008a658c)+0x302
mozjs!js::jit::EnterBaselineMethod(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008a70fc)+0xcf
mozjs!Interpret(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008a77a8)+0xa403
mozjs!js::RunScript(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008a77a8)+0x19b
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x3aa
mozjs!js::CallOrConstructBoundFunction(struct JSContext * cx = 0x11425500, unsigned int argc = 1, class JS::Value * vp = 0x043c4ce0)+0x3c5
mozjs!js::CallJSNative(struct JSContext * cx = 0x11425500, <function> * native = 0x64a46009, class JS::CallArgs * args = 0x008a7b30)+0x64
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x2d8
mozjs!Interpret(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008a8c6c)+0xa090
mozjs!js::RunScript(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008a8c6c)+0x19b
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x3aa
mozjs!js::CallOrConstructBoundFunction(struct JSContext * cx = 0x11425500, unsigned int argc = 1, class JS::Value * vp = 0x043c4be0)+0x3c5
mozjs!js::CallJSNative(struct JSContext * cx = 0x11425500, <function> * native = 0x64a46009, class JS::CallArgs * args = 0x008a8ff4)+0x64
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x2d8
mozjs!Interpret(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008aa130)+0xa090
mozjs!js::RunScript(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008aa130)+0x19b
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x3aa
mozjs!js::CallOrConstructBoundFunction(struct JSContext * cx = 0x11425500, unsigned int argc = 2, class JS::Value * vp = 0x008aa550)+0x3c5
mozjs!js::CallJSNative(struct JSContext * cx = 0x11425500, <function> * native = 0x64a46009, class JS::CallArgs * args = 0x008aa4b8)+0x64
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x2d8
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::Value * thisv = 0x043c4ac0, class JS::Value * fval = 0x008aa5ec, unsigned int argc = 2, class JS::Value * argv = 0x043c4ac8, class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x1e0
mozjs!js::DirectProxyHandler::call(struct JSContext * cx = 0x11425500, class JS::Handle<JSObject *> proxy = class JS::Handle<JSObject *>, class JS::CallArgs * args = 0x008aa6f8)+0xa7
mozjs!js::CrossCompartmentWrapper::call(struct JSContext * cx = 0x11425500, class JS::Handle<JSObject *> wrapper = class JS::Handle<JSObject *>, class JS::CallArgs * args = 0x008aa6f8)+0x161
mozjs!js::Proxy::call(struct JSContext * cx = 0x11425500, class JS::Handle<JSObject *> proxy = class JS::Handle<JSObject *>, class JS::CallArgs * args = 0x008aa6f8)+0xc5
mozjs!proxy_Call(struct JSContext * cx = 0x11425500, unsigned int argc = 2, class JS::Value * vp = 0x043c4ab8)+0xaf
mozjs!js::CallJSNative(struct JSContext * cx = 0x11425500, <function> * native = 0x64d0eba0, class JS::CallArgs * args = 0x008aa918)+0x64
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x249
mozjs!Interpret(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008aba54)+0xa090
mozjs!js::RunScript(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008aba54)+0x19b
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x3aa
mozjs!js_fun_call(struct JSContext * cx = 0x11425500, unsigned int argc = 1, class JS::Value * vp = 0x043c48c0)+0x224
mozjs!js::CallJSNative(struct JSContext * cx = 0x11425500, <function> * native = 0x64a470c6, class JS::CallArgs * args = 0x008abdc4)+0x64
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x2d8
mozjs!Interpret(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008acf00)+0xa090
mozjs!js::RunScript(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008acf00)+0x19b
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x3aa
mozjs!js_fun_apply(struct JSContext * cx = 0x11425500, unsigned int argc = 2, class JS::Value * vp = 0x043c4830)+0x890
mozjs!js::CallJSNative(struct JSContext * cx = 0x11425500, <function> * native = 0x64a39011, class JS::CallArgs * args = 0x008ad3d8)+0x64
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x2d8
mozjs!Interpret(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008ae514)+0xa090
mozjs!js::RunScript(struct JSContext * cx = 0x11425500, class js::RunState * state = 0x008ae514)+0x19b
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x3aa
mozjs!js::Invoke(struct JSContext * cx = 0x11425500, class JS::Value * thisv = 0x008ae674, class JS::Value * fval = 0x008ae6dc, unsigned int argc = 1, class JS::Value * argv = 0x008ae74c, class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x1e0
mozjs!JS_CallFunctionValue(struct JSContext * cx = 0x11425500, class JSObject * objArg = 0x10e11490, class JS::Value fval = class JS::Value, unsigned int argc = 1, class JS::Value * argv = 0x008ae74c, class JS::Value * rval = 0x008ae7b4)+0x139
xul!mozilla::dom::EventListener::HandleEvent(struct JSContext * cx = 0x11425500, class JS::Handle<JSObject *> aThisObj = class JS::Handle<JSObject *>, class nsDOMEvent * event = 0x13b02ec8, class mozilla::ErrorResult * aRv = 0x008ae8c4)+0x2c2
xul!mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget *>(class mozilla::dom::EventTarget ** thisObj = 0x008ae8f8, class nsDOMEvent * event = 0x13b02ec8, class mozilla::ErrorResult * aRv = 0x008ae8c4, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling = eReportExceptions (0n0))+0x124
xul!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x121f64d8, class mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener,nsIDOMEventListener> * aListener = 0x121f64d8, class nsIDOMEvent * aDOMEvent = 0x13b02ef4, class mozilla::dom::EventTarget * aCurrentTarget = 0x121e3b60, class nsCxPusher * aPusher = 0x008aea8c)+0xd3
xul!nsEventListenerManager::HandleEventInternal(class nsPresContext * aPresContext = 0x00000000, class mozilla::WidgetEvent * aEvent = 0x17ce8778, class nsIDOMEvent ** aDOMEvent = 0x008aea7c, class mozilla::dom::EventTarget * aCurrentTarget = 0x121e3b60, nsEventStatus * aEventStatus = 0x008aea80, class nsCxPusher * aPusher = 0x008aea8c)+0x1f7
xul!nsEventListenerManager::HandleEvent(class nsPresContext * aPresContext = 0x00000000, class mozilla::WidgetEvent * aEvent = 0x17ce8778, class nsIDOMEvent ** aDOMEvent = 0x008aea7c, class mozilla::dom::EventTarget * aCurrentTarget = 0x121e3b60, nsEventStatus * aEventStatus = 0x008aea80, class nsCxPusher * aPusher = 0x008aea8c)+0xe2
xul!nsEventTargetChainItem::HandleEvent(class nsEventChainPostVisitor * aVisitor = 0x008aea74, class ELMCreationDetector * aCd = 0x008aeb24, class nsCxPusher * aPusher = 0x008aea8c)+0x133
xul!nsEventTargetChainItem::HandleEventTargetChain(class nsTArray<nsEventTargetChainItem> * aChain = 0x008aeb0c, class nsEventChainPostVisitor * aVisitor = 0x008aea74, class nsDispatchingCallback * aCallback = 0x00000000, class ELMCreationDetector * aCd = 0x008aeb24, class nsCxPusher * aPusher = 0x008aea8c)+0x19a
xul!nsEventDispatcher::Dispatch(class nsISupports * aTarget = 0x121e4000, class nsPresContext * aPresContext = 0x00000000, class mozilla::WidgetEvent * aEvent = 0x17ce8778, class nsIDOMEvent * aDOMEvent = 0x13b02ef4, nsEventStatus * aEventStatus = 0x008aec54, class nsDispatchingCallback * aCallback = 0x00000000, class nsCOMArray<mozilla::dom::EventTarget> * aTargets = 0x00000000)+0xd19
xul!PostMessageEvent::Run(void)+0x8dc
xul!nsThread::ProcessNextEvent(bool mayWait = false, bool * result = 0x008aed77)+0x400
xul!NS_ProcessNextEvent(class nsIThread * thread = 0x00de95e0, bool mayWait = false)+0x54
xul!mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate * aDelegate = 0x008aef80)+0xfd
xul!mozilla::ipc::MessagePumpForChildProcess::Run(class base::MessagePump::Delegate * aDelegate = 0x008aef80)+0x14b
xul!MessageLoop::RunInternal(void)+0x4e
xul!MessageLoop::RunHandler(void)+0x82
xul!MessageLoop::Run(void)+0x1d
xul!nsBaseAppShell::Run(void)+0x50
xul!nsAppShell::Run(void)+0x12
xul!XRE_RunAppShell(void)+0x7a
xul!mozilla::ipc::MessagePumpForChildProcess::Run(class base::MessagePump::Delegate * aDelegate = 0x008aef80)+0x5d
xul!MessageLoop::RunInternal(void)+0x4e
xul!MessageLoop::RunHandler(void)+0x82
xul!MessageLoop::Run(void)+0x1d
xul!XRE_InitChildProcess(int aArgc = 0n4, char ** aArgv = 0x00dd9808, GeckoProcessType aProcess = GeckoProcessType_Content (0n2))+0x7c2
plugin_container!NS_internal_main(int argc = 0n7, char ** argv = 0x00dd9808)+0xd0
plugin_container!wmain(int argc = 0n8, wchar_t ** argv = 0x00dd51d0)+0x119
plugin_container!__tmainCRTStartup(void)+0x1bf
plugin_container!wmainCRTStartup(void)+0xf
KERNEL32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x20
ntdll!_RtlUserThreadStart+0x1b
Summary: [e10s] Assertion failure when running with e10s enabled → [e10s] Assertion failure: frame->script->code <= pc && pc < frame->script->code + frame->script->length, at js\src\vm/SPSProfiler.h
Many SPS/profiler changes and fixes have landed in the past 3 years. Please file a new bug if you're still seeing this.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME