Closed Bug 992377 Opened 10 years ago Closed 10 years ago

Fatal assert with gecko profiler on yammer

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 994957

People

(Reporter: bzbarsky, Assigned: djvj)

References

Details

(Keywords: assertion, Whiteboard: [js:p1])

Steps to reproduce:

1) Install Gecko profiler extension
2) Log in to Yammer

ACTUAL RESULTS: Some of the time (2 out of 3 loads so far for me) I get a fatal assert:

Assertion failure: offset < length(), at ../../../mozilla/js/src/jsscript.h:944

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
[Switching to process 61779 thread 0xd857]
JSScript::offsetToPC (this=0x136c6fe70, offset=43) at jsscript.h:944
944             JS_ASSERT(offset < length());
(gdb) bt
#0  JSScript::offsetToPC (this=0x136c6fe70, offset=43) at jsscript.h:944
#1  0x0000000102cecf00 in js::ProfileEntry::pc (this=0x1006771e0) at SPSProfiler.cpp:330
#2  0x00000001073e1cbf in addProfileEntry (entry=@0x1006771e0, aProfile=@0x112d32860, stack=0x100677000, lastpc=0x0) at TableTicker.cpp:345
#3  0x00000001073d88b6 in doSampleStackTrace (aStack=0x100677000, aProfile=@0x112d32860, sample=0x12b98ce08) at TableTicker.cpp:555
#4  0x00000001073d86b8 in TableTicker::InplaceTick (this=0x11304bce0, sample=0x12b98ce08) at TableTicker.cpp:634
#5  0x00000001073d849a in TableTicker::Tick (this=0x11304bce0, sample=0x12b98ce08) at TableTicker.cpp:572
#6  0x00000001073ef0b3 in SamplerThread::SampleContext (this=0x114085280, sampler=0x11304bce0, thread_profile=0x112d32860) at platform-macos.cc:269
#7  0x00000001073eeed2 in SamplerThread::Run (this=0x114085280) at platform-macos.cc:222
#8  0x00000001073dbfdc in ThreadEntry (arg=0x114085280) at platform-macos.cc:103
#9  0x00007fff97d94772 in _pthread_start ()
#10 0x00007fff97d811a1 in thread_start ()
(gdb) frame 0
#0  JSScript::offsetToPC (this=0x136c6fe70, offset=43) at jsscript.h:944
944             JS_ASSERT(offset < length());
(gdb) p offset
$12 = 43
(gdb) p length()
$13 = 21
(gdb) p filename()
$15 = 0x1358c9600 "https://c64.assets-yammer.com/assets/vendor-4debc085c4ec407eb4852954143be359.js"
(gdb) p lineno()
$17 = 24

(sadly, this is minified script; I _think_ this is jQuery).

(gdb) frame 3
#3  0x00000001073d88b6 in doSampleStackTrace (aStack=0x100677000, aProfile=@0x112d32860, sample=0x12b98ce08) at TableTicker.cpp:555
555         addProfileEntry(aStack->mStack[i], aProfile, aStack, nullptr);
(gdb) p i
$21 = 15
(gdb) p aStack->mStack[i]
$22 = {
  <js::ProfileEntry> = {
    string = 0x140386d60 "._data (https://c64.assets-yammer.com/assets/vendor-4debc085c4ec407eb4852954143be359.js:24)", 
    sp = 0x0, 
    script_ = 0x136c6fe70, 
    idx = 43, 
    static NullPCIndex = -1, 
    static NoCopyBit = 1
  }, <No data fields>}
I guess this is related to the removal of the update for inlined functions; we might still update the pc-offset based on the inlined function and not based on the outer-most one.
Flags: needinfo?(kvijayan)
Keywords: assertion
Whiteboard: [js:p1]
This is likely a dup of bug 994957.
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
Depends on: 994957
Cleaning up old bugs.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE