Bug 1340094 - segfault in js/src/vm/TypedArrayObject.cpp
Status: RESOLVED WONTFIX (Closed)
Opened 8 years ago; closed 8 years ago
Category: Core :: JavaScript Engine, defect
Reporter: fly_a320; Assignee: Unassigned
User Agent: Mozilla/5.0 (X11; Linux i686; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20170214095711
Steps to reproduce:
make -j1 -f client.mk install
segfaults at
/usr/src/blfs-src/firefox-51.0.1/my-build-dir/dist/bin/xpcshell -g /usr/src/blfs-src/firefox-51.0.1/my-build-dir/dist/bin/ -a /usr/src/blfs-src/firefox-51.0.1/my-build-dir/dist/bin/ -f /usr/src/blfs-src/firefox-51.0.1/toolkit/mozapps/installer/precompile_cache.js -e precompile_startupcache("resource://gre/");
GDB backtrace:
gdb /usr/src/blfs-src/firefox-51.0.1/my-build-dir/dist/bin/xpcshell
[...]
(gdb) r -g /usr/src/blfs-src/firefox-51.0.1/my-build-dir/dist/bin/ -a /usr/src/blfs-src/firefox-51.0.1/my-build-dir/dist/bin/ -f /usr/src/blfs-src/firefox-51.0.1/toolkit/mozapps/installer/precompile_cache.js -e 'precompile_startupcache("resource://gre/")'
[...]
resource://gre/modules/addons/SpellCheckDictionaryBootstrap.js
resource://gre/modules/addons/WebExtensionBootstrap.js
resource://gre/modules/addons/XPIProvider.jsm
Program received signal SIGSEGV, Segmentation fault.
js::TypedArrayObject::setElement (obj=..., index=0, d=0.21720764288049021) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/TypedArrayObject.cpp:2433
2433 Float64Array::setIndexValue(obj, index, d);
(gdb) bt
#0 js::TypedArrayObject::setElement (obj=..., index=0, d=0.21720764288049021) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/TypedArrayObject.cpp:2433
#1 0x4349158d in SetDenseOrTypedArrayElement (cx=cx@entry=0x496f1000, obj=obj@entry=..., index=0, v=..., result=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/NativeObject.cpp:2311
#2 0x434a8397 in SetExistingProperty (cx=cx@entry=0x496f1000, obj=..., obj@entry=..., id=id@entry=..., v=..., receiver=..., pobj=..., shape=..., result=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/NativeObject.cpp:2346
#3 0x434a8b43 in js::NativeSetProperty (cx=0x496f1000, obj=..., id=..., value=..., receiver=..., qualified=js::Qualified, result=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/NativeObject.cpp:2432
#4 0x43452c57 in js::SetProperty (cx=0x496f1000, obj=..., id=..., v=..., receiver=..., result=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/NativeObject.h:1546
#5 0x4349c3c1 in SetObjectElementOperation (pc=0x0, script=0x0, strict=<optimized out>, receiver=..., value=..., id=..., obj=..., cx=0x496f1000) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:1495
#6 Interpret (cx=cx@entry=0x496f1000, state=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:2802
#7 0x434a288a in js::RunScript (cx=0x496f1000, state=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:404
#8 0x434a2d81 in js::InternalCallOrConstruct (cx=0x496f1000, args=..., construct=js::NO_CONSTRUCT) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:476
#9 0x434a2e0e in InternalCall (cx=cx@entry=0x496f1000, args=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:503
#10 0x434a2eb8 in js::CallFromStack (cx=0x496f1000, args=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:509
#11 0x4349cc90 in Interpret (cx=cx@entry=0x496f1000, state=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:2922
#12 0x434a288a in js::RunScript (cx=0x496f1000, state=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:404
#13 0x434aa892 in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=<optimized out>) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:685
#14 0x434aa96c in js::Execute (cx=0x496f1000, script=..., envChainArg=..., rval=0x0) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:718
#15 0x4332533d in ExecuteScript (cx=cx@entry=0x496f1000, scope=..., scope@entry=..., script=..., script@entry=..., rval=0x0) at /usr/src/blfs-src/firefox-51.0.1/js/src/jsapi.cpp:4314
#16 0x4332a597 in JS_ExecuteScript (cx=0x496f1000, scriptArg=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/jsapi.cpp:4347
#17 0x40bb804e in mozJSComponentLoader::ObjectForLocation (this=<optimized out>, aInfo=..., aComponentFile=<optimized out>, aObject=..., aTableScript=..., aLocation=<optimized out>, aPropagateExceptions=<optimized out>,
aException=...) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/loader/mozJSComponentLoader.cpp:944
#18 0x40bba3a8 in mozJSComponentLoader::ImportInto (this=0x496ef880, aLocation=..., targetObj=..., callercx=0x496f1000, vp=...) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/loader/mozJSComponentLoader.cpp:1175
#19 0x40bbaf65 in mozJSComponentLoader::Import (this=0x496ef880, registryLocation=..., targetValArg=..., cx=0x496f1000, optionalArgc=1 '\001', retval=...)
at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/loader/mozJSComponentLoader.cpp:1051
#20 0x40bc3a55 in nsXPCComponents_Utils::Import (this=0x4b2dada0, registryLocation=..., targetObj=..., cx=0x496f1000, optionalArgc=1 '\001', retval=...) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCComponents.cpp:2502
#21 0x4048bd7c in NS_InvokeByIndex () from /lib/libxul.so
#22 0x40c0d12a in Invoke (this=0xbfffedb0) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCWrappedNative.cpp:2059
#23 Call (this=0xbfffedb0) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCWrappedNative.cpp:1378
#24 XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCWrappedNative.cpp:1345
#25 0x40c110cb in XPC_WN_CallMethod (cx=0x496f1000, argc=2, vp=0x4b272148) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:999
#26 0x434a2bb0 in CallJSNative (args=..., native=<optimized out>, cx=0x496f1000) at /usr/src/blfs-src/firefox-51.0.1/js/src/jscntxtinlines.h:235
#27 js::InternalCallOrConstruct (cx=0x496f1000, args=..., construct=js::NO_CONSTRUCT) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:458
#28 0x434a2e0e in InternalCall (cx=cx@entry=0x496f1000, args=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:503
#29 0x434a2eb8 in js::CallFromStack (cx=0x496f1000, args=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:509
#30 0x4349cc90 in Interpret (cx=cx@entry=0x496f1000, state=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:2922
#31 0x434a288a in js::RunScript (cx=0x496f1000, state=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:404
#32 0x434aa892 in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=<optimized out>) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:685
#33 0x434aa96c in js::Execute (cx=0x496f1000, script=..., envChainArg=..., rval=0xbffff5f0) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/Interpreter.cpp:718
#34 0x43329b3f in Evaluate (cx=cx@entry=0x496f1000, scopeKind=scopeKind@entry=js::Global, env=env@entry=..., optionsArg=..., srcBuf=..., rval=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/jsapi.cpp:4404
#35 0x4332a76c in JS::Evaluate (cx=0x496f1000, options=..., bytes=0xbffffc25 "precompile_startupcache(\"resource://gre/\")", length=<optimized out>, rval=...) at /usr/src/blfs-src/firefox-51.0.1/js/src/jsapi.cpp:4456
#36 0x40be3052 in ProcessArgs (jsapi=..., argv=argv@entry=0xbffff998, argc=argc@entry=4, aDirProvider=0xbffff838) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCShellImpl.cpp:1097
#37 0x40be876a in XRE_XPCShellMain (argc=4, argv=0xbffff998, envp=0xbffff9ac, aShellData=0xbffff8bf) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/src/XPCShellImpl.cpp:1563
#38 0x0804b9cc in main (argc=<optimized out>, argv=<optimized out>, envp=0xbffff9ac) at /usr/src/blfs-src/firefox-51.0.1/js/xpconnect/shell/xpcshell.cpp:62
(gdb) p obj
$1 = (js::TypedArrayObject &) @0x4ae05be8: {<js::NativeObject> = {<js::ShapedObject> = {<JSObject> = {<js::gc::Cell> = {<No data fields>},
group_ = {<js::WriteBarrieredBase<js::ObjectGroup*>> = {<js::BarrieredBase<js::ObjectGroup*>> = {<js::BarrieredBaseMixins<js::ObjectGroup*>> = {<No data fields>}, value = 0x4db0dc70}, <No data fields>}, <No data fields>},
static TraceKind = JS::Object, static MaxTagBits = 3, static ITER_CLASS_NFIXED_SLOTS = 1, static MAX_BYTE_SIZE = 144},
shape_ = {<js::WriteBarrieredBase<js::Shape*>> = {<js::BarrieredBase<js::Shape*>> = {<js::BarrieredBaseMixins<js::Shape*>> = {<No data fields>}, value = 0x4db12f88}, <No data fields>}, <No data fields>}}, slots_ = 0x0,
elements_ = 0x43c620c8, static SLOT_CAPACITY_MIN = 8, static MAX_SLOTS_COUNT = 268435455, static MAX_FIXED_SLOTS = 16, static MAX_DENSE_ELEMENTS_ALLOCATION = 268435455, static MAX_DENSE_ELEMENTS_COUNT = 268435453,
static MIN_SPARSE_INDEX = 1000, static SPARSE_DENSITY_RATIO = 8}, static BUFFER_SLOT = 0, static LENGTH_SLOT = 1, static BYTEOFFSET_SLOT = 2, static RESERVED_SLOTS = 3, static DATA_SLOT = 3, static classes = {{
name = 0x43c6f603 "Int8Array", flags = 1562379011, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559ae60 <TypedArrayObjectClassSpecs>, ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0,
static NON_NATIVE = 262144}, {name = 0x43933310 "Uint8Array", flags = 1629487875, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559ae80 <TypedArrayObjectClassSpecs+32>, ext = 0x4559af80 <TypedArrayClassExtension>,
oOps = 0x0, static NON_NATIVE = 262144}, {name = 0x43c6f60d "Int16Array", flags = 1696596739, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559aea0 <TypedArrayObjectClassSpecs+64>,
ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0, static NON_NATIVE = 262144}, {name = 0x43c6f618 "Uint16Array", flags = 1763705603, cOps = 0x4559afa0 <TypedArrayClassOps>,
spec = 0x4559aec0 <TypedArrayObjectClassSpecs+96>, ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0, static NON_NATIVE = 262144}, {name = 0x43c6f624 "Int32Array", flags = 1830814467,
cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559aee0 <TypedArrayObjectClassSpecs+128>, ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0, static NON_NATIVE = 262144}, {name = 0x43c6f62f "Uint32Array",
flags = 1897923331, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559af00 <TypedArrayObjectClassSpecs+160>, ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0, static NON_NATIVE = 262144}, {
name = 0x4397a69c "Float32Array", flags = 1965032195, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559af20 <TypedArrayObjectClassSpecs+192>, ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0,
static NON_NATIVE = 262144}, {name = 0x4397a6ab "Float64Array", flags = 2032141059, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559af40 <TypedArrayObjectClassSpecs+224>, ext = 0x4559af80 <TypedArrayClassExtension>,
oOps = 0x0, static NON_NATIVE = 262144}, {name = 0x4393cabd "Uint8ClampedArray", flags = 2099249923, cOps = 0x4559afa0 <TypedArrayClassOps>, spec = 0x4559af60 <TypedArrayObjectClassSpecs+256>,
ext = 0x4559af80 <TypedArrayClassExtension>, oOps = 0x0, static NON_NATIVE = 262144}}, static protoClasses = <same as static member of an already seen type>, static sharedTypedArrayPrototypeClass = {name = 0x438e95eb "???",
flags = 2952790016, cOps = 0x0, spec = 0x4559b020 <TypedArrayObjectSharedTypedArrayPrototypeClassSpec>, ext = 0x0, oOps = 0x0, static NON_NATIVE = 262144}, static FIXED_DATA_START = 4, static INLINE_BUFFER_LIMIT = 96,
static SINGLETON_BYTE_LENGTH = 10485760, static protoFunctions = 0x4559b0c0 <js::TypedArrayObject::protoFunctions>, static protoAccessors = 0x4559b2e0 <js::TypedArrayObject::protoAccessors>,
static staticFunctions = <same as static member of an already seen type>, static staticProperties = <same as static member of an already seen type>}
A backtrace with a debug build reveals some more: we end in js/src/jit/none/AtomicOperations-none.h:104 with MOZ_CRASH();
I am not a C++ developer but it looks to me like we should have never hit that function in the none architecture:
resource://gre/modules/addons/SpellCheckDictionaryBootstrap.js
resource://gre/modules/addons/WebExtensionBootstrap.js
resource://gre/modules/addons/XPIProvider.jsm
Program received signal SIGSEGV, Segmentation fault.
0xb3e30ee9 in js::jit::AtomicOperations::storeSafeWhenRacy<double> (addr=0xa4b05c18, val=0.81201686073004709)
at /usr/src/blfs-src/firefox-51.0.1/js/src/jit/none/AtomicOperations-none.h:104
104 MOZ_CRASH();
(gdb) bt
#0 0xb3e30ee9 in js::jit::AtomicOperations::storeSafeWhenRacy<double> (addr=0xa4b05c18, val=0.81201686073004709)
at /usr/src/blfs-src/firefox-51.0.1/js/src/jit/none/AtomicOperations-none.h:104
#1 0xb3e2f004 in js::jit::AtomicOperations::storeSafeWhenRacy<double> (addr=..., val=0.81201686073004709) at /usr/src/blfs-src/firefox-51.0.1/js/src/jit/AtomicOperations.h:230
#2 0xb3e8a4c7 in (anonymous namespace)::TypedArrayObjectTemplate<double>::setIndex (tarray=..., index=0, val=0.81201686073004709)
at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/TypedArrayObject.cpp:997
#3 0xb3e81700 in (anonymous namespace)::TypedArrayObjectTemplate<double>::setIndexValue (tarray=..., index=0, d=0.81201686073004709)
at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/TypedArrayObject.cpp:430
#4 0xb3e698f8 in js::TypedArrayObject::setElement (obj=..., index=0, d=0.81201686073004709) at /usr/src/blfs-src/firefox-51.0.1/js/src/vm/TypedArrayObject.cpp:2433
Comment 2 (8 years ago)
What is happening here is that the atomic operations by their nature *cannot* be platform independent, and so even if you are compiling with the none platform you must supply an implementation of these primitives for the hardware that you intend to be running the JS engine on.
If you look at the end of js/src/jit/AtomicOperations.h there is a nasty #ifdef nest that accomplishes exactly this. In the case for JS_CODEGEN_NONE there are additional #ifdefs that select (supposedly) correct files for specific platforms when you don't use the JIT. You probably need to add a case for x86 here. Since you're on Linux it's probably easiest for you to just include jit/none/AtomicOperations-ppc.h, which is not "correct" for any platform but happens to work.
(Closing as "WONTFIX" not because you're not having a problem but because this is really working as designed.)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX