Closed Bug 2024326 Opened 1 month ago Closed 1 month ago

mozjs SIGBUS on armhf

Categories

(Core :: JavaScript Engine, defect, P2)

Firefox 140
defect


RESOLVED FIXED
151 Branch
Tracking Status
firefox151 --- fixed

People

(Reporter: ales.astone, Assigned: ales.astone)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 2 obsolete files)

Steps to reproduce:

mozjs (downstream SpiderMonkey in shared-library form) crashes with SIGBUS on armhf due to a memory alignment issue in ConditionVariableImpl

stacktrace:
#0 0xb5091ffc in __atomic_wide_counter_fetch_add_acquire (c=0x4288bc, val=2) at ../include/atomic_wide_counter.h:50
#1 __condvar_fetch_add_wseq_acquire (cond=0x4288bc, val=2) at pthread_cond_common.c:40
#2 __pthread_cond_wait_common (cond=0x4288bc, mutex=0xb6fc3738 <js::gHelperThreadLock>, clockid=0, abstime=0x0) at pthread_cond_wait.c:350
#3 ___pthread_cond_wait (cond=0x4288bc, mutex=0xb6fc3738 <js::gHelperThreadLock>) at pthread_cond_wait.c:453
#4 0xb5bd99f4 in mozilla::detail::ConditionVariableImpl::wait (this=this@entry=0x4288bc, lock=...) at /usr/src/mozjs140-140.7.0-2/mozglue/misc/ConditionVariable_posix.cpp:106
#5 0xb54f5bd6 in js::ConditionVariable::wait (this=0x4288bc, lock=...) at /usr/src/mozjs140-140.7.0-2/js/src/threading/ConditionVariable.h:52
#6 js::ConditionVariable::wait (this=0x4288bc, lock=...) at /usr/src/mozjs140-140.7.0-2/js/src/threading/ConditionVariable.h:58
#7 js::HelperThread::threadLoop (this=this@entry=0x4288b0, pool=pool@entry=0x4262d0) at /usr/src/mozjs140-140.7.0-2/js/src/vm/InternalThreadPool.cpp:316
#8 0xb54f5c36 in js::HelperThread::ThreadMain (pool=0x4262d0, helper=0x4288b0) at /usr/src/mozjs140-140.7.0-2/js/src/vm/InternalThreadPool.cpp:251
#9 0xb54f06f2 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::callMain<0u, 1u> (this=0x428900) at /usr/src/mozjs140-140.7.0-2/js/src/threading/Thread.h:228
#10 js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start (aPack=0x428900) at /usr/src/mozjs140-140.7.0-2/js/src/threading/Thread.h:217
#11 0xb50926f8 in start_thread (arg=0xb44003a0) at pthread_create.c:454
#12 0xb50e6978 in ?? () at ../sysdeps/unix/sysv/linux/arm/clone3.S:71 from /usr/lib/arm-linux-gnueabihf/libc.so.6

This assert is valuable as it ensures that the platformData_ size does not get
truncated because of the integer division
sizeof(pthread_cond_t) / sizeof(void*)
but it does not actually verify the alignment.

platformData_ is defined as a void*[] but it will be used to hold a
pthread_mutex_t/pthread_cond_t. We must ensure that its address is aligned
the same way as (or stricter than) a pthread_mutex_t/pthread_cond_t.

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → JavaScript Engine
Product: Firefox → Core

I have patches here: https://phabricator.services.mozilla.com/D288470, https://phabricator.services.mozilla.com/D288470
So far untested, waiting for the armhf builders in launchpad.net

Assignee: nobody → ales.astone
Attachment #9554282 - Attachment description: WIP: Bug 2024326 - Mutex,ConditionVariable: Clear up misleading comment about alignment → Bug 2024326 - Mutex,ConditionVariable: Clear up misleading comment about alignment r=jandem,glandium
Status: NEW → ASSIGNED
Attachment #9554283 - Attachment description: WIP: Bug 2024326 - Mutex,ConditionVariable: Ensure alignment of platformData → Bug 2024326 - Mutex,ConditionVariable: Ensure alignment of platformData r=jandem,glandium
Blocks: SpiderMonkey
Severity: -- → S3
Priority: -- → P2

Declaring the variable as (void*)[] does not guarantee proper alignment to
hold a pthread_mutex_t/pthread_cond_t.
Since we're already including pthread.h, make the variable actually hold the
wanted type. Here we keep using an array of size 1 to satisfy existing
expectations that the name platformData_ is an array.

Forwarded: https://phabricator.services.mozilla.com/D288470
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=2024326
Bug-Ubuntu: https://launchpad.net/bugs/2144310
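The two commit messages above make the same point from both sides: a size-only static_assert on a `void*[]` backing store says nothing about alignment, and the fix is to let the storage have the type it will hold. The following added example (written for this page, not code from mozglue or the patches) makes that check concrete. The `VoidPtrStorage` shape is assumed from the description in the comments, not copied from the source; `StrictCond` is a constructed stand-in for a platform whose condition variable type is more strictly aligned than `void*`, which is the armhf situation, so the mismatch reproduces on any host. The address test at the end uses the `cond=0x4288bc` from the trace, which is 4-byte but not 8-byte aligned.

```cpp
#include <cstddef>
#include <cstdint>
#include <pthread.h>

// Constructed stand-in for the armhf case: a condition-variable-like type
// whose alignment (forced here to twice that of void*) is stricter than
// void*'s, as glibc's pthread_cond_t with its 64-bit __atomic_wide_counter
// is on 32-bit ARM. This is not glibc's real layout.
struct alignas(2 * alignof(void*)) StrictCond {
  unsigned char bytes[4 * sizeof(void*)];
};

// The shape the bug describes (assumed from the comments, not copied from
// mozglue): void* storage sized by integer division and asserted on size
// only. The size assert passes; nothing constrains the alignment.
template <typename T>
struct VoidPtrStorage {
  static_assert(sizeof(void*) * (sizeof(T) / sizeof(void*)) == sizeof(T),
                "platformData_ size truncated by integer division");
  void* platformData_[sizeof(T) / sizeof(void*)];
};

// The fix from the commit message: hold the wanted type itself, keeping an
// array of size 1 so that platformData_ remains an array.
template <typename T>
struct TypedStorage {
  T platformData_[1];
};

// What the existing assert checks: size only.
template <typename T, typename Storage>
constexpr bool sizeCheckPasses() {
  return sizeof(Storage) == sizeof(T);
}

// The check that was missing: the storage must be aligned at least as
// strictly as the type it will hold.
template <typename T, typename Storage>
constexpr bool alignmentGuaranteed() {
  return alignof(Storage) >= alignof(T);
}

// Embedding the storage after a smaller field, the way the condition
// variable sits inside a larger object (HelperThread at 0x4288b0, its
// condvar at 0x4288bc in the trace), shows the practical consequence: the
// member offset is only a multiple of alignof(void*), so the object can be
// placed at an address unusable for T.
struct VoidPtrHolder {
  unsigned int header;
  VoidPtrStorage<StrictCond> cond;
};
struct TypedHolder {
  unsigned int header;
  TypedStorage<StrictCond> cond;
};

inline std::size_t voidPtrMemberOffset() { return offsetof(VoidPtrHolder, cond); }
inline std::size_t typedMemberOffset() { return offsetof(TypedHolder, cond); }

// Whether this host's void* storage happens to suffice for the real
// pthread_cond_t: true where alignof(void*) >= alignof(pthread_cond_t)
// (typical x86-64), false on armhf.
inline bool hostVoidPtrStorageSufficientForCond() {
  return alignmentGuaranteed<pthread_cond_t, VoidPtrStorage<pthread_cond_t>>();
}

// Runtime form of the same test for a concrete address.
inline bool addressAlignedFor(const void* p, std::size_t align) {
  return reinterpret_cast<std::uintptr_t>(p) % align == 0;
}
```

A static_assert(alignof(Storage) >= alignof(T)) next to the existing size assert would have turned the SIGBUS into a compile error on armhf; declaring the member with the real type, as the landed patch does, makes that assert a tautology.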

Attachment #9554282 - Attachment is obsolete: true
Attachment #9554788 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 151 Branch
QA Whiteboard: [qa-triage-done-c152/b151]