514645 - signal BUS (invalid address alignment) with SPARCV9 64bit Firefox

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Ginn Chen]

start SPARC V9 64bit firefox (NANOJIT is not enabled.)
it will core with signal BUS.

I think the root cause is JSUpvarArray.vector[] is array of uint32.
So pointer to regexp can be 64-bit misaligned.

Recompile js/src with -misalign flag can get around.
But the performance would not be good.

Comment 1

[Brendan Eich [:brendan]]

Attachment: proposed fix

Ginn, thanks for reporting. Could you please test this patch, and if it works, with igor's r+ land it? If you could then please also take assignment of the bug. Thanks again,

/be

Comment 2

[Brendan Eich [:brendan]]

I had the patch hiding in my q, so committed:

http://hg.mozilla.org/tracemonkey/rev/4c38883a0438

/be

Comment 3

[Ginn Chen]

Brendan, thanks for the fix. Firefox starts without BUS signal with it.

But, sizeof(JSTryNote) == 3 * sizeof(uint32), would it be a problem?

Comment 4

[Brendan Eich [:brendan]]

(In reply to comment #3)
> Brendan, thanks for the fix. Firefox starts without BUS signal with it.
> 
> But, sizeof(JSTryNote) == 3 * sizeof(uint32), would it be a problem?

No. The fix sorts allocations in non-increasing alignment grain order, so we both pack efficiently and avoid misaligning wider types.

/be

Comment 5

[Ginn Chen]

Ah, you're definitely right.
I misread the code.

Comment 6

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/mozilla-central/rev/4c38883a0438

Comment 7

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/052157edb993