Bug 645467 - Unaligned access causes random crashes on ARM Linux
Status: Closed, RESOLVED DUPLICATE of bug 634594
Opened 15 years ago, closed 15 years ago
Category: Core :: XPConnect, defect
Reporter: glandium; Assignee: Unassigned
I'm trying to get Firefox 4 to work on the Debian armel port (armv4t, GNU EABI, little endian). At the moment, since I haven't modified methodjit to compile on armv4t, the js engine is built with --disable-methodjit. (which means I can't be hitting bug 643760)
I'm hitting a whole lot of crashes, so I just took a random one to track. The stack trace is the following:
#0 from_utf16_loop_unaligned (step=<value optimized out>, data=<value optimized out>, inptrp=<value optimized out>,
inend=0xcef8002d <Address 0xcef8002d out of bounds>, outbufstart=0xbeaa4384, irreversible=0x425c6f80, do_flush=0,
consume_incomplete=-1096137852) at ../iconv/loop.c:332
#1 gconv (step=<value optimized out>, data=<value optimized out>, inptrp=<value optimized out>,
inend=0xcef8002d <Address 0xcef8002d out of bounds>, outbufstart=0xbeaa4384, irreversible=0x425c6f80, do_flush=0,
consume_incomplete=-1096137852) at ../iconv/skeleton.c:623
#2 0x425c6f80 in __gconv (cd=0x119f00, inbuf=0xbeaa5424, inbufend=0xcef8002d <Address 0xcef8002d out of bounds>,
outbuf=0xbeaa541c,
outbufend=0xbeaa43cc "\304e\247A\354C\252\276\210\b\301D\034T\252\276 T\252\276$T\252\276(T\252\276\004D\252\276",
irreversible=0xbeaa4384) at gconv.c:80
#3 0x425c6458 in iconv (cd=0x1ac00c, inbuf=0x2, inbytesleft=0xbeaa43f0, outbuf=0xbeaa541c, outbytesleft=0xbeaa43ec)
at iconv.c:53
#4 0x41a75f14 in xp_iconv (converter=0x119f00, input=0xbeaa5424, inputLeft=0xbeaa43f0, output=0xbeaa541c,
outputLeft=0xbeaa43ec) at ../../../xpcom/io/nsNativeCharsetUtils.cpp:162
#5 0x41a765c4 in nsNativeCharsetConverter::UnicodeToNative (this=0xbeaa5428, input=0xbeaa5424, inputLeft=0xbeaa5420,
output=0xbeaa541c, outputLeft=0xbeaa5418) at ../../../xpcom/io/nsNativeCharsetUtils.cpp:564
#6 0x41a768ec in NS_CopyUnicodeToNative (input=..., output=...) at ../../../xpcom/io/nsNativeCharsetUtils.cpp:861
#7 0x41a96430 in nsLocalFile::Append (this=0x2ccb30, node=...) at ../../../xpcom/io/nsLocalFileUnix.cpp:2001
#8 0x41acd624 in NS_InvokeByIndex_P (that=0x1ac00c, methodIndex=2, paramCount=3471835183, params=0xcef0002d)
at ../../../../../../../xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:247
#9 0x412f49d0 in Invoke (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
at ../../../../../js/src/xpconnect/src/xpcwrappednative.cpp:3124
#10 Call (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at ../../../../../js/src/xpconnect/src/xpcwrappednative.cpp:2390
#11 XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
at ../../../../../js/src/xpconnect/src/xpcwrappednative.cpp:2354
#12 0x41303918 in XPC_WN_CallMethod (cx=0x64360, argc=1, vp=0x4470c270)
at ../../../../../js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613
#13 0x421ff214 in CallJSNative (cx=0x64360, entryFrame=0x4470c1b8, inlineCallCount=1, interpMode=JSINTERP_NORMAL)
at ../../../js/src/jscntxtinlines.h:701
#14 js::Interpret (cx=0x64360, entryFrame=0x4470c1b8, inlineCallCount=1, interpMode=JSINTERP_NORMAL)
at ../../../js/src/jsinterp.cpp:4799
#15 0x422126f4 in js::RunScript (cx=0x64360, script=0x2cc518, fp=0x4470c1b8) at ../../../js/src/jsinterp.cpp:653
#16 0x42214e40 in js::Execute (cx=0x64360, chain=0x44c060a0, script=0x2cc518, prev=0x0, flags=0, result=0xbeaa8ee0)
at ../../../js/src/jsinterp.cpp:1028
#17 0x4213ae48 in JS_ExecuteScript (cx=0x64360, obj=0x44c060a0, script=0x2cc518, rval=0xbeaa8ee0)
at ../../../js/src/jsapi.cpp:5026
#18 0x0000c344 in Load (cx=0x64360, argc=1, vp=0x4470c170) at ../../../../../js/src/xpconnect/shell/xpcshell.cpp:499
#19 0x421ff214 in CallJSNative (cx=0x64360, entryFrame=0x4470c140, inlineCallCount=0, interpMode=JSINTERP_NORMAL)
at ../../../js/src/jscntxtinlines.h:701
#20 js::Interpret (cx=0x64360, entryFrame=0x4470c140, inlineCallCount=0, interpMode=JSINTERP_NORMAL)
at ../../../js/src/jsinterp.cpp:4799
#21 0x4215afe8 in js::InvokeSessionGuard::invoke (this=0xbeaac1c0, cx=0x64360) at ../../../js/src/jsinterpinlines.h:623
#22 0x4215796c in array_extra (cx=0x64360, mode=FOREACH, argc=3, vp=0x4470c100) at ../../../js/src/jsarray.cpp:2857
#23 0x42157c44 in array_forEach (cx=0x64360, argc=1, vp=0x4470c100) at ../../../js/src/jsarray.cpp:2914
#24 0x421ff214 in CallJSNative (cx=0x64360, entryFrame=0x4470c030, inlineCallCount=2, interpMode=JSINTERP_NORMAL)
at ../../../js/src/jscntxtinlines.h:701
#25 js::Interpret (cx=0x64360, entryFrame=0x4470c030, inlineCallCount=2, interpMode=JSINTERP_NORMAL)
at ../../../js/src/jsinterp.cpp:4799
#26 0x422126f4 in js::RunScript (cx=0x64360, script=0x2ef430, fp=0x4470c030) at ../../../js/src/jsinterp.cpp:653
#27 0x42214e40 in js::Execute (cx=0x64360, chain=0x44c060a0, script=0x2ef430, prev=0x0, flags=0, result=0xbeab06f0)
at ../../../js/src/jsinterp.cpp:1028
#28 0x4213ae48 in JS_ExecuteScript (cx=0x64360, obj=0x44c060a0, script=0x2ef430, rval=0xbeab06f0)
at ../../../js/src/jsapi.cpp:5026
#29 0x0000dbc0 in ProcessFile (cx=0x64360, obj=0x44c060a0, filename=0x0, file=0x426dc528, forceTTY=1)
at ../../../../../js/src/xpconnect/shell/xpcshell.cpp:1127
#30 0x0000de90 in Process (cx=0x64360, obj=0x44c060a0, filename=0x0, forceTTY=1)
at ../../../../../js/src/xpconnect/shell/xpcshell.cpp:1166
#31 0x0000e7d8 in ProcessArgs (cx=0x64360, obj=0x44c060a0, argv=0xbeab0a38, argc=18)
at ../../../../../js/src/xpconnect/shell/xpcshell.cpp:1334
#32 0x000102d0 in main (argc=18, argv=0xbeab0a38, envp=0xbeab0a84)
at ../../../../../js/src/xpconnect/shell/xpcshell.cpp:2013
(Note the args to NS_InvokeByIndex_P are mixed up, but they are irrelevant anyway)
The crash is due to access to 0xcef8002d which points to unmapped memory. And it turns out 0xcef8002d is nowhere in the values supposed to be used. In fact, the problem starts manifesting itself in NS_CopyUnicodeToNative, when doing input.BeginReading(iter):
(gdb) print input
$3 = (const nsAString_internal &) @0xbeaa5ade: {mData = 0x4002d, mLength = 65536, mFlags = 65536}
(gdb) print input.BeginReading(iter)
$4 = (nsAString_internal::const_iterator &) @0xbeaa5438: {mStart = 0xcef0002d, mEnd = 0xcef8002d, mPosition = 0xcef0002d}
This is due to the pointer to input not being properly aligned. 0x0cef is found at 0xbeaa5adc. This address (apparently on stack) seems to come from the js engine, but I'd need some guidance to know where that comes from exactly.
FWIW, the unit test being run is xpcshell/chrome/test/unit/test_bug519468.js, and I've also tried to disable JIT in runxpcshelltests.py, and to build with no optimization.
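The following C program is an added illustration and is not code from the bug or from Mozilla. It simulates what an ARMv4/ARMv5 core does when a compiler-generated LDR is executed against a non-word-aligned address with alignment checking disabled: the word at the address rounded down to a multiple of four is fetched and rotated right by 8 * (addr & 3). The sample memory is constructed; the three-word struct {mData, mLength, mFlags} is modelled on the nsAString_internal layout gdb printed above and is placed on a 2-byte but not 4-byte boundary, and the byte order is little-endian as on armel. The address 0xbeaa5ade is the one quoted in the report and is used only for the alignment check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample of 16 bytes of stack memory (little-endian, as on armel).
 * A three-word struct {mData, mLength, mFlags}, modelled on the
 * nsAString_internal layout shown in the bug, starts at byte offset 2, i.e.
 * 2-byte but not 4-byte aligned. Bytes 0-1 and 14-15 are unrelated junk. */
static const uint8_t kStack[16] = {
    0xAA, 0xBB,                   /* junk preceding the struct */
    0x40, 0x23, 0x01, 0x00,       /* mData   = 0x00012340 */
    0x05, 0x00, 0x00, 0x00,       /* mLength = 5 */
    0x10, 0x00, 0x00, 0x00,       /* mFlags  = 0x10 */
    0xCC, 0xDD                    /* junk following the struct */
};

/* Assemble a little-endian 32-bit word from four bytes, independent of host endianness. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What the compiler meant by the LDR: the word stored at exactly this address. */
static uint32_t load_word_expected(const uint8_t *mem, size_t addr) {
    return le32(mem + addr);
}

/* Simulated ARMv4/ARMv5 LDR with alignment checking off: fetch the word at the
 * address rounded down to 4, then rotate right by 8 * (addr & 3). Only the
 * bytes above the aligned address land where the compiler expects them; the
 * remaining bytes are whatever happens to precede the struct. */
static uint32_t load_word_armv4(const uint8_t *mem, size_t addr) {
    uint32_t w = le32(mem + (addr & ~(size_t)3));
    unsigned rot = (unsigned)(addr & 3) * 8;
    return rot ? (w >> rot) | (w << (32 - rot)) : w;
}

/* The check to apply before casting a pointer to a wider type or struct. */
static int is_aligned(uintptr_t addr, size_t align) {
    return (addr & (align - 1)) == 0;
}

int main(void) {
    size_t base = 2;                       /* misaligned struct base */
    const char *names[3] = {"mData", "mLength", "mFlags"};
    for (size_t i = 0; i < 3; i++) {
        size_t a = base + 4 * i;
        printf("%-7s expected 0x%08x  armv4 unaligned load 0x%08x\n",
               names[i],
               (unsigned)load_word_expected(kStack, a),
               (unsigned)load_word_armv4(kStack, a));
    }
    /* The address from the report is 2-byte aligned only. */
    printf("0xbeaa5ade is 4-byte aligned: %d\n", is_aligned(0xbeaa5adeu, 4));
    return 0;
}
```

With this sample, mData comes back as 0xBBAA2340 instead of 0x00012340 (low half right, high half taken from the bytes before the struct), mLength becomes 0x00010005, and mFlags happens to read correctly, which is why such corruption looks random rather than systematic. On a real armel box the quickest way to catch the first offending instruction instead of a later symptom is to make user-space unaligned accesses fault: writing 5 to /proc/cpu/alignment (signal plus warn) delivers SIGBUS at the misaligned load, so gdb stops on the cast rather than inside iconv.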
Comment 1 (Reporter, 15 years ago)
Actually, this might just be a xpconnect issue.
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Updated by Reporter, 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE