
Bug#759395: marked as done (libmozjs185-1.0: SIGBUS on sparc under certain conditions)



Your message dated Sat, 31 Mar 2018 03:51:38 +0000
with message-id <E1f27YI-0007kr-5n@fasolo.debian.org>
and subject line Bug#894238: Removed package(s) from unstable
has caused the Debian Bug report #759395,
regarding libmozjs185-1.0: SIGBUS on sparc under certain conditions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
759395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759395
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libmozjs185-1.0
Version: 1.8.5-1.0.0+dfsg-4.1
Severity: normal

Hi, I encountered this through the package tests in cjs.  This piece of code,
when run with cjs on sparc, causes a SIGBUS:

===
const Lang = imports.lang;
const Accessor  = new Lang.Class({
    Name: 'AccessorMagic',

    _init: function(val) {
        this._val = val;
    },

    get value() {
        return this._val;
    },
    set value(val) {
        _error = new Error();
        return;
    }
});
var a = new Accessor(44);
a.value = 8;
===

The problem goes away if the error is not created in the setter. I added debug
symbols and debugged this on a sparc host and came up with the following stack
trace:

#0  0xf7d7d208 in js::Invoke (cx=0x74b00, argsRef=0xffff1018, flags=<unknown type>) at jsinterp.cpp:692
#1  0xf7d6846c in js::Interpret (cx=0x74b00, entryFrame=0xf6724228, inlineCallCount=<unknown type>, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:4810
#2  0xf7d7d020 in js::RunScript (cx=0x74b00, script=0xdb2a0, fp=0xf6724228) at jsinterp.cpp:653
#3  0xf7d7dd8c in js::Invoke (cx=0x74b00, argsRef=0xffff2db0, flags=<unknown type>) at jsinterp.cpp:740
#4  0xf7d231ac in js::CallOrConstructBoundFunction (cx=0x74b00, argc=<unknown type>, vp=0xf67241c0) at jsfun.cpp:2319
#5  0xf7d7d410 in js::Invoke (cx=0x74b00, argsRef=0xffff3188, flags=<unknown type>) at jscntxtinlines.h:701
#6  0xf7cb61a8 in js::InvokeSessionGuard::invoke(JSContext*) const () at ./dist/include/LIR.h:268

The line in the first frame is:
		if (!clasp->call) {

The problem is that the variable clasp has a value of 0x2, which would normally
cause a segfault, but it's causing a sigbus due to alignment issues.

I've tried to follow the code around to try to find out when it's set to this
incorrect value, but I couldn't find it yet.

These are the lines where the local variable is set:

    JSObject &callee = args.callee().toObject();
    Class *clasp = callee.getClass();

callee is args.argv_[-2]
toObject returns the data.s.payload.obj member.

When not broken, we get:
(gdb) p args.argv_[-2]
$1 = {data = {asBits = 4133512120, s = {tag = <unknown type>, payload = {i32 = -161455176, u32 = <unknown type>, boo = -161455176,
        str = 0xf66063b8, obj = 0xf66063b8, ptr = 0xf66063b8, why = 4133512120, word = <unknown type>}}, asDouble = -nan(0xf0007f66063b8),
    asPtr = 0xffff0007}}

(gdb) p *(args.argv_[-2].data.s.payload.obj)
$2 = {Cell = {CellShift = <optimized out or zero length>, CellSize = <optimized out or zero length>, CellMask = <optimized out or zero length>}, {
    lastProp = 0x86d58, map = 0x86d58}, clasp = 0xf7fc6c20 <js_FunctionClass>, flags = <unknown type>, objShape = <unknown type>, emptyShapes = 0x0,
  proto = 0xf6603050, parent = 0xf660b1b0, privateData = 0xf6610d20, capacity = <unknown type>, slots = 0xf66063e0,

When broken:
(gdb) p args.argv_[-2]
$3 = {data = {asBits = 552280, s = {tag = <unknown type>, payload = {i32 = 552280, u32 = <unknown type>, boo = 552280, str = 0x86d58, 
        obj = 0x86d58, ptr = 0x86d58, why = 552280, word = <unknown type>}}, asDouble = -nan(0xf000700086d58), asPtr = 0xffff0007}}
(gdb) p *(args.argv_[-2].data.s.payload.obj)
$4 = {Cell = {CellShift = <optimized out or zero length>, CellSize = <optimized out or zero length>, CellMask = <optimized out or zero length>}, {
    lastProp = 0x17, map = 0x17}, clasp = 0x2, flags = <unknown type>, objShape = <unknown type>, emptyShapes = 0xf7fc6c20 <js_FunctionClass>, 
  proto = 0x0, parent = 0xffffffff, privateData = 0x20000, capacity = <unknown type>, slots = 0xc2921, 

I'll try to keep looking into this and follow-up if I find anything interesting.

-- 
Regards,
Marga

--- End Message ---
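The gdb dumps above show each jsval as a 64-bit word: on big-endian sparc the `asPtr` member overlays the tag word (0xffff0007) and `obj` is the low payload word, and `asDouble = -nan(0xf0007f66063b8)` confirms the full value 0xffff0007f66063b8. The following decoder is an added example, not code from the report or from SpiderMonkey; the tag constants are assumed from the 32-bit "nunboxing" layout of jsval.h in 1.8.5, and the alignment widths (8 for a GC cell, 4 for a `Class *`) are assumptions for a 32-bit target.

```python
"""Decode SpiderMonkey 1.8.5 32-bit NaN-boxed jsvals as seen in gdb."""
import struct

# Assumed from the 1.8.5 jsval.h 32-bit layout: a 32-bit tag in the high
# word, a 32-bit payload in the low word. Any tag word at or below
# JSVAL_TAG_CLEAR means the whole 64 bits are an ordinary double.
JSVAL_TAG_CLEAR = 0xFFFF0000
JSVAL_TYPES = {
    0x01: "int32", 0x02: "undefined", 0x03: "boolean", 0x04: "magic",
    0x05: "string", 0x06: "null", 0x07: "object",
}


def jsval_from_gdb(tag_word, payload_word):
    """Rebuild the 64-bit jsval from the two words gdb prints (asPtr, obj)."""
    return ((tag_word & 0xFFFFFFFF) << 32) | (payload_word & 0xFFFFFFFF)


def decode_jsval(bits):
    """Return (type name, payload) for a 64-bit jsval."""
    tag, payload = bits >> 32, bits & 0xFFFFFFFF
    if tag <= JSVAL_TAG_CLEAR:
        # Not a boxed value: reinterpret all 64 bits as an IEEE double.
        return "double", struct.unpack(">d", bits.to_bytes(8, "big"))[0]
    jstype = JSVAL_TYPES.get(tag & 0xFFFF)
    if jstype is None:
        raise ValueError("unknown jsval tag 0x%08x" % tag)
    if jstype == "int32":
        # int32 payloads are signed; the raw word needs sign extension.
        payload = struct.unpack(">i", payload.to_bytes(4, "big"))[0]
    return jstype, payload


def is_aligned(ptr, align):
    """True when ptr is a multiple of align. On strict-alignment hardware
    such as sparc a misaligned load faults with SIGBUS instead of the
    SIGSEGV a near-null pointer gives elsewhere, which is why a clasp of
    0x2 dies the way the report shows."""
    return ptr % align == 0


def analyse_callee(tag_word, payload_word, clasp):
    """Summarise one frame: the boxed callee and the Class* read from it."""
    jstype, obj = decode_jsval(jsval_from_gdb(tag_word, payload_word))
    return {
        "type": jstype,
        "obj": obj,
        "obj_cell_aligned": is_aligned(obj, 8),   # assumed GC cell alignment
        "clasp_aligned": is_aligned(clasp, 4),    # assumed Class* alignment
    }
```

Feeding the two dumps from the report gives an object payload in both cases (0xf66063b8 and 0x86d58, both cell-aligned), so the boxing itself is intact; only the `clasp` read from the second object (0x2) fails the alignment check.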
--- Begin Message ---
Version: 1.8.5-1.0.0+dfsg-8+rm

Dear submitter,

as the package mozjs has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/894238

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---