Bug#688086: Analysis

Jurij Smakov jurij at wooyd.org
Sun Sep 30 20:41:12 UTC 2012 

I don't see iceape crashing immediately on startup, but it's fairly 
common for it to crash on any site which uses Javascript, so I'll 
assume that this is the bug you see, lacking other information. I 
tried iceweasel (10.0.7esr-2) and it crashes in exactly the same way.

Here's a backtrace:

#0  updateLastPath (label=..., linker=..., this=0xee1544c4) at 
/build/buildd-iceweasel_10.0.7esr-2-sparc-752pBb/iceweasel-10.0.7esr/js/src/methodjit/PolyIC.h:437
#1  SetPropCompiler::generateStub (this=0xffcd3ddc, initialShape=<optimized out>, shape=<optimized out>, adding=<optimized out>)    at /build/buildd-iceweasel_10.0.7esr-2-sparc-752pBb/iceweasel-10.0.7esr/js/src/methodjit/PolyIC.cpp:502
#2  0xf741d748 in SetPropCompiler::update (this=0xffcd3ddc) at /build/buildd-iceweasel_10.0.7esr-2-sparc-752pBb/iceweasel-10.0.7esr/js/src/methodjit/PolyIC.cpp:668
#3  0xf74124b4 in js::mjit::ic::SetProp (f=..., pic=0xee1544c4)    at /build/buildd-iceweasel_10.0.7esr-2-sparc-752pBb/iceweasel-10.0.7esr/js/src/methodjit/PolyIC.cpp:2058
#4  0xf746ce94 in JaegerStubVeneer () at /build/buildd-iceweasel_10.0.7esr-2-sparc-752pBb/iceweasel-10.0.7esr/js/src/methodjit/TrampolineSparc.s:164
#5  0xf746ce94 in JaegerStubVeneer () at /build/buildd-iceweasel_10.0.7esr-2-sparc-752pBb/iceweasel-10.0.7esr/js/src/methodjit/TrampolineSparc.s:164
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

The disassembled portion of updateLastPath where the crash happens:

   0xf741c764 <+2436>:  ldd  [ %fp + -1512 ], %g2
   0xf741c768 <+2440>:  ld  [ %g1 + 0x14 ], %g4
=> 0xf741c76c <+2444>:  std  %g2, [ %g1 + 0x30 ]

As far as I can tell, it translates to the following line of code in 
js/src/methodjit/PolyIC.h (struct PICInfo):

lastStubStart = JITCode(loc.executableAddress(), linker.size());

JITCode is a class which has two word-size members, m_start (pointer) 
and m_size (size_t). Compiler tries to store it as a double-word in 
one instruction, and this is only possible if the lastStubStart is 
8-bytes aligned. Offset of lastStubStart into struct PICInfo is 0x30 
(as can be seen above), so in order for it to be 8-bytes aligned, the 
whole PICInfo structure needs to be 8-bytes aligned. This is clearly 
not the case, this=0xee1544c4 passed to updateLastPath is PICInfo 
structure's address, and it's only 4-bytes aligned.

Trying to track down the place where PICInfo is allocated violating 
alignment requirements, I found the mjit::Compiler::finishThisUp 
(in js/src/methodjit/Compiler.cpp) which tries to construct some 
complex data structure by computing its size as dataSize, allocating a 
chunk of memory for it, then manually stuffing objects there, 
including PICInfo:

    [...]
    ic::PICInfo *jitPics = (ic::PICInfo *)cursor;
    jit->nPICs = pics.length();
    cursor += sizeof(ic::PICInfo) * jit->nPICs;
    for (size_t i = 0; i < jit->nPICs; i++) {
        new (&jitPics[i]) ic::PICInfo();
        [...]

Not surprisingly, this goes wrong at some point, and PICInfo structure 
occasionally gets placed at an insufficiently aligned address - I was 
able to confirm that by inserting an fprintf statement there to print 
out the adresses of jitPics[i] and corresponding lastStubStart object.

I don't have a solid proof that this is the cause of the problem, but 
it seems pretty likely, as any attempt of "manual" memory management 
like this increases the probability that alignment requirements get 
violated. I suggest notifying the iceweasel maintainer and reporting 
this upstream, because I don't really see a simple way to fix it. 

Best regards,
-- 
Jurij Smakov                                           jurij at wooyd.org
Key: http://www.wooyd.org/pgpkey/                      KeyID: C99E03CC

More information about the pkg-mozilla-maintainers mailing list