Bug#674908: Testing with newer iceweasel

Jurij Smakov jurij at wooyd.org
Sun Feb 3 17:24:45 UTC 2013


Hi Hideki,

I've tried the "release" version from mozilla.debian.net today:

jurij at debian:~$ dpkg -l | grep iceweasel
ii  iceweasel                                14.0.1-2                     sparc        Web browser based on Firefox
ii  iceweasel-dbg                            14.0.1-2                     sparc        debugging symbols for iceweasel

Unfortunately, it performs even worse than the current wheezy version, 
crashing immediately on startup:

jurij at debian:~$ iceweasel
Xlib:  extension "RANDR" missing on display ":1.0".
Bus error (core dumped)

Stack trace (first ten frames):

Core was generated by `/usr/lib/iceweasel/firefox-bin'.
Program terminated with signal 10, Bus error.
#0  PushOff (ss=0xffede2d8, off=3, op=JSOP_NAME, pc=0xefbe356a ";") at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp:1458
1458    /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp: No such file or directory.
(gdb) bt
#0  PushOff (ss=0xffede2d8, off=3, op=JSOP_NAME, pc=0xefbe356a ";") at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp:1458
#1  0xf768c3b8 in Decompile (ss=<optimized out>, pc=0xefbe356a ";", nb=10) at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp:5356
#2  0xf7695eec in DecompileCode (jp=0xebc43ac0, script=0xeed63d90, pc=0xefbe356a ";", len=10, pcdepth=1)
    at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp:5423
#3  0xf7696138 in DecompileExpression (cx=0xf7922340, script=<optimized out>, fun=0xeed92260, pc=<optimized out>)
    at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp:5829
#4  0xf76963ac in js_DecompileValueGenerator (cx=0xf7922340, spindex=<optimized out>, v=..., fallback=0x0)
    at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsopcode.cpp:5718
#5  0xf75f32cc in DecompileValueGenerator (fallback=<optimized out>, v=..., spindex=1, cx=<optimized out>) at ../../../js/src/jsopcode.h:401
#6  js_ReportIsNullOrUndefined (cx=0xf7922340, spindex=1, v=..., fallback=0x0) at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jscntxt.cpp:770
#7  0xf7676118 in js_ValueToNonNullObject (cx=0xf7922340, v=...) at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsobj.cpp:5908
#8  0xf7648c70 in ValueToObject (v=..., cx=<optimized out>) at ../../../js/src/jsobj.h:1435
#9  GetPropertyOperation (vp=0xffede6b0, lval=..., pc=0xefbe3575 "\270", cx=0xf7922340)
    at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsinterpinlines.h:243
#10 js::Interpret (cx=0xf7922340, entryFrame=0xf0e003e8, interpMode=js::JSINTERP_NORMAL)
    at /build/buildd-iceweasel_14.0.1-2-sparc-jQxQ7a/iceweasel-14.0.1/js/src/jsinterp.cpp:2654
[...]

It is happening due to an unaligned store operation:

(gdb) disass
Dump of assembler code for function PushOff(SprintStack*, ptrdiff_t, JSOp, jsbytecode*):
   0xf7688840 <+0>:     save  %sp, -96, %sp
   0xf7688844 <+4>:     ld  [ %i0 + 0x28 ], %g1
   0xf7688848 <+8>:     ld  [ %i0 + 0x1c ], %g2
   0xf768884c <+12>:    ld  [ %g1 + 0x28 ], %g1
   0xf7688850 <+16>:    lduh  [ %g1 + 0x56 ], %g3
   0xf7688854 <+20>:    lduh  [ %g1 + 0x52 ], %g1
   0xf7688858 <+24>:    sub  %g3, %g1, %g1
   0xf768885c <+28>:    cmp  %g2, %g1
   0xf7688860 <+32>:    bcc,pn   %icc, 0xf76888d0 <PushOff(SprintStack*, ptrdiff_t, JSOp, jsbytecode*)+144>
   0xf7688864 <+36>:    sll  %g2, 2, %g1
   0xf7688868 <+40>:    ld  [ %i0 + 0x10 ], %o7
   0xf768886c <+44>:    mov  0x35, %g3
   0xf7688870 <+48>:    ld  [ %i0 + 0x14 ], %g4
   0xf7688874 <+52>:    cmp  %i2, 0xe4
   0xf7688878 <+56>:    be,pn   %icc, 0xf768888c <PushOff(SprintStack*, ptrdiff_t, JSOp, jsbytecode*)+76>
   0xf768887c <+60>:    st  %i1, [ %o7 + %g1 ]
   0xf7688880 <+64>:    mov  0x37, %g3
   0xf7688884 <+68>:    cmp  %i2, 0xe5
   0xf7688888 <+72>:    movne  %icc, %i2, %g3
   0xf768888c <+76>:    stb  %g3, [ %g4 + %g2 ]
   0xf7688890 <+80>:    mov  %i0, %o0
   0xf7688894 <+84>:    inc  %g2
   0xf7688898 <+88>:    ld  [ %i0 + 0x18 ], %g3
   0xf768889c <+92>:    mov  3, %o1
=> 0xf76888a0 <+96>:    st  %i3, [ %g3 + %g1 ]
   0xf76888a4 <+100>:   st  %g2, [ %i0 + 0x1c ]
   0xf76888a8 <+104>:   call  0xf7688760 <js::Sprinter::reserve(unsigned int)>
   0xf76888ac <+108>:   mov  1, %i0
   0xf76888b0 <+112>:   cmp  %o0, 0
   0xf76888b4 <+116>:   be,pn   %icc, 0xf76888dc <PushOff(SprintStack*, ptrdiff_t, JSOp, jsbytecode*)+156>
   0xf76888b8 <+120>:   nop 
   0xf76888bc <+124>:   clrb  [ %o0 ]
   0xf76888c0 <+128>:   clrb  [ %o0 + 1 ]
   0xf76888c4 <+132>:   clrb  [ %o0 + 2 ]
   0xf76888c8 <+136>:   rett  %i7 + 8
   0xf76888cc <+140>:   nop 
   0xf76888d0 <+144>:   ld  [ %i0 ], %o0
   0xf76888d4 <+148>:   call  0xf78de654 <JS_ReportOutOfMemory at plt>
   0xf76888d8 <+152>:   clr  %i0
   0xf76888dc <+156>:   rett  %i7 + 8
   0xf76888e0 <+160>:   nop 
End of assembler dump.
(gdb) info reg i3 g1 g3
i3             0xefbe356a       -272747158
g1             0x4      4
g3             0xf1a5f02e       -240783314
(gdb)

Either way, I assume that chances of a new version getting into wheezy 
at this point are pretty slim. For the current wheezy version I've 
posted some analysis of the crash at

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688086#10

Perhaps we should look into fixing the alignment issues of this code.

Best regards,
-- 
Jurij Smakov                                           jurij at wooyd.org
Key: http://www.wooyd.org/pgpkey/                      KeyID: C99E03CC
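An added worked example, not part of Jurij's mail or the iceweasel/SpiderMonkey sources: it recomputes the faulting address from the register dump above (the `st %i3, [ %g3 + %g1 ]` at `<+96>`, with %g3 = 0xf1a5f02e as the array base and %g1 = 4 as the scaled index), shows the allocator pattern that typically produces a base that is 2 mod 4, and shows the two usual remedies, an aligning allocator and memcpy-based unaligned access. The bump allocator and the 6-byte "opcodes" request are hypothetical stand-ins chosen to reproduce the 2-byte offset seen in the dump; the mail does not say which allocator produced that base.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Effective address of a SPARC register+register store such as
 * "st %i3, [ %g3 + %g1 ]": base register plus index register. */
static uintptr_t store_ea(uintptr_t base, uintptr_t index)
{
    return base + index;
}

/* Bytes by which addr misses natural alignment for an access of `width`
 * bytes (width must be a power of two); 0 means aligned. SPARC traps
 * (SIGBUS) on any non-zero result for st/ld (4), std/ldd (8), sth/lduh (2). */
static size_t misalignment(uintptr_t addr, size_t width)
{
    return (size_t)(addr & (uintptr_t)(width - 1));
}

static int is_naturally_aligned(uintptr_t addr, size_t width)
{
    return misalignment(addr, width) == 0;
}

/* Hypothetical bump allocator standing in for whatever carved out the
 * parallel arrays (NOT SpiderMonkey's allocator). The naive variant advances
 * the cursor by exactly the request size, so an earlier request whose size
 * is not a multiple of 4 leaves every later block misaligned. */
typedef struct {
    unsigned char *cur;
    unsigned char *end;
} bump_t;

static void *bump_alloc_naive(bump_t *b, size_t n)
{
    void *p;
    if ((size_t)(b->end - b->cur) < n)
        return NULL;
    p = b->cur;
    b->cur += n;
    return p;
}

/* Fixed variant: round the cursor up to `align` before handing out memory. */
static void *bump_alloc_aligned(bump_t *b, size_t n, size_t align)
{
    uintptr_t cur = (uintptr_t)b->cur;
    uintptr_t up = (cur + align - 1) & ~(uintptr_t)(align - 1);
    size_t pad = (size_t)(up - cur);
    if ((size_t)(b->end - b->cur) < pad + n)
        return NULL;
    b->cur = (unsigned char *)up + n;
    return (void *)up;
}

/* Allocation pattern: a byte array of length 6 (constructed to mirror the
 * 2 mod 4 base in the dump), then an array of 32-bit words. Returns the
 * misalignment of the word array's base: 0 with the aligning allocator. */
static size_t word_array_misalignment(int use_aligned_allocator)
{
    static union { unsigned char bytes[64]; uint64_t pad; } arena; /* 8-aligned */
    bump_t b = { arena.bytes, arena.bytes + sizeof arena.bytes };
    const size_t byte_len = 6;
    const size_t words_len = 4 * sizeof(uint32_t);
    void *words;

    if (use_aligned_allocator) {
        (void)bump_alloc_aligned(&b, byte_len, 1);
        words = bump_alloc_aligned(&b, words_len, sizeof(uint32_t));
    } else {
        (void)bump_alloc_naive(&b, byte_len);
        words = bump_alloc_naive(&b, words_len);
    }
    return misalignment((uintptr_t)words, sizeof(uint32_t));
}

/* When the layout cannot be changed, memcpy lets the compiler emit byte
 * stores (or an unaligned-safe sequence) instead of one `st`, so
 * strict-alignment CPUs do not trap. */
static void store32_unaligned(void *dst, uint32_t v)
{
    memcpy(dst, &v, sizeof v);
}

static uint32_t load32_unaligned(const void *src)
{
    uint32_t v;
    memcpy(&v, src, sizeof v);
    return v;
}

/* Round-trip through an address that is deliberately 2 mod 4. */
static uint32_t unaligned_roundtrip(uint32_t v)
{
    static union { unsigned char bytes[16]; uint64_t pad; } buf;
    store32_unaligned(buf.bytes + 2, v);
    return load32_unaligned(buf.bytes + 2);
}

int main(void)
{
    /* Register values from the gdb dump in the mail. */
    uintptr_t g3 = 0xf1a5f02eu, g1 = 0x4u;
    uintptr_t ea = store_ea(g3, g1);
    printf("st %%i3, [%%g3 + %%g1] -> 0x%lx: %s, off by %zu for a 4-byte store\n",
           (unsigned long)ea, is_naturally_aligned(ea, 4) ? "aligned" : "misaligned",
           misalignment(ea, 4));
    printf("naive allocator: word array off by %zu; aligning allocator: %zu\n",
           word_array_misalignment(0), word_array_misalignment(1));
    return 0;
}
```

The arithmetic matches the dump: 0xf1a5f02e + 4 = 0xf1a5f032, which is 2 mod 4, so a 32-bit `st` traps on SPARC while the same code runs silently on x86. Searching the SprintStack setup for allocations that only guarantee 1- or 2-byte alignment for the pointer-sized array is where a fix for this crash would start.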



More information about the pkg-mozilla-maintainers mailing list