
Bug 1242326
Summary: Unhandled Level1 translation fault in polkitd due to mozjs package

Product: Fedora
Component: mozjs17
Version: rawhide
Hardware: aarch64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Keywords: Tracking
Target Milestone: ---
Target Release: ---
Fixed In Version: mozjs17-17.0.0-16.fc25
Doc Type: Bug Fix
Type: Bug
Reporter: Radha Mohan Chintakuntla <mohun106>
Assignee: Colin Walters <walters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: debarshir, jeremy.linton, pbrobinson, peter.newton, rric, walters, yselkowi, zheng.xu
Clones: 1289432 1375305 1375547 1395969 1395972
Bug Blocks: 922257, 1375305, 1375547
Last Closed: 2016-09-17 00:58:09 UTC

Attachments:
- Patch that fixes this bug
- 48-bit VA fix for mozjs1.8.5
- 48-bit VA fix for mozjs17
- 48-bit VA fix for mozjs24
- 48-bit VA fix for mozjs38

Description Radha Mohan Chintakuntla 2015-07-13 05:25:28 UTC
Created attachment 1051279: Patch that fixes this bug

Description of problem:
On AArch64 systems with 48 VA bits the polkitd process crashes continuously due to an unhandled level 1 translation fault. On debugging we found that it is caused by the mozjs code.



Version-Release number of selected component (if applicable):
Fedora 21 for Aarch64

How reproducible:
It's easily reproducible on the Cavium ThunderX platform.

Steps to Reproduce:
1. Just boot the F21 release for aarch64; the crash can be seen every time polkitd runs.

Actual results:
Below is the crash.

====== cut here ========
unhandled level 1 translation fault (11) at 0x00000000, esr 0x92000045
pgd = ffff8003c3e3ba00
[00000000] *pgd=0000000000000000, *pud=0000000000000000

CPU: 0 PID: 1983 Comm: polkitd Not tainted 3.18.0 #1
task: ffff8003c3a60b00 ti: ffff8003c3ba0000 task.ti: ffff8003c3ba0000
PC is at 0xffff7a733f90
LR is at 0xffff7a733f74
pc : [<0000ffff7a733f90>] lr : [<0000ffff7a733f74>] pstate: 20000000
sp : 0000ffffe1ef0e60
x29: 0000ffffe1ef0e90 x28: 0000ffffb1acdc40 
x27: 0000ffffb1ad18e0 x26: 0000ffffb1acd720 
x25: 0000ffff7a9e2588 x24: 0000000000000000 
x23: 0000000000000000 x22: 0000ffffe1ef0f78 
x21: 0000ffffb1ad1840 x20: 0000000000800000 
x19: 0000ffff7a7a7e08 x18: 0000ffff7a363b4c 
x17: 0000ffff7a797b40 x16: 0000ffff7a40af0c 
x15: 00000000ffffffff x14: 0000ffff7ac0a000 
x13: 0000ffff7ac09000 x12: 0000ffffe1ef0ce0 
x11: 0000ffff7ac2a250 x10: 0000000002eb0939 
x9 : 0000000000000000 x8 : 0000000000000001 
x7 : ffffffffffffffff x6 : 0000ffffb1aca9f0 
x5 : 0000ffffb1aca9f0 x4 : 0000ffffb1aca9f0 
x3 : 0000ffff7a40b074 x2 : 0000ffff7a40b578 
x1 : 000000000000007b x0 : 0000000000000000 

====== end =========

Expected results:
It shouldn't crash.

Additional info:
The attached patch to the mozjs source fixes the problem. On aarch64 architecture the VA bit maximum is 48.
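Reading the first line of the dump above: the kernel prints the ESR_EL1 value it took the exception with (esr 0x92000045) and the faulting address (0x00000000). The decoder below is an added example written for this page; it is not part of the bug report, of mozjs, or of the kernel. It extracts the architectural fields (exception class, write-not-read bit, data fault status code) following the AArch64 ESR_ELx layout from the ARM Architecture Reference Manual, and runs it on the value from this dump. The field names and the struct are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AArch64 ESR_ELx layout: EC = bits [31:26], IL = bit 25, ISS = bits [24:0].
 * For data aborts (EC 0x24 = taken from a lower EL, 0x25 = taken from the current EL)
 * the ISS carries WnR (write-not-read) in bit 6 and the DFSC in bits [5:0]. */
#define ESR_EC(esr)   (((esr) >> 26) & 0x3fu)
#define ESR_IL(esr)   (((esr) >> 25) & 0x1u)
#define ESR_ISS(esr)  ((esr) & 0x1ffffffu)
#define EC_DATA_ABORT_LOWER_EL 0x24u
#define EC_DATA_ABORT_CUR_EL   0x25u
#define ISS_WNR(iss)  (((iss) >> 6) & 0x1u)
#define ISS_DFSC(iss) ((iss) & 0x3fu)

struct esr_info {
    unsigned    ec;
    bool        il32;          /* trapped instruction was 32-bit (always true on AArch64) */
    bool        data_abort;
    bool        from_lower_el; /* fault taken from EL0, i.e. a user-space process */
    bool        write;         /* WnR: the faulting access was a write */
    unsigned    dfsc;
    int         level;         /* page-table level for translation/access-flag/permission faults, else -1 */
    const char *kind;
};

/* DFSC encodings 0b0001LL, 0b0010LL and 0b0011LL are translation, access-flag and
 * permission faults at table level LL; everything else is reported as "other". */
static const char *dfsc_kind(unsigned dfsc, int *level)
{
    *level = -1;
    switch (dfsc & 0x3cu) {
    case 0x04u: *level = (int)(dfsc & 3u); return "translation fault";
    case 0x08u: *level = (int)(dfsc & 3u); return "access flag fault";
    case 0x0cu: *level = (int)(dfsc & 3u); return "permission fault";
    default:    return "other";
    }
}

struct esr_info decode_esr(uint32_t esr)
{
    struct esr_info i;
    uint32_t iss = ESR_ISS(esr);

    memset(&i, 0, sizeof i);
    i.ec = ESR_EC(esr);
    i.il32 = ESR_IL(esr) != 0;
    i.data_abort = (i.ec == EC_DATA_ABORT_LOWER_EL || i.ec == EC_DATA_ABORT_CUR_EL);
    i.from_lower_el = (i.ec == EC_DATA_ABORT_LOWER_EL);
    i.level = -1;
    i.kind = "not a data abort";
    if (i.data_abort) {
        i.write = ISS_WNR(iss) != 0;
        i.dfsc = ISS_DFSC(iss);
        i.kind = dfsc_kind(i.dfsc, &i.level);
    }
    return i;
}

int main(void)
{
    /* The ESR value printed in the crash dump from the bug description. */
    struct esr_info i = decode_esr(0x92000045u);

    printf("EC=%#x data abort from %s EL, %s access, DFSC=%#x: %s at level %d\n",
           i.ec, i.from_lower_el ? "lower" : "current",
           i.write ? "write" : "read", i.dfsc, i.kind, i.level);
    return 0;
}
```

For 0x92000045 the decoder reports EC 0x24 (data abort taken from EL0, so the fault is in polkitd's own user-mode code, not the kernel), WnR set (a write), and DFSC 0x05 (translation fault at level 1). Together with the faulting address 0x00000000 and x0 = 0 in the register dump, that is a user-space write through a null pointer.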

Comment 1 Jan Kurik 2015-07-15 13:18:20 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Peter Newton 2015-08-18 22:53:00 UTC
I was interested in making mozjs17 work on an aarch64 system so I built the mozjs17 RPM with the patch above applied.  I can confirm that the RPM built and all of its tests passed on this aarch64 system with a 48b VA kernel.

However, I also built the RPM on a KVM/QEMU VM running Fedora 22 with stock Fedora 22 kernel which is configured with a 42b VA (see Documentation/arm64/memory.txt in kernel source).  In this case, the patch causes the RPM to fail its tests.

I think that JS::Value on 64b platforms uses 17b of tag and 47b of payload (punboxing) for pointers.  So, I am not sure that the patch is actually correct.

Comment 3 Radha Mohan Chintakuntla 2015-08-19 04:30:58 UTC
Thanks for testing this out. I am not 100% aware of the mozjs code, so I was looking for anyone who can tell if this patch is sufficient or not. Feel free to improve it to make it work on all combinations.

Comment 4 Jeremy Linton 2016-08-02 18:25:34 UTC
Please don't apply the attached patch, it will break x86. It also causes an ABI break, requiring everything linked against mozjs to be rebuilt (which implies a .so name bump).


I have a backported version of the upstream patch against mozjs24, and an additional patch to move polkitd off mozjs17 to mozjs24. 

I would take the bug, but I don't appear to have permissions.

Comment 5 Zheng Xu 2016-09-07 06:56:53 UTC
Created attachment 1198512: 48-bit VA fix for mozjs1.8.5

Modify the tagged pointer data structure to use fewer tag bits, to make mozjs compatible with a 48-bit VA kernel configuration.

Comment 6 Zheng Xu 2016-09-07 06:58:17 UTC
Created attachment 1198513: 48-bit VA fix for mozjs17

Limit the heap allocation to memory within 47 bits, to make mozjs compatible with a 48-bit VA kernel configuration.

Comment 7 Zheng Xu 2016-09-07 06:58:53 UTC
Created attachment 1198514: 48-bit VA fix for mozjs24

Limit the heap allocation to memory within 47 bits, to make mozjs compatible with a 48-bit VA kernel configuration.

Comment 8 Zheng Xu 2016-09-07 06:59:49 UTC
Created attachment 1198515: 48-bit VA fix for mozjs38

Limit the heap allocation to memory within 47 bits, to make mozjs compatible with a 48-bit VA kernel configuration.

Comment 9 Zheng Xu 2016-09-07 07:09:59 UTC
Not sure if it is too late. I just attached the patches for mozjs fixes for different versions.

Note: mozjs1.8.5 is a bit different, because the old mozjs has pre-generated JS strings in C code that are mapped into memory by the dynamic linker, so changing the heap allocation doesn't help. But the patch for mozjs1.8.5 modifies the tagged pointer data structure, which is part of the JSAPI, so all the packages depending on mozjs1.8.5 need to be rebuilt if the patch is used.

Comment 10 Fedora Update System 2016-09-12 17:41:35 UTC
mozjs17-17.0.0-16.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6a046a4367

Comment 11 Debarshi Ray 2016-09-12 17:42:43 UTC
Thank you very much for the patches!

Comment 12 Jeremy Linton 2016-09-12 21:28:27 UTC
See also bug# 1375368 which moves polkit to mozjs24

Comment 13 Fedora Update System 2016-09-14 03:25:27 UTC
mozjs17-17.0.0-16.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6a046a4367

Comment 14 Fedora Update System 2016-09-17 00:58:05 UTC
mozjs17-17.0.0-16.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.