Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 1289432 - Unhandled Level1 translation fault in polkitd due to mozjs package
Summary: Unhandled Level1 translation fault in polkitd due to mozjs package
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mozjs17
Version: 7.2
Hardware: aarch64
OS: Linux
Target Milestone: rc
: ---
Assignee: Colin Walters
QA Contact: Desktop QE
Depends On:
TreeView+ depends on / blocked
Reported: 2015-12-08 05:59 UTC by Radha Mohan Chintakuntla
Modified: 2016-04-12 17:55 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1242326
Last Closed: 2016-04-12 17:53:42 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1143022 0 None None None Never

Description Radha Mohan Chintakuntla 2015-12-08 05:59:51 UTC
+++ This bug was initially created as a clone of Bug #1242326 +++

Description of problem:
On Aarch64 systems with a VA bits of 48 the polkitd process crashes continuously due to an unhandled level 1 translation fault. On debugging we found that it is caused by the mozjs code.

Version-Release number of selected component (if applicable):
Fedora 21 for Aarch64

How reproducible:
Its easily reproducible on Cavium ThunderX platform.

Steps to Reproduce:
1. Just boot the F21 release for aarch64 and can be seen every time polkitd runs

Actual results:
Below is the crash.

====== cut here ========
unhandled level 1 translation fault (11) at 0x00000000, esr 0x92000045
pgd = ffff8003c3e3ba00
[00000000] *pgd=0000000000000000, *pud=0000000000000000

CPU: 0 PID: 1983 Comm: polkitd Not tainted 3.18.0 #1
task: ffff8003c3a60b00 ti: ffff8003c3ba0000 task.ti: ffff8003c3ba0000
PC is at 0xffff7a733f90
LR is at 0xffff7a733f74
pc : [<0000ffff7a733f90>] lr : [<0000ffff7a733f74>] pstate: 20000000
sp : 0000ffffe1ef0e60
x29: 0000ffffe1ef0e90 x28: 0000ffffb1acdc40 
x27: 0000ffffb1ad18e0 x26: 0000ffffb1acd720 
x25: 0000ffff7a9e2588 x24: 0000000000000000 
x23: 0000000000000000 x22: 0000ffffe1ef0f78 
x21: 0000ffffb1ad1840 x20: 0000000000800000 
x19: 0000ffff7a7a7e08 x18: 0000ffff7a363b4c 
x17: 0000ffff7a797b40 x16: 0000ffff7a40af0c 
x15: 00000000ffffffff x14: 0000ffff7ac0a000 
x13: 0000ffff7ac09000 x12: 0000ffffe1ef0ce0 
x11: 0000ffff7ac2a250 x10: 0000000002eb0939 
x9 : 0000000000000000 x8 : 0000000000000001 
x7 : ffffffffffffffff x6 : 0000ffffb1aca9f0 
x5 : 0000ffffb1aca9f0 x4 : 0000ffffb1aca9f0 
x3 : 0000ffff7a40b074 x2 : 0000ffff7a40b578 
x1 : 000000000000007b x0 : 0000000000000000 

====== end =========

Expected results:
It shouldn't crash.

Additional info:
The attached patch to the mozjs source fixes the problem. On aarch64 architecture the VA bit maximum is 48.

--- Additional comment from Jan Kurik on 2015-07-15 09:18:20 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:

--- Additional comment from Peter Newton on 2015-08-18 18:53:00 EDT ---

I was interested in making mozjs17 work on an aarch64 system so I built the mozjs17 RPM with the patch above applied.  I can confirm that the RPM built and all of its tests passed on this aarch64 system with a 48b VA kernel.

However, I also built the RPM on a KVM/QEMU VM running Fedora 22 with stock Fedora 22 kernel which is configured with a 42b VA (see Documentation/arm64/memory.txt in kernel source).  In this case, the patch causes the RPM to fail its tests.

I think that JS::Value on 64b platforms uses 17b of tag and 47b of payload (punboxing) for pointers.  So, I am not sure that the patch is actually correct.

--- Additional comment from Radha Mohan Chintakuntla on 2015-08-19 00:30:58 EDT ---

Thanks for testing this out. I am not 100% aware of the mozjs code, so was looking for anyone who can tell if this patch is sufficient or not. Feel free to improve it to make it work on all combinations.

Comment 1 Jon Masters 2016-04-12 17:53:42 UTC

*** This bug has been marked as a duplicate of bug 1324216 ***

Comment 2 Jon Masters 2016-04-12 17:55:58 UTC
I have marked this bug as a duplicate of another requesting that we incorporate an upstream patch to address the erroneous use of more bits than permitted for tagged pointers in spidermonkey. This fix will be required for a later kernel change to a 48-bit VA, or for testing of upstream kernels with a 48-bit VA configured.

Note You need to log in before you can comment on or make changes to this bug.