Bug 1578429 - firefox crashes at ContextToFP() on ppc64le
Summary: firefox crashes at ContextToFP() on ppc64le
Keywords:
Status: CLOSED DUPLICATE of bug 1498561
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 28
Hardware: ppc64le
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: PPCTracker
 
Reported: 2018-05-15 14:54 UTC by Menanteau Guy
Modified: 2018-05-16 11:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-16 11:56:14 UTC
Type: Bug
Embargoed:


Attachments
gdb backtrace (4.54 KB, text/plain), 2018-05-15 14:54 UTC, Menanteau Guy

Description Menanteau Guy 2018-05-15 14:54:27 UTC
Created attachment 1436812
gdb backtrace

Unable to start firefox-60.0-4 on a qemu ppc64le machine.

I installed an f27 Fedora qemu ppc64le machine with the latest updates. When I start
firefox-60.0-4 I get a Segmentation fault.
Same problem on f28.

On the console I have:
[363497.629997] firefox[32007]: unhandled signal 11 at 0000000000000000 nip 000000010000d514 lr 000000010000d790 code 1

When I use gdb (I run firefox through an ssh -X session), I do:
gdb -tui /usr/lib64/firefox/firefox
(gdb) run --no-remote

Program received signal SIGSEGV, Segmentation fault.
RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::TreeNode::SetColor (
    aColor=Red, this=<synthetic pointer>)
    at /usr/src/debug/firefox-60.0-4.f27.ppc64le/memory/build/rb.h:203

   192         NodeColor Color()
   193         {
   194           return mNode ? Trait::GetTreeNode(mNode).Color() : NodeColor:
   195         }
   196
   197         bool IsRed() { return Color() == NodeColor::Red; }
   198
   199         bool IsBlack() { return Color() == NodeColor::Black; }
   200
   201         void SetColor(NodeColor aColor)
   202         {
 > 203           MOZ_RELEASE_ASSERT(mNode);
   204           Trait::GetTreeNode(mNode).SetColor(aColor);
   205         }
   206
   207         T* Get() { return mNode; }
   208
   209         MOZ_IMPLICIT operator bool() { return !!mNode; }
   210
   211         bool operator==(TreeNode& aOther) { return mNode == aOther.mNod
   212
   213       private:
   214         T* mNode;
   215       };

Comment 1 Martin Stransky 2018-05-16 10:15:13 UTC
Yes, that's because of jemalloc. You can try builds with jemalloc disabled:

https://koji.fedoraproject.org/koji/taskinfo?taskID=26989530

Also there's a crash at js/src/wasm/WasmSignalHandlers.cpp: ContextToPC() does not have a handler for ppc64le and other arches here.

bt:
#0  0x00003fffb1f49edc in ContextToPC(ucontext_t*) (context=0x3fffffff5a60)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/wasm/WasmSignalHandlers.cpp:441
#1  0x00003fffb1f4acf4 in RedirectJitCodeToInterruptCheck(JSContext*, ucontext_t*) (cx=0x1004b37f0, context=0x3fffffff5a60)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/wasm/WasmSignalHandlers.cpp:1553
#2  0x00003fffb1f4aeac in JitInterruptHandler(int, siginfo_t*, void*) (signum=26, info=0x3fffffff67d8, context=0x3fffffff5a60)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/wasm/WasmSignalHandlers.cpp:1601
#3  0x00003fffb7f90478 in <signal handler called> () at arch/powerpc/kernel/vdso64/sigtramp.S
#4  0x00003fffb136e7a8 in js::detail::DefineComparisonOps<js::PreBarriered<jsid> >::get(js::PreBarriered<jsid> const&) (v=...)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/gc/Barrier.h:977
#5  0x00003fffb13382cc in operator==<js::PreBarriered<jsid> >(js::PreBarriered<jsid> const&, js::PreBarriered<jsid>::ElementType const&) (a=..., b=...) at /home/komat/rpmbuild/BUILD/firefox-60.0/objdir/dist/include/js/RootingAPI.h:1541
#6  0x00003fffb1278648 in js::Shape::searchLinear(jsid) (this=0x3fff5f62ba10, id=...)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/Shape.h:1623
#7  0x00003fffb1a1bb14 in js::Shape::searchNoHashify(js::Shape*, jsid) (start=0x3fff5f62ba10, id=...)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/Shape-inl.h:391
#8  0x00003fffb1a55c6c in js::NativeObject::lookupPure(jsid) (this=0x3fff99e8e120, id=...)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/NativeObject.cpp:289
#9  0x00003fffb0ea07c4 in js::NativeObject::lookupPure(js::PropertyName*) (this=0x3fff99e8e120, name=0x3fff99e28640)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/NativeObject.h:836
#10 0x00003fffb0eaa050 in js::GlobalObject::maybeGetIntrinsicValue(JSContext*, JS::Handle<js::GlobalObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x1004b37f0, global=..., name=..., vp=..., exists=0x3fffffff6ccf)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/GlobalObject.h:711
#11 0x00003fffb0eaa13c in js::GlobalObject::getIntrinsicValue(JSContext*, JS::Handle<js::GlobalObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) (cx=0x1004b37f0, global=..., name=..., value=...)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/GlobalObject.h:726
#12 0x00003fffb0eb4da0 in js::GetIntrinsicOperation(JSContext*, unsigned char*, JS::MutableHandle<JS::Value>) (cx=0x1004b37f0, pc=0x10065b718 "\217\001", vp=...) at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/Interpreter-inl.h:293
#13 0x00003fffb0ed1028 in Interpret(JSContext*, js::RunState&) (cx=0x1004b37f0, state=...)
    at /home/komat/rpmbuild/BUILD/firefox-60.0/js/src/vm/Interpreter.cpp:3237
#14 0x00003fffb0ebcf98 in js::RunScript(JSContext*, js::RunState&) (cx=0x1004b37f0, state=...)


406	#if defined(_M_X64) || defined(__x86_64__)
407	# define PC_sig(p) RIP_sig(p)
408	# define FP_sig(p) RBP_sig(p)
409	# define SP_sig(p) RSP_sig(p)
410	#elif defined(_M_IX86) || defined(__i386__)
411	# define PC_sig(p) EIP_sig(p)
412	# define FP_sig(p) EBP_sig(p)
413	# define SP_sig(p) ESP_sig(p)
414	#elif defined(__arm__)
415	# define FP_sig(p) R11_sig(p)
416	# define SP_sig(p) R13_sig(p)
417	# define LR_sig(p) R14_sig(p)
418	# define PC_sig(p) R15_sig(p)
419	#elif defined(__aarch64__)
420	# define PC_sig(p) EPC_sig(p)
421	# define FP_sig(p) RFP_sig(p)
422	# define SP_sig(p) R31_sig(p)
423	# define LR_sig(p) RLR_sig(p)
424	#elif defined(__mips__)
425	# define PC_sig(p) EPC_sig(p)
426	# define FP_sig(p) RFP_sig(p)
427	# define SP_sig(p) RSP_sig(p)
428	# define LR_sig(p) R31_sig(p)
429	#endif

Missing definitions for other arches.

430	
431	#if defined(PC_sig) && defined(FP_sig) && defined(SP_sig)
432	# define KNOWS_MACHINE_STATE
433	#endif
434	
445	static uint8_t*
446	ContextToFP(CONTEXT* context)
447	{
448	#ifdef KNOWS_MACHINE_STATE
449	    return reinterpret_cast<uint8_t*>(FP_sig(context));
450	#else
451	    MOZ_CRASH(); <<<
452	#endif
453	}

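The #if chain quoted above stops at mips, so on ppc64le none of PC_sig/FP_sig/SP_sig is defined, KNOWS_MACHINE_STATE never appears, and ContextToFP() reaches MOZ_CRASH() the first time the interrupt signal is delivered. The block below is an added example, not Firefox code, of the same accessor pattern with a ppc64le mapping (uc_mcontext.gp_regs indices, assumed from the Linux ppc64 ucontext layout) and a compile-time #error in place of the runtime crash; capture_machine_state() and capture_handler() are names chosen here.

```c
#define _GNU_SOURCE 1
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>

/* Register accessors in the style of the PC_sig/FP_sig/SP_sig chain above.
 * Numeric gregs[]/gp_regs[] indices are spelled out (REG_RIP etc. are
 * _GNU_SOURCE-only names; PT_NIP etc. come from <asm/ptrace.h>). */
#if defined(__x86_64__)
# define PC_sig(p) ((p)->uc_mcontext.gregs[16])   /* REG_RIP */
# define SP_sig(p) ((p)->uc_mcontext.gregs[15])   /* REG_RSP */
# define FP_sig(p) ((p)->uc_mcontext.gregs[10])   /* REG_RBP */
#elif defined(__aarch64__)
# define PC_sig(p) ((p)->uc_mcontext.pc)
# define SP_sig(p) ((p)->uc_mcontext.sp)
# define FP_sig(p) ((p)->uc_mcontext.regs[29])    /* x29 */
#elif defined(__powerpc64__)
/* ppc64/ppc64le (assumed layout): NIP is the PC, r1 the stack pointer; the
 * ABI has no dedicated frame-pointer register, so r1 is used as FP here. */
# define PC_sig(p) ((p)->uc_mcontext.gp_regs[32]) /* PT_NIP */
# define SP_sig(p) ((p)->uc_mcontext.gp_regs[1])  /* PT_R1 */
# define FP_sig(p) ((p)->uc_mcontext.gp_regs[1])  /* PT_R1 */
#else
# error "no machine-state accessors for this arch; do not fall through to a runtime crash"
#endif

static volatile uintptr_t g_pc, g_sp;  /* filled in by the signal handler */

static void capture_handler(int signum, siginfo_t* info, void* raw_context) {
  (void)signum; (void)info;
  ucontext_t* context = (ucontext_t*)raw_context;
  g_pc = (uintptr_t)PC_sig(context);
  g_sp = (uintptr_t)SP_sig(context);
}

/* Installs a SA_SIGINFO handler for SIGUSR1, raises it and returns 1 if the
 * recorded PC is non-zero and the recorded SP lies below this frame's locals
 * (the interrupted frame is raise()'s, deeper on the downward-growing stack). */
int capture_machine_state(void) {
  struct sigaction sa;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = capture_handler;
  sa.sa_flags = SA_SIGINFO;
  sigemptyset(&sa.sa_mask);
  if (sigaction(SIGUSR1, &sa, NULL) != 0) return 0;
  g_pc = 0; g_sp = 0;
  raise(SIGUSR1);
  return g_pc != 0 && g_sp != 0 && g_sp < (uintptr_t)&sa;
}
```
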
Comment 2 Menanteau Guy 2018-05-16 11:37:55 UTC
The bug described in comment 1 is more related to bug #1498561. I just updated it.

Comment 3 Menanteau Guy 2018-05-16 11:40:53 UTC
I will try with the patch from bug #1498561 and jemalloc disabled. Thanks for the info.

Comment 4 Martin Stransky 2018-05-16 11:56:14 UTC
Let's track it at Bug 1498561.

*** This bug has been marked as a duplicate of bug 1498561 ***

