Bug#926868: mozjs60: non262/extensions/clone-errors.js crashes on s390x

Julien Cristau jcristau at debian.org
Thu Apr 11 14:51:51 BST 2019


Source: mozjs60
Severity: important
Tags: upstream help

I disabled non262/extensions/clone-errors.js on s390x in mozjs60
60.2.3-2.1 because it would SIGSEGV.

gdb output follows; this is how far I've got.

Cheers,
Julien

(sid_s390x-dchroot)jcristau at zelenka:~/mozjs60/js/src/tests$ gdb --batch -ex 'source /home/jcristau/mozjs60/debian/build/dist/bin/js-gdb.py' -ex run -ex bt full --args /home/jcristau/mozjs60/debian/build/dist/bin/js -f shell.js -f non262/shell.js -f non262/extensions/shell.js -f non262/extensions/clone-errors.js 
warning: File "/home/jcristau/mozjs60/debian/build/dist/bin/js-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
        add-auto-load-safe-path /home/jcristau/mozjs60/debian/build/dist/bin/js-gdb.py
line to your configuration file "/home/jcristau/.gdbinit".
To completely disable this security protection add
        set auto-load safe-path /
line to your configuration file "/home/jcristau/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"
Loading JavaScript value pretty-printers; see js/src/gdb/README.
If they cause trouble, type: disable pretty-printer .* SpiderMonkey
SpiderMonkey unwinder is disabled by default, to enable it type:
        enable unwinder .* SpiderMonkey
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/s390x-linux-gnu/libthread_db.so.1".
[New Thread 0x3fffb7ff910 (LWP 62445)]
[Thread 0x3fffb7ff910 (LWP 62445) exited]
[New Thread 0x3fffb7ff910 (LWP 62446)]
[New Thread 0x3fffaffe910 (LWP 62447)]
 PASSED! ok

Thread 1 "js" received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0xf01fc60001000000) at malloc.c:3095
3095    malloc.c: No such file or directory.
Python Exception <class 'gdb.error'> No symbol "WasmFaultHandler" in current context.: 
#0  0x000003fffb90ec3a in __GI___libc_free (mem=0xf01fc60001000000) at malloc.c:3095
#1  0x00000001005ad744 in js_free (p=<optimized out>) at ./debian/build/dist/include/js/Utility.h:419
#2  0x00000001005ad744 in JSStructuredCloneData::discardTransferables() (this=this at entry=0x3ffffffe100) at ./js/src/vm/StructuredClone.cpp:1020
#3  0x00000001005ad802 in JSAutoStructuredCloneBuffer::clear() (this=this at entry=0x3ffffffe0f8) at ./js/src/vm/StructuredClone.cpp:2801
#4  0x0000000100366c5e in JSAutoStructuredCloneBuffer::~JSAutoStructuredCloneBuffer() (this=0x3ffffffe0f8, __in_chrg=<optimized out>) at ./debian/build/dist/include/js/StructuredClone.h:575
#5  0x0000000100366c5e in CloneBufferObject::discard() (this=Python Exception <class 'gdb.error'> No type "Class" within class or namespace "js".: 
0x3fffab83200) at ./js/src/builtin/TestingFunctions.cpp:2769
#6  0x0000000100366c5e in CloneBufferObject::Finalize(js::FreeOp*, JSObject*) (fop=<optimized out>, obj=Python Exception <class 'gdb.error'> No type "Class" within class or namespace "js".: 
0x3fffab83200) at ./js/src/builtin/TestingFunctions.cpp:2910
#7  0x000000010070c786 in js::Class::doFinalize(js::FreeOp*, JSObject*) const (this=<optimized out>, obj=Python Exception <class 'gdb.error'> No type "Class" within class or namespace "js".: 
0x3fffab83200, fop=<optimized out>) at ./debian/build/dist/include/js/Class.h:872
#8  0x000000010070c786 in JSObject::finalize(js::FreeOp*) (fop=<optimized out>, this=Python Exception <class 'gdb.error'> No type "Class" within class or namespace "js".: 
0x3fffab83200) at ./js/src/vm/JSObject-inl.h:108
#9  0x000000010070c786 in js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) (thingSize=<optimized out>, thingKind=<optimized out>, fop=<optimized out>, this=0x3fffab83000) at ./js/src/gc/GC.cpp:590
#10 0x000000010070c786 in FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) (fop=<optimized out>, fop at entry=0x3ffffffe9a0, src=src at entry=0x2149b, dest=..., thingKind=thingKind at entry=js::gc::AllocKind::OBJECT4, budget=..., keepArenas=<optimized out>) at ./js/src/gc/GC.cpp:648
#11 0x000000010070e57c in FinalizeArenas(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) (fop=0x3ffffffe9a0, src=0x2149b, dest=..., thingKind=thingKind at entry=js::gc::AllocKind::OBJECT4, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at ./js/src/gc/GC.cpp:682
#12 0x000000010070f836 in js::gc::ArenaLists::foregroundFinalize(js::FreeOp*, js::gc::AllocKind, js::SliceBudget&, js::gc::SortedArenaList&) (this=0x1009e0e90, fop=<optimized out>, thingKind=<optimized out>, sliceBudget=..., sweepList=...) at ./js/src/gc/ArenaList.h:255
#13 0x000000010070f9d2 in js::gc::GCRuntime::finalizeAllocKind(js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind) (this=0x1009ab928, fop=<optimized out>, budget=..., zone=<optimized out>, kind=<optimized out>) at ./js/src/gc/GC.cpp:6124
#14 0x0000000100711c56 in sweepaction::SweepActionCall<js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind) (args#3=<optimized out>, args#2=<optimized out>, args#1=..., args#0=<optimized out>, gc=0x1009ab928, this=<optimized out>) at ./js/src/gc/GC.cpp:6259
#15 0x0000000100711c56 in sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind> >, mozilla::EnumSet<js::gc::AllocKind>, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*) (this=0x1009bce10, args#0=0x1009ab928, args#1=<optimized out>, args#2=..., args#3=<optimized out>) at ./js/src/gc/GC.cpp:6319
#16 0x00000001006e50e8 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*) (this=0x1009bcf10, args#0=0x1009ab928, args#1=0x3ffffffe9a0, args#2=..., args#3=0x1009e0e30) at ./debian/build/dist/include/mozilla/UniquePtr.h:326
#17 0x00000001006e4f74 in sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) (this=0x1009a96e0, args#0=0x1009ab928, args#1=0x3ffffffe9a0, args#2=...) at ./js/src/gc/PrivateIterators-inl.h:113
#18 0x00000001006e4e38 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) (this=0x1009bcfe0, args#0=0x1009ab928, args#1=0x3ffffffe9a0, args#2=...) at ./debian/build/dist/include/mozilla/UniquePtr.h:326
#19 0x00000001006f3e26 in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) (this=0x1009bd040, args#0=0x1009ab928, args#1=0x3ffffffe9a0, args#2=...) at ./debian/build/dist/include/mozilla/UniquePtr.h:326
#20 0x00000001006f4a54 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) (this=this at entry=0x1009ab928, budget=...) at ./debian/build/dist/include/mozilla/UniquePtr.h:326
#21 0x0000000100720282 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoTraceSession&) (this=this at entry=0x1009ab928, budget=..., reason=reason at entry=JS::gcreason::DESTROY_RUNTIME, session=...) at ./js/src/gc/GC.cpp:7084
#22 0x0000000100720f70 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) (this=this at entry=0x1009ab928, nonincrementalByAPI=nonincrementalByAPI at entry=true, budget=..., reason=reason at entry=JS::gcreason::DESTROY_RUNTIME) at ./js/src/gc/GC.cpp:7413
#23 0x00000001007212c6 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) (this=this at entry=0x1009ab928, nonincrementalByAPI=nonincrementalByAPI at entry=true, budget=..., reason=reason at entry=JS::gcreason::DESTROY_RUNTIME) at ./js/src/gc/GC.cpp:7556
#24 0x0000000100721434 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) (this=this at entry=0x1009ab928, gckind=gckind at entry=GC_NORMAL, reason=reason at entry=JS::gcreason::DESTROY_RUNTIME) at ./debian/build/dist/include/js/SliceBudget.h:61
#25 0x000000010056279c in JSRuntime::destroyRuntime() (this=0x1009ab430) at ./js/src/vm/Runtime.cpp:316
#26 0x00000001004f432a in js::DestroyContext(JSContext*) (cx=0x1009b00b0) at ./js/src/vm/JSContext.h:305
#27 0x00000001000af966 in main(int, char**, char**) (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ./js/src/shell/js.cpp:9431
