Package: libmozjs185-1.0
Version: 1.8.5-1.0.0+dfsg-4.1
Severity: normal

Hi,

I encountered this through the package tests in cjs. This piece of code, when run with cjs on sparc, causes a SIGBUS:
===
const Lang = imports.lang;

const Accessor = new Lang.Class({
    Name: 'AccessorMagic',

    _init: function(val) {
        this._val = val;
    },

    get value() {
        return this._val;
    },

    set value(val) {
        _error = new Error();
        return;
    }
});

var a = new Accessor(44);
a.value = 8;
===

The problem goes away if the error is not created in the setter.

I added debug symbols and debugged this on a sparc host and came up with the following stack trace:

#0  0xf7d7d208 in js::Invoke (cx=0x74b00, argsRef=0xffff1018, flags=<unknown type>) at jsinterp.cpp:692
#1  0xf7d6846c in js::Interpret (cx=0x74b00, entryFrame=0xf6724228, inlineCallCount=<unknown type>, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:4810
#2  0xf7d7d020 in js::RunScript (cx=0x74b00, script=0xdb2a0, fp=0xf6724228) at jsinterp.cpp:653
#3  0xf7d7dd8c in js::Invoke (cx=0x74b00, argsRef=0xffff2db0, flags=<unknown type>) at jsinterp.cpp:740
#4  0xf7d231ac in js::CallOrConstructBoundFunction (cx=0x74b00, argc=<unknown type>, vp=0xf67241c0) at jsfun.cpp:2319
#5  0xf7d7d410 in js::Invoke (cx=0x74b00, argsRef=0xffff3188, flags=<unknown type>) at jscntxtinlines.h:701
#6  0xf7cb61a8 in js::InvokeSessionGuard::invoke(JSContext*) const () at ./dist/include/LIR.h:268

The line in the first frame is:

    if (!clasp->call) {

The problem is that the variable clasp has a value of 0x2, which would normally cause a segfault, but it's causing a SIGBUS due to alignment issues. I've tried to follow the code around to try to find out when it's set to this incorrect value, but I couldn't find it yet.

These are the lines where the local variable is set:

    JSObject &callee = args.callee().toObject();
    Class *clasp = callee.getClass();

callee is args._argv[-2]; toObject returns the data.s.payload.obj member.
When not broken, we get:

(gdb) p args.argv_[-2]
$1 = {data = {asBits = 4133512120, s = {tag = <unknown type>, payload = {i32 = -161455176, u32 = <unknown type>, boo = -161455176, str = 0xf66063b8, obj = 0xf66063b8, ptr = 0xf66063b8, why = 4133512120, word = <unknown type>}}, asDouble = -nan(0xf0007f66063b8), asPtr = 0xffff0007}}
(gdb) p *(args.argv_[-2].data.s.payload.obj)
$2 = {Cell = {CellShift = <optimized out or zero length>, CellSize = <optimized out or zero length>, CellMask = <optimized out or zero length>}, {lastProp = 0x86d58, map = 0x86d58}, clasp = 0xf7fc6c20 <js_FunctionClass>, flags = <unknown type>, objShape = <unknown type>, emptyShapes = 0x0, proto = 0xf6603050, parent = 0xf660b1b0, privateData = 0xf6610d20, capacity = <unknown type>, slots = 0xf66063e0,

When broken:

(gdb) p args.argv_[-2]
$3 = {data = {asBits = 552280, s = {tag = <unknown type>, payload = {i32 = 552280, u32 = <unknown type>, boo = 552280, str = 0x86d58, obj = 0x86d58, ptr = 0x86d58, why = 552280, word = <unknown type>}}, asDouble = -nan(0xf000700086d58), asPtr = 0xffff0007}}
(gdb) p *(args.argv_[-2].data.s.payload.obj)
$4 = {Cell = {CellShift = <optimized out or zero length>, CellSize = <optimized out or zero length>, CellMask = <optimized out or zero length>}, {lastProp = 0x17, map = 0x17}, clasp = 0x2, flags = <unknown type>, objShape = <unknown type>, emptyShapes = 0xf7fc6c20 <js_FunctionClass>, proto = 0x0, parent = 0xffffffff, privateData = 0x20000, capacity = <unknown type>, slots = 0xc2921,

I'll try to keep looking into this and follow up if I find anything interesting.

--
Regards,
Marga