Red Hat Bugzilla – Bug 1289432
Unhandled Level1 translation fault in polkitd due to mozjs package
Last modified: 2016-04-12 13:55:58 EDT
+++ This bug was initially created as a clone of Bug #1242326 +++
Description of problem:
On AArch64 systems with 48 VA bits, the polkitd process crashes continuously due to an unhandled level 1 translation fault. On debugging we found that it is caused by the mozjs code.
Version-Release number of selected component (if applicable):
Fedora 21 for Aarch64
It's easily reproducible on the Cavium ThunderX platform.
Steps to Reproduce:
1. Just boot the F21 release for aarch64; the crash can be seen every time polkitd runs.
Below is the crash.
====== cut here ========
unhandled level 1 translation fault (11) at 0x00000000, esr 0x92000045
pgd = ffff8003c3e3ba00
 *pgd=0000000000000000, *pud=0000000000000000
CPU: 0 PID: 1983 Comm: polkitd Not tainted 3.18.0 #1
task: ffff8003c3a60b00 ti: ffff8003c3ba0000 task.ti: ffff8003c3ba0000
PC is at 0xffff7a733f90
LR is at 0xffff7a733f74
pc : [<0000ffff7a733f90>] lr : [<0000ffff7a733f74>] pstate: 20000000
sp : 0000ffffe1ef0e60
x29: 0000ffffe1ef0e90 x28: 0000ffffb1acdc40
x27: 0000ffffb1ad18e0 x26: 0000ffffb1acd720
x25: 0000ffff7a9e2588 x24: 0000000000000000
x23: 0000000000000000 x22: 0000ffffe1ef0f78
x21: 0000ffffb1ad1840 x20: 0000000000800000
x19: 0000ffff7a7a7e08 x18: 0000ffff7a363b4c
x17: 0000ffff7a797b40 x16: 0000ffff7a40af0c
x15: 00000000ffffffff x14: 0000ffff7ac0a000
x13: 0000ffff7ac09000 x12: 0000ffffe1ef0ce0
x11: 0000ffff7ac2a250 x10: 0000000002eb0939
x9 : 0000000000000000 x8 : 0000000000000001
x7 : ffffffffffffffff x6 : 0000ffffb1aca9f0
x5 : 0000ffffb1aca9f0 x4 : 0000ffffb1aca9f0
x3 : 0000ffff7a40b074 x2 : 0000ffff7a40b578
x1 : 000000000000007b x0 : 0000000000000000
====== end =========
It shouldn't crash.
The attached patch to the mozjs source fixes the problem. On the aarch64 architecture the VA bit maximum is 48.
--- Additional comment from Jan Kurik on 2015-07-15 09:18:20 EDT ---
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.
(As we did not run this process for some time, it could also affect pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)
More information and the reason for this action are here:
--- Additional comment from Peter Newton on 2015-08-18 18:53:00 EDT ---
I was interested in making mozjs17 work on an aarch64 system so I built the mozjs17 RPM with the patch above applied. I can confirm that the RPM built and all of its tests passed on this aarch64 system with a 48b VA kernel.
However, I also built the RPM on a KVM/QEMU VM running Fedora 22 with stock Fedora 22 kernel which is configured with a 42b VA (see Documentation/arm64/memory.txt in kernel source). In this case, the patch causes the RPM to fail its tests.
I think that JS::Value on 64b platforms uses 17b of tag and 47b of payload (punboxing) for pointers. So, I am not sure that the patch is actually correct.
--- Additional comment from Radha Mohan Chintakuntla on 2015-08-19 00:30:58 EDT ---
Thanks for testing this out. I am not 100% aware of the mozjs code, so was looking for anyone who can tell if this patch is sufficient or not. Feel free to improve it to make it work on all combinations.
*** This bug has been marked as a duplicate of bug 1324216 ***
I have marked this bug as a duplicate of another requesting that we incorporate an upstream patch to address the erroneous use of more bits than permitted for tagged pointers in spidermonkey. This fix will be required for a later kernel change to a 48-bit VA, or for testing of upstream kernels with a 48-bit VA configured.
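As an added illustration of the tagged-pointer problem discussed in Peter Newton's comment and in the closing comment, the C model below boxes a pointer into the 64-bit "punboxed" layout those comments describe (17-bit tag, 47-bit payload) and shows that a 42-bit VA address round-trips while the faulting PC from the oops above, a 48-bit VA address with bit 47 set, loses that bit. This is example code written for this page, not mozjs or SpiderMonkey code; the tag value and the 42-bit sample address are constructed assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the 64-bit "punboxed" JS::Value layout described in the
 * comments: a 17-bit tag in the high bits, a 47-bit payload in the low bits.
 * Constructed for illustration; not SpiderMonkey's actual JS::Value code. */
#define PAYLOAD_BITS 47
#define PAYLOAD_MASK ((UINT64_C(1) << PAYLOAD_BITS) - 1)
#define TAG_OBJECT   UINT64_C(0x1FFFD)            /* constructed 17-bit tag */

typedef uint64_t boxed_value;

/* Box a pointer: tag in the top 17 bits, pointer in the low 47 bits. */
static boxed_value box_ptr(uintptr_t p) {
    return (TAG_OBJECT << PAYLOAD_BITS) | ((uint64_t)p & PAYLOAD_MASK);
}

/* Unbox: recover the pointer by masking off the tag. */
static uintptr_t unbox_ptr(boxed_value v) {
    return (uintptr_t)(v & PAYLOAD_MASK);
}

/* Recover the tag, so a caller can verify it survived boxing intact. */
static uint64_t value_tag(boxed_value v) {
    return v >> PAYLOAD_BITS;
}

/* A pointer is representable only if no bit at or above bit 47 is set. A
 * 42-bit VA kernel never hands out such user addresses; a 48-bit VA kernel
 * does (every user address in the oops above has bit 47 set). */
static bool ptr_fits_payload(uintptr_t p) {
    return ((uint64_t)p & ~PAYLOAD_MASK) == 0;
}

int main(void) {
    /* Constructed 42-bit VA user address, and the faulting PC from the oops. */
    uintptr_t ptrs[] = { (uintptr_t)UINT64_C(0x000003fffffff000),
                         (uintptr_t)UINT64_C(0x0000ffff7a733f90) };
    for (size_t i = 0; i < 2; i++) {
        uintptr_t back = unbox_ptr(box_ptr(ptrs[i]));
        printf("ptr %#018" PRIxPTR " fits=%d round-trips to %#018" PRIxPTR "%s\n",
               ptrs[i], ptr_fits_payload(ptrs[i]), back,
               back == ptrs[i] ? "" : "  <- bit 47 lost");
    }
    return 0;
}
```

Running it prints the second address coming back as 0x00007fff7a733f90, a different user address entirely, which is the kind of silent corruption a wider VA exposes in an encoding that only reserves 47 payload bits.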