JS_DefineFunctions Does Not Work in 32bit Build (SegFaults)

Bug #339331 reported by mankyd
This bug affects 1 person
Affects: xulrunner-1.9 (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Calls to JS_DefineFunctions do not work in 32bit builds, sometimes leading to segmentation faults. Here is a sample backtrace from gdb (when it segfaulted):

#0 0x4011c25b in strlen () from /lib/tls/i686/cmov/libc.so.6
#1 0x4082dd98 in JS_DefineFunction (cx=0x81f1eb0, obj=0x81f5830, name=0x1 <Address 0x1 out of bounds>,
    call=0x4082ee20 <js_generic_native_method_dispatcher>, nargs=99, attrs=211) at jsapi.c:3738
#2 0x4082ebb7 in JS_DefineFunctions (cx=0x81f1eb0, obj=0x81f5938, fs=0x4093852c) at jsapi.c:3708
#3 0x4092fb44 in MY_InitFunctions (cx=0x81f1eb0) at core.c:1081

Some more investigation has shown that JS_DefineFunctions loops over the array that it is passed and calls JS_DefineFunction. The first call to JS_DefineFunction works just fine. It is the second call where the problem occurs.

Specifically, it appears to be a bug in the way the JSFunctionSpec is defined (https://developer.mozilla.org/En/SpiderMonkey/JSAPI_Reference/JSFunctionSpec)

When the following JSFunctionSpec is used, you get a segfault on the 32bit build (but not on the 64bit build):

static JSFunctionSpec global_funcs[] = {
    /* name, call, nargs, flags, extra */
    {"a", TestFunc, 1, 0, 1},
    {"b", TestFunc, 1, 0, 1},
    {NULL, NULL, 0, 0, 0}   /* terminator: JS_DefineFunctions stops at a NULL name */
};

I have attached a small sample program that demonstrates this bug. It can be compiled with the following command:
gcc -I/usr/include/mozjs -g -DXP_UNIX test.c -lmozjs -o test


Note: I have compiled SpiderMonkey from source and installed it as a separate library. This fixed the problem, so something is definitely wrong with the binary being distributed with this package.

Revision history for this message
John Vivirito (gnomefreak) wrote :

How is this xulrunner related? You built spidermonkey and it worked? This sounds more like a spidermonkey bug.

Changed in xulrunner-1.9:
status: New → Incomplete
Revision history for this message
mankyd (mankyd) wrote :

I may be incorrect about this, but I believe xulrunner contains the libmozjs library that comes with Ubuntu. The libmozjs library contains the bug. When I recompiled spidermonkey from code I found on the mozilla website, into a library called libjs, the segfault in my code resulting from JS_DefineFunctions goes away.

Revision history for this message
Alexander Sack (asac) wrote :

How do you build it? For me it doesn't crash.

Revision history for this message
Alexander Sack (asac) wrote :

I used:

gcc $(pkg-config --cflags --libs mozilla-js) -I/usr/include/xulrunner-1.9.0.7/unstable test.c

Revision history for this message
mankyd (mankyd) wrote :

Originally, I simply used:
gcc -I/usr/include/mozjs -g -DXP_UNIX test.c -lmozjs -o test

Using your more detailed command yields the same segfault, however.

It's worth noting that I am using 8.04 as 8.10 doesn't work on my laptop. If it's of interest, the md5 of libmozjs.so is 2898019a2c9ac8c6d374a171ebe31411.

In gdb, I believe I've tracked down the problem to a mistaken struct size for JSFunctionSpec. In JS_DefineFunctions, they have this code:

JS_PUBLIC_API(JSBool)
JS_DefineFunctions(JSContext *cx, JSObject *obj, JSFunctionSpec *fs)
{
    //...
    for (; fs->name; fs++) {
        //...
        fun = JS_DefineFunction(cx, obj, fs->name, fs->call, fs->nargs, flags);
        //...
    }
    //...
}

JS_DefineFunction makes a call to strlen(fs->name), which segfaults on the second loop through. With the code that I provided, it tries to call strlen(0x01). Specifically, it's trying to call strlen() on the value of JSFunctionSpec->extra from the element in the fs array before the current one. I've tested this by changing the value of extra and monitoring what it calls strlen() on.

When I copied the above code into my test program, I get no segfault. sizeof(JSFunctionSpec) returns 16 bytes. It seems that the library that was installed through the package manager thinks it's a different value.
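To make the stride mismatch described above concrete, here is an added example; it is not code from the bug report, from the attached test.c, or from SpiderMonkey. It models two JSFunctionSpec layouts with 32-bit-sized fields so the sizes come out the same on any host: the 16-byte layout the reporter measured (uint16 nargs, uint16 flags, uint32 extra), and an assumed narrower 12-byte legacy layout (uint8 nargs, uint8 flags, uint16 extra) standing in for a stale library build. The narrow layout and the fake string/function addresses are assumptions for illustration, not values taken from the page. The walk reproduces the `name=0x1` seen in the backtrace: with a 12-byte stride, the second "entry" starts at byte 12 of the first one, which is exactly its `extra` field. The size calculation also shows why a 64-bit build hides the mismatch: both layouts pad to 24 bytes there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit model of JSFunctionSpec. Pointers are stored as uint32_t so these
 * structs have their 32-bit sizes on any host. Field order follows the
 * header: name, call, nargs, flags, extra. */

/* Layout the caller compiled against: 16 bytes on a 32-bit ABI. */
typedef struct {
    uint32_t name;   /* const char * */
    uint32_t call;   /* JSNative     */
    uint16_t nargs;
    uint16_t flags;
    uint32_t extra;
} spec_caller_t;

/* Narrower layout ASSUMED for a stale library build: 12 bytes on 32-bit. */
typedef struct {
    uint32_t name;
    uint32_t call;
    uint8_t  nargs;
    uint8_t  flags;
    uint16_t extra;
} spec_lib_t;

#define MAX_WALK 8

/* Size of struct {ptr, ptr, a, b, c} under natural alignment for a given
 * pointer width. 32-bit: 16 vs 12. 64-bit: both round up to 24, so the
 * 64-bit build never notices the mismatch. */
static size_t spec_size(size_t ptr, int narrow)
{
    size_t end = 2 * ptr + (narrow ? 1 + 1 + 2 : 2 + 2 + 4);
    return (end + ptr - 1) / ptr * ptr;
}

/* Simulates the library's `for (; fs->name; fs++)` loop walking, with its own
 * 12-byte stride, a buffer the caller filled with 16-byte entries. Records
 * the `name` each iteration would hand to strlen() and returns how many
 * entries were visited before a zero name was read. */
static size_t walk_as_library(const void *buf, size_t buflen,
                              uint32_t names_seen[MAX_WALK])
{
    const unsigned char *p = buf;
    size_t n = 0;
    while (n < MAX_WALK && (n + 1) * sizeof(spec_lib_t) <= buflen) {
        spec_lib_t e;
        memcpy(&e, p + n * sizeof(spec_lib_t), sizeof e);
        if (e.name == 0)
            break;
        names_seen[n++] = e.name;
    }
    return n;
}

/* Builds the equivalent of the reporter's global_funcs[] with constructed
 * fake addresses, then walks it as the stale library would. names_seen[1]
 * comes out as 0x1, the first entry's `extra`, on any byte order; later
 * entries depend on the host being little-endian. */
static size_t reproduce_mismatch(uint32_t names_seen[MAX_WALK])
{
    spec_caller_t funcs[3] = {
        { 0x08001000u, 0x40000000u, 1, 0, 1 },   /* "a", TestFunc (fake) */
        { 0x08001004u, 0x40000000u, 1, 0, 1 },   /* "b", TestFunc (fake) */
        { 0, 0, 0, 0, 0 }                        /* terminator */
    };
    unsigned char buf[sizeof funcs];
    memcpy(buf, funcs, sizeof funcs);
    return walk_as_library(buf, sizeof buf, names_seen);
}

/* Small wrappers so individual results can be checked directly. */
static size_t mismatch_entries_walked(void)
{
    uint32_t s[MAX_WALK];
    return reproduce_mismatch(s);
}

static uint32_t mismatch_name_at(size_t i)
{
    uint32_t s[MAX_WALK];
    size_t n = reproduce_mismatch(s);
    return i < n ? s[i] : 0;
}

int main(void)
{
    uint32_t seen[MAX_WALK];
    size_t i, n;

    printf("32-bit: caller stride %zu, library stride %zu\n",
           spec_size(4, 0), spec_size(4, 1));
    printf("64-bit: caller stride %zu, library stride %zu\n",
           spec_size(8, 0), spec_size(8, 1));

    n = reproduce_mismatch(seen);
    for (i = 0; i < n; i++)
        printf("iteration %zu: library would call strlen(0x%08x)\n",
               i, (unsigned)seen[i]);
    return 0;
}
```

A practical check before reaching for gdb when a header/library pair is suspected: run `ldd` on the test binary to see which libmozjs.so is actually resolved, then `dpkg -S` on that file and on the directory the `-I` flag points at, to confirm both come from the same package; headers and library from different xulrunner builds is exactly the situation asac describes in the next comment.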

Revision history for this message
Alexander Sack (asac) wrote :

I think your problem is that you have libmozjs-dev or something installed which is the old xulrunner ... remove that (and remove libmozjs* too to be safe).

Changed in xulrunner-1.9 (Ubuntu):
status: Incomplete → Invalid