Panic with Pointer is not 4-bits aligned or over 51-bits

Open andreievg opened this issue 9 months ago • 9 comments

Describe the bug

Getting this panic on an aarch64-linux-android build running on an Android device:

2025-06-06 09:19:02.933955487 [ERROR] <log_panics:130>:thread '' panicked at 'assertion left == right failed: Pointer is not 4-bits aligned or over 51-bits. left: 502975824280 right: 12970367429802852760': /.cargo/git/checkouts/boa-126d820dff07bf57/6f03c21/core/engine/src/value/inner/nan_boxed.rs:379

To Reproduce

I've created this repo with replication instructions; the test passes on v0.20 but fails on main. This is only testable with arm64-v8a.

GitHub action results:

with main - fail

https://github.com/andreievg/boa-alignment-test/actions/runs/15518347532/job/43688241875

with 0.20 - pass

https://github.com/andreievg/boa-alignment-test/actions/runs/15518345141/job/43688235969

with revert 14b88c9a (my fork) - fail - oops, I thought it was just the latest change, but it looks like it might be from: https://github.com/boa-dev/boa/pull/4091

https://github.com/andreievg/boa-alignment-test/actions/runs/15518421733/job/43688400569#step:8:19

with 12faeca - pass (this is before https://github.com/boa-dev/boa/pull/4091)

https://github.com/andreievg/boa-alignment-test/actions/runs/15518534570

Build environment:

  • OS: Samsung tablet, Android
  • Version: On "main", 0.20 works
  • Target triple: aarch64-linux-android
  • Rustc version: 1.86.0

Additional context

@raskad, here is the issue; sorry, I couldn't get replication going in the GitHub action.

andreievg, Jun 07 '25 12:06

Hi @andreievg. Does Android tag pointers? Some OSes do, and that would not work with our setup (since we tag pointers ourselves too).

hansl, Jun 07 '25 23:06

@hansl According to Android's documentation, yes:

ARM's Memory Tagging Extension (MTE) helps address memory safety issues. MTE works by tagging the 56th-59th address bits of each memory allocation on the stack, heap, and globals. The hardware and instruction set automatically checks that the correct tag is used upon every memory access.

jedel1043, Jun 08 '25 00:06
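As an added illustration (not Boa's code; the 4-byte-alignment and 51-bit layout are assumed from the panic message rather than read from nan_boxed.rs): the right-hand value in the panic above is exactly the left-hand value with 0xB4 written into its top byte, which is what a top-byte pointer tag looks like to a NaN-boxing precondition check.

```rust
// Added example, not Boa's code: models the precondition behind the panic
// in this issue and shows how a top-byte pointer tag (where Android's
// tagged pointers / MTE keep their tag) violates it.

/// Payload bits available for a pointer inside the NaN box (the 51-bit
/// limit named in the panic message). Assumed layout for illustration.
const POINTER_BITS: u32 = 51;
const POINTER_MASK: u64 = (1u64 << POINTER_BITS) - 1;
/// Bits 56..=63, where a top-byte tag lives.
const TOP_BYTE_MASK: u64 = 0xFF00_0000_0000_0000;
/// The two values printed by the panic on this issue.
pub const PANIC_LEFT: u64 = 502_975_824_280;
pub const PANIC_RIGHT: u64 = 12_970_367_429_802_852_760;

#[derive(Debug, PartialEq)]
pub enum BoxError {
    Misaligned(u64),
    OutOfRange(u64),
}

/// The two invariants a raw address must satisfy before NaN-boxing:
/// 4-byte alignment (the low two bits are reused) and fitting in 51 bits
/// (the high bits hold the NaN pattern and type tag). Returns Err instead
/// of panicking so a caller can fall back to another representation.
pub fn check_boxable(addr: u64) -> Result<u64, BoxError> {
    if addr & 0b11 != 0 {
        return Err(BoxError::Misaligned(addr));
    }
    if addr & !POINTER_MASK != 0 {
        return Err(BoxError::OutOfRange(addr));
    }
    Ok(addr)
}

/// What a tagged-pointer runtime does to an address: stores a tag in the top byte.
pub fn apply_top_byte_tag(addr: u64, tag: u8) -> u64 {
    (addr & !TOP_BYTE_MASK) | ((tag as u64) << 56)
}

/// Recovers the tag byte; non-zero means the address cannot be boxed as-is.
pub fn top_byte_tag(addr: u64) -> u8 {
    (addr >> 56) as u8
}

fn main() {
    // Decode the panic: the right value is the left value plus a top-byte tag.
    let tag = top_byte_tag(PANIC_RIGHT);
    assert_eq!(apply_top_byte_tag(PANIC_LEFT, tag), PANIC_RIGHT);
    assert_eq!(check_boxable(PANIC_LEFT), Ok(PANIC_LEFT));
    assert_eq!(check_boxable(PANIC_RIGHT), Err(BoxError::OutOfRange(PANIC_RIGHT)));
    println!("tag byte {:#04x} on address {:#x} made it unboxable", tag, PANIC_LEFT);
}
```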

IMO Android is too big of a platform to not support it, so we should offer an alternative implementation of nan-boxing only for that architecture.

jedel1043, Jun 08 '25 01:06

> IMO Android is too big of a platform to not support it, so we should offer an alternative implementation of nan-boxing only for that architecture.

That would be great. I think for now we will revert to 0.20, or use main with a revert of https://github.com/boa-dev/boa/pull/4251 (since I still need the 'safe' version of to_json for serde). BTW, from our testing, 0.20 seemed to be working well for Android.

And lastly, the test repo I did only 'fails' for arm64; x86_64 seems to be OK.

andreievg, Jun 08 '25 02:06

I managed to get the action going. Wasted a lot of time with the emulator, where all I needed was a statically linked build tested directly with qemu. Updated the issue with the action result. Should I

andreievg, Jun 08 '25 12:06

Monday I can make the necessary PR to allow a feature flag to disable NaN-boxing. I don't know how long we'll support that flag (some optimizations will rely on JsValue being copyable) but that should unblock you for now.

For the longer term I'll have to investigate what exactly happens to pointers in Android. This might help: https://source.android.com/docs/security/test/tagged-pointers

hansl, Jun 08 '25 17:06

BTW, it seems that's something you might be able to disable in the kernel. You could try that for the moment.

hansl, Jun 08 '25 17:06

> BTW, it seems that's something you might be able to disable in the kernel. You could try that for the moment.

Thanks, trying <application android:allowNativeHeapPointerTagging="false">.

> Monday I can make the necessary PR to allow a feature flag to disable NaN-boxing

That would be awesome! Thanks. Although we need to ship a build today, so I'll do some work on our end to go back to 0.20 with some changes to make to_json stable (no undefined, which was the main reason for us to go off 'main'). Just wanted to mention this in case you're rushing to get that feature flag; we should be OK without it for now.

andreievg, Jun 08 '25 21:06

@hansl <application android:allowNativeHeapPointerTagging="false"> works, thanks for the link. This is not urgent now, but yeah, since API levels above 30 will have tags auto-enabled, a long-term fix would be preferred. Appreciate your time in helping. Would it help if I create an action for all tests on aarch64-linux-android for this repo?

andreievg, Jun 08 '25 23:06