The name argument to BuildSymbolName in the trace (stack position 2)
contains:
"inlineStorageLatin1 = "copyfile\000\000\000\000\000\000\000"
I grepped for copyfile in /usr/lib/firefox and got a hit in omni.ja.
omni.ja is a zipfile, extracting it yields an FFI definition of
"copyfile" in modules/osfile/osfile_unix_back.jsm.
Commenting out this block and re-zipping omni.ja allows me to launch
Firefox without segfaulting:
// Commented out line by line: a /* ... */ wrapper would be closed early by
// the /* return*/ annotation inside the call, since JavaScript block
// comments do not nest.
// libc.declareLazyFFI(
//   SysFile,
//   "copyfile",
//   "copyfile",
//   ctypes.default_abi,
//   /* return*/ Type.negativeone_or_nothing,
//   /* source*/ Type.path,
//   Type.path,
//   Type.void_t.in_ptr,
//   Type.uint32_t
// );
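The extract, patch and repack workaround described above, automated as an added example that is not part of this report: it uses Python's zipfile to rewrite osfile_unix_back.jsm inside omni.ja, prefixing the copyfile declaration with // instead of a /* */ wrapper (JavaScript block comments do not nest). SAMPLE_JSM and the name "other_fn" are constructed stand-ins, and the script assumes Firefox accepts a standard zip as omni.ja, as the manual re-zip did.

```python
import io
import zipfile

JSM_PATH = "modules/osfile/osfile_unix_back.jsm"

# Constructed stand-in for the real file: the copyfile call plus one
# unrelated call ("other_fn" is a placeholder name) that must survive.
SAMPLE_JSM = '''\
libc.declareLazyFFI(SysFile, "other_fn", "other_fn", ctypes.default_abi,
  /*return*/ Type.int);
libc.declareLazyFFI(SysFile, "copyfile", "copyfile", ctypes.default_abi,
  /* return*/ Type.negativeone_or_nothing, /* source*/ Type.path,
  Type.path, Type.void_t.in_ptr, Type.uint32_t);
'''

def comment_out_copyfile(source):
    """Comment out, with //, each libc.declareLazyFFI call binding "copyfile"
    (a /* */ wrapper would be closed by the inner /* return*/). -> (text, n)"""
    out, pending, changed = [], [], 0
    for line in source.splitlines(keepends=True):
        if not pending and "libc.declareLazyFFI(" not in line:
            out.append(line)
            continue
        pending.append(line)
        if ");" in line:  # the call ends on this line
            if '"copyfile"' in "".join(pending):
                pending = ["// " + l for l in pending]
                changed += 1
            out.extend(pending)
            pending = []
    out.extend(pending)  # unterminated tail, if any, copied unchanged
    return "".join(out), changed

def patch_omni(src, dst):
    """Copy archive src to dst, rewriting JSM_PATH only. Returns calls changed."""
    changed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename == JSM_PATH:
                data, changed = comment_out_copyfile(data.decode("utf-8"))
            zout.writestr(info, data)  # str is written as UTF-8
    return changed

def demo():
    """Build a constructed omni.ja in memory, patch it, return (changed, jsm)."""
    src, dst = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(src, "w") as z:
        z.writestr(JSM_PATH, SAMPLE_JSM)
    changed = patch_omni(src, dst)
    with zipfile.ZipFile(dst) as z:
        return changed, z.read(JSM_PATH).decode("utf-8")
```

For a real archive, call patch_omni("omni.ja", "omni.patched.ja") on a copy and keep the original for rollback.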